|CHROOT(2)||System Calls Manual||CHROOT(2)|
chroot — change
dirname is the address of the pathname of a
directory, terminated by an ASCII NUL.
causes dirname to become the root directory, that is,
the starting point for path searches of pathnames beginning with
In order for a directory to become the root directory, a process must have execute (search) access for that directory.
If the program is not currently running with an
altered root directory, it should be noted that
has no effect on the process's current directory.
If the program is already running with an altered root directory, the process's current directory is changed to the same new root directory. This prevents the current directory from being further up the directory tree than the altered root directory.
This call is restricted to the superuser.
Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.
The following example changes the root directory to newroot, sets the current directory to the new root, and drops some setuid privileges. There may be other privileges which need to be dropped as well.
#include <err.h> #include <unistd.h> if (chroot(newroot) != 0 || chdir("/") != 0) err(1, "%s", newroot); setresuid(getuid(), getuid(), getuid());
chroot() will fail and the root directory
will be unchanged if:
NAME_MAXcharacters, or an entire pathname (including the terminating NUL) exceeded
chroot() system call first appeared in
Version 7 AT&T UNIX.
There are ways for a root process to escape from the chroot jail. Changes to the directory hierarchy made from outside the chroot jail may allow a restricted process to escape, even if it is unprivileged. Passing directory file descriptors via recvmsg(2) from outside the chroot jail may also allow a process to escape.
|March 31, 2022||OpenBSD-current|