0

At Heroku I can use binaries like ImageMagick and others, but the filesystem seems chroot'ed and a clone of the web application directory (git repository).

How do I allow access to binaries outside the root?

This is really not a specific Heroku question, but I really want to know how to do this.

Jacob
  • 115
  • 2

1 Answers1

4

You can't. By definition chroot() limits your access in a way, that you can't access anything out of that context. If you need to use other binaries, you need to install them, and their dependencies, in the chroot-environment.

To check what dependencies a certain binary has, you may use the ldd command. Example:

xila:~# ldd /usr/bin/wget 
    linux-gate.so.1 =>  (0xb7784000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7775000)
    librt.so.1 => /lib/librt.so.1 (0xb776c000)
    libssl.so.0.9.8 => /usr/lib/i586/libssl.so.0.9.8 (0xb7729000)
    libcrypto.so.0.9.8 => /usr/lib/i586/libcrypto.so.0.9.8 (0xb75ea000)
    libc.so.6 => /lib/libc.so.6 (0xb74ac000)
    /lib/ld-linux.so.2 (0xb7785000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb7494000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb747e000)

If you want wget to run in your chroot, you need to copy all those libraries to your chroot - into the appropriate locations. Which means, you need to imitate the directory structure.

However, if one of thos libraries depends on another not listed here, you have to clone this as well. Do an ldd on the libraries as well - eventually you will have found them all.

Alexander Janssen
  • 2,607
  • 16
  • 21
  • +1 -- Jacob: What you're asking for (the ability to access files outside of the chroot) defeats the entire security purpose of a chroot. Once you're inside you can't see the outside world; If you could there would be no reason to chroot applications in the first place. – voretaq7 Nov 02 '12 at 21:45
  • Thank you both for taking time to answer my question. Do you guys have any idea, how Heroku make those binaries available and still give the illusion that its a root'ed environment? – Jacob Nov 02 '12 at 22:03
  • I don't know Heroku's policies, if you don't have a shell and can't make it work yourself, you'd need to stick to Heroku's support. – Alexander Janssen Nov 02 '12 at 22:12
  • No no, I want to make a similar environment on my own server. – Jacob Nov 02 '12 at 22:36
  • Ok, Heroku uses LXC and each contained process has all the binaries within the chroot'ed environment. – Jacob Nov 03 '12 at 17:27