When working with chroot environments, bind mounts are incredibly useful for making host directories available inside the jail. The standard mount --bind command works perfectly for read-write access, but things get tricky when you need read-only access to these directories within the chroot.
The typical bind mount operation:
mount --bind /host/directory /chroot/directory
creates a writable mount by default. This becomes problematic when you want to:
- Prevent accidental modifications in the chroot
- Enhance security by limiting write access
- Share system libraries without risking corruption
Linux actually supports read-only bind mounts through a combination of options:
mount --bind -o ro /host/directory /chroot/directory
Or alternatively:
mount -o bind,ro /host/directory /chroot/directory
Note that older util-linux releases silently drop the ro option when it is given together with bind in a single command; if your mount ends up writable, use the explicit remount form shown further down, which works everywhere.
After creating the mount, verify it's read-only with:
mount | grep /chroot/directory
You should see ro in the options list. Then test it by attempting to create a file in the mounted directory from within the chroot; the write test is the authoritative check, since the option list only tells you what the mount table records.
For mounts that persist across reboots, add this to /etc/fstab:
/host/directory /chroot/directory none bind,ro 0 0
For more complex scenarios, you can combine bind mounts with other features:
# Read-only recursive bind mount
mount --rbind -o ro /host/directory /chroot/directory
# Read-only bind mount with remount
mount --bind /host/directory /chroot/directory
mount -o remount,ro,bind /chroot/directory
Be aware that with --rbind the ro flag has historically applied only to the top-level mount; submounts pulled in under it can remain writable on older kernels and util-linux versions, so check each submount separately.
While bind mounts are the most efficient solution, alternatives exist:
- OverlayFS (with lowerdir read-only)
- tmpfs mounts for temporary writable spaces
- SquashFS for compressed read-only access
Common issues and solutions:
- If you get "mount: permission denied", ensure you have CAP_SYS_ADMIN
- For recursive mounts, check parent directory permissions
- When using fstab, verify paths exist before mounting
When working with chroot environments, mount --bind is incredibly useful for making directories available inside the jail. However, there's a significant security consideration - by default, these bind mounts inherit the same permissions as the original directory, including write access.
Linux actually provides a simple solution through the remount option combined with ro:
# First create the normal bind mount
sudo mount --bind /original/path /chroot/path
# Then remount it as read-only
sudo mount -o remount,ro,bind /chroot/path
You can verify the mount is read-only with:
mount | grep /chroot/path
This should show the ro flag in the output.
To make this survive reboots, add this to your /etc/fstab:
/original/path /chroot/path none bind,ro 0 0
For more complex scenarios where you need some writable areas, consider OverlayFS:
sudo mount -t overlay overlay -o lowerdir=/readonly/path,upperdir=/tmp/overlay,workdir=/tmp/work /chroot/path
Remember that while read-only bind mounts prevent writes through the mount point, the underlying filesystem must also be properly secured. The chroot user shouldn't have write permissions to the original directory.
Here's how I secure a web server's document root in a chroot:
# Bind mount the web content
sudo mount --bind /var/www /chroot/var/www
# Make it read-only
sudo mount -o remount,ro,bind /chroot/var/www
# Verify
mount | grep /chroot/var/www
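As an added example (not part of either answer above), here is a small POSIX shell helper that does the verification step from the first answer against the kernel's own mount table rather than the mount(8) output, and also surfaces the point made about the backing filesystem: a read-only bind mount carries ro in its per-mount flags while the underlying superblock stays rw. The mountinfo lines and the paths /chroot/directory and /chroot/data are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo lines (not captured from a real
# host): the root filesystem, a bind mount remounted read-only, and a plain
# writable bind mount. Field 5 is the mount point, field 6 the per-mount
# flags; everything after the "-" separator describes the superblock.
SAMPLE_MOUNTINFO='25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
101 25 8:1 /host/directory /chroot/directory ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
102 25 8:1 /srv/data /chroot/data rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro'

# Print "ro", "rw" or "none" for the mount point TARGET, reading mountinfo
# text from stdin. Matches the mount point field exactly, so /chroot/data
# does not match /chroot/datadir the way a bare grep would.
mount_flags() {
    target="$1"
    awk -v t="$target" '
        $5 == t {
            found = 1
            n = split($6, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "ro") { print "ro"; exit }
            print "rw"; exit
        }
        END { if (!found) print "none" }'
}

# Print the superblock options for TARGET (third field after the "-"
# separator). For a read-only bind mount this still reads rw: the original
# path remains writable, which is why the backing directory's permissions
# matter as much as the mount flag.
super_flags() {
    target="$1"
    awk -v t="$target" '
        $5 == t { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 3); exit } }'
}

# Live check against the running kernel (needs /proc). Succeeds only when
# TARGET is mounted and its per-mount flags include ro.
check_live() {
    [ "$(mount_flags "$1" < /proc/self/mountinfo)" = "ro" ]
}

printf '%s\n' "$SAMPLE_MOUNTINFO" | mount_flags /chroot/directory   # prints ro
printf '%s\n' "$SAMPLE_MOUNTINFO" | super_flags /chroot/directory   # prints rw,errors=remount-ro
```

Run check_live /chroot/directory after the remount to confirm the kernel actually holds the mount read-only, then finish with the write test from inside the chroot.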