change root directory
is the address of the pathname of a
directory, terminated by an ASCII NUL.
to become the root directory, that
is, the starting point for path searches of pathnames beginning with
In order for a directory to become the root directory a process must have
execute (search) access for that directory.
If the program is not currently running with an altered root directory, it
should be noted that
() has no effect
on the process's current directory.
If the program is already running with an altered root directory, the process's
current directory is changed to the same new root directory. This prevents the
current directory from being further up the directory tree than the altered
This call is restricted to the superuser.
Upon successful completion, the value 0 is returned; otherwise the
value -1 is returned and the global variable
is set to indicate the error.
The following example changes the root directory to
, sets the current directory to the
new root, and drops some setuid privileges. There may be other privileges
which need to be dropped as well.
if (chroot(newroot) != 0 || chdir("/") != 0)
err(1, "%s", newroot);
setresuid(getuid(), getuid(), getuid());
() will fail and the root directory
will be unchanged if:
- A component of the path name is not a directory.
- A component of a pathname exceeded
NAME_MAX characters, or an entire
pathname (including the terminating NUL) exceeded
- The named directory does not exist.
- Search permission is denied for any component of the path name.
- Too many symbolic links were encountered in translating the pathname.
- dirname points outside the process's
allocated address space.
- An I/O error occurred while reading from or writing to the file
- The caller is not the superuser.
() system call first appeared in
Version 7 AT&T UNIX
There are ways for a root process to escape from the chroot jail. Changes to the
directory hierarchy made from outside the chroot jail may allow a restricted
process to escape, even if it is unprivileged. Passing directory file
descriptors via recvmsg(2)
outside the chroot jail may also allow a process to escape.