LXC vs. Chroot for Multi-App Isolation: Security Considerations for SFTP Access in Shared Ubuntu Environments


2 views

In your current setup with three applications on separate domains hosted on a single Ubuntu server, you're using chroot to isolate SFTP access for developers. The configuration in sshd_config looks like:

Match Group sftp  
  PasswordAuthentication yes
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no

This creates the following directory structure for each application:

/home/app1/prod
/home/app2/prod
/home/app3/prod

While chroot provides basic filesystem isolation, it has significant security gaps:

  • Processes can still interact with system resources (CPU, memory, network)
  • No isolation of system calls or kernel access
  • Shared /proc and /sys filesystems
  • Potential privilege escalation vulnerabilities

LXC (Linux Containers) provides true process-level isolation:

sudo apt install lxc lxc-templates
sudo lxc-create -t download -n app1-container -- -d ubuntu -r focal -a amd64
sudo lxc-start -n app1-container

Key benefits over chroot:

  • Separate process trees for each container
  • Network namespace isolation
  • Cgroups for resource limits
  • Independent /proc, /sys, and device access
  • Snapshot and cloning capabilities

To make the transition transparent for developers:

  1. Maintain the same SFTP access patterns:
    2. Match Group sftp
  PasswordAuthentication yes
  ForceCommand internal-sftp
  AllowTcpForwarding no
  # Remove ChrootDirectory directive
  2. Create container-specific users with identical UIDs/GIDs
  3. Bind mount application directories into containers:
    4. lxc config device add app1-container homedir disk source=/home/app1 path=/home/app1

Implementing resource limits in LXC:

lxc config set app1-container limits.cpu 2
lxc config set app1-container limits.memory 4GB
lxc config set app1-container security.privileged false
lxc config set app1-container security.nesting false

LXC provides superior network isolation options:

lxc network create app1-net ipv4.address=10.0.1.0/24
lxc config device add app1-container eth0 nic nictype=bridged parent=app1-net

Essential commands for container management:

lxc list
lxc info app1-container
lxc exec app1-container -- bash
lxc snapshot app1-container

In your current Ubuntu server environment, you're using chroot to isolate three applications, each with their own development teams and SFTP access. The configuration appears solid on the surface:

# Current directory structure
/home/app1/prod
/home/app2/prod
/home/app3/prod

# Relevant sshd_config entries
Match Group sftp
  PasswordAuthentication yes
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no

While chroot provides basic filesystem isolation, it doesn't offer complete process isolation. A compromised application could potentially:

  • Consume all available system resources (CPU, memory)
  • Access shared kernel resources
  • Exploit kernel vulnerabilities affecting other processes
  • Read sensitive system information via /proc

LXC (Linux Containers) provides kernel-level isolation through:

  • Separate process namespaces
  • Network namespace isolation
  • Control groups (cgroups) for resource limits
  • User namespace mapping
  • Filesystem isolation with union mounts
# Basic LXC container creation example
lxc launch ubuntu:22.04 app1-container
lxc config set app1-container limits.cpu 2
lxc config set app1-container limits.memory 4GB

The transition to LXC can be transparent to developers with proper planning:

Filesystem Access:
Map existing directories into containers using bind mounts:

lxc config device add app1-container homedir disk source=/home/app1 path=/home/app1

SFTP Configuration:
You'll need to either:

  1. Run sshd inside each container
  2. Use the host's sshd with chroot inside the container
# Option 1: Containerized sshd
lxc exec app1-container -- apt install openssh-server
lxc exec app1-container -- systemctl enable ssh

# Option 2: Host sshd with container chroot
Match Group sftp
  ChrootDirectory /var/lib/lxc/app1-container/rootfs/home/app1

Additional hardening measures you can implement:

# Example security profile
lxc profile create app-secure
lxc profile set app-secure security.privileged false
lxc profile set app-secure security.nesting false  
lxc profile set app-secure linux.kernel_modules deny

LXC adds minimal overhead while providing better resource control:

# Setting resource limits
lxc config set app1-container limits.cpu.allowance 50%
lxc config set app1-container limits.memory.swap false
lxc config set app1-container limits.disk.priority 10

Recommended migration approach:

  1. Create containers alongside existing chroots
  2. Test SFTP access thoroughly
  3. Migrate one application at a time
  4. Monitor resource usage and performance