| .\" Copyright (c) 1992 Drew Eckhardt (drew@cs.colorado.edu), March 28, 1992 |
| .\" |
| .\" %%%LICENSE_START(VERBATIM) |
| .\" Permission is granted to make and distribute verbatim copies of this |
| .\" manual provided the copyright notice and this permission notice are |
| .\" preserved on all copies. |
| .\" |
| .\" Permission is granted to copy and distribute modified versions of this |
| .\" manual under the conditions for verbatim copying, provided that the |
| .\" entire resulting derived work is distributed under the terms of a |
| .\" permission notice identical to this one. |
| .\" |
| .\" Since the Linux kernel and libraries are constantly changing, this |
| .\" manual page may be incorrect or out-of-date. The author(s) assume no |
| .\" responsibility for errors or omissions, or for damages resulting from |
| .\" the use of the information contained herein. The author(s) may not |
| .\" have taken the same level of care in the production of this manual, |
| .\" which is licensed free of charge, as they might when working |
| .\" professionally. |
| .\" |
| .\" Formatted or processed versions of this manual, if unaccompanied by |
| .\" the source, must acknowledge the copyright and authors of this work. |
| .\" %%%LICENSE_END |
| .\" |
| .\" Modified by Michael Haardt <michael@moria.de> |
| .\" Modified 1993-07-21 by Rik Faith <faith@cs.unc.edu> |
| .\" Modified 1994-08-21 by Michael Chastain <mec@shell.portal.com> |
| .\" Modified 1996-06-13 by aeb |
| .\" Modified 1996-11-06 by Eric S. Raymond <esr@thyrsus.com> |
| .\" Modified 1997-08-21 by Joseph S. Myers <jsm28@cam.ac.uk> |
| .\" Modified 2004-06-23 by Michael Kerrisk <mtk.manpages@gmail.com> |
| .\" |
| .TH CHROOT 2 2021-03-22 "Linux" "Linux Programmer's Manual" |
| .SH NAME |
| chroot \- change root directory |
| .SH SYNOPSIS |
| .nf |
| .B #include <unistd.h> |
| .PP |
| .BI "int chroot(const char *" path ); |
| .fi |
| .PP |
| .RS -4 |
| Feature Test Macro Requirements for glibc (see |
| .BR feature_test_macros (7)): |
| .RE |
| .PP |
| .BR chroot (): |
| .nf |
| Since glibc 2.2.2: |
| _XOPEN_SOURCE && ! (_POSIX_C_SOURCE >= 200112L) |
| || /* Since glibc 2.20: */ _DEFAULT_SOURCE |
| || /* Glibc <= 2.19: */ _BSD_SOURCE |
| Before glibc 2.2.2: |
| none |
| .fi |
| .SH DESCRIPTION |
| .BR chroot () |
| changes the root directory of the calling process to that specified in |
| .IR path . |
| This directory will be used for pathnames beginning with \fI/\fP. |
| The root directory is inherited by all children of the calling process. |
| .PP |
| Only a privileged process (Linux: one with the |
| .B CAP_SYS_CHROOT |
| capability in its user namespace) may call |
| .BR chroot (). |
| .PP |
| This call changes an ingredient in the pathname resolution process |
| and does nothing else. |
| In particular, it is not intended to be used |
| for any kind of security purpose, neither to fully sandbox a process nor |
| to restrict filesystem system calls. |
| In the past, |
| .BR chroot () |
| has been used by daemons to restrict themselves prior to passing paths |
| supplied by untrusted users to system calls such as |
| .BR open (2). |
| However, if a folder is moved out of the chroot directory, an attacker |
| can exploit that to get out of the chroot directory as well. |
| The easiest way to do that is to |
| .BR chdir (2) |
| to the to-be-moved directory, wait for it to be moved out, then open a |
| path like ../../../etc/passwd. |
| .PP |
| .\" This is how the "slightly trickier variation" works: |
| .\" https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-014-2015.txt#L142 |
| A slightly |
| trickier variation also works under some circumstances if |
| .BR chdir (2) |
| is not permitted. |
| If a daemon allows a "chroot directory" to be specified, |
| that usually means that if you want to prevent remote users from accessing |
| files outside the chroot directory, you must ensure that folders are never |
| moved out of it. |
| .PP |
| This call does not change the current working directory, |
| so that after the call \(aq\fI.\fP\(aq can |
| be outside the tree rooted at \(aq\fI/\fP\(aq. |
| In particular, the superuser can escape from a "chroot jail" |
| by doing: |
| .PP |
| .in +4n |
| .EX |
| mkdir foo; chroot foo; cd .. |
| .EE |
| .in |
| .PP |
| This call does not close open file descriptors, and such file |
| descriptors may allow access to files outside the chroot tree. |
| .SH RETURN VALUE |
| On success, zero is returned. |
| On error, \-1 is returned, and |
| .I errno |
| is set to indicate the error. |
| .SH ERRORS |
| Depending on the filesystem, other errors can be returned. |
| The more general errors are listed below: |
| .TP |
| .B EACCES |
| Search permission is denied on a component of the path prefix. |
| (See also |
| .BR path_resolution (7).) |
| .\" Also search permission is required on the final component, |
| .\" maybe just to guarantee that it is a directory? |
| .TP |
| .B EFAULT |
| .I path |
| points outside your accessible address space. |
| .TP |
| .B EIO |
| An I/O error occurred. |
| .TP |
| .B ELOOP |
| Too many symbolic links were encountered in resolving |
| .IR path . |
| .TP |
| .B ENAMETOOLONG |
| .I path |
| is too long. |
| .TP |
| .B ENOENT |
| The file does not exist. |
| .TP |
| .B ENOMEM |
| Insufficient kernel memory was available. |
| .TP |
| .B ENOTDIR |
| A component of |
| .I path |
| is not a directory. |
| .TP |
| .B EPERM |
| The caller has insufficient privilege. |
| .SH CONFORMING TO |
| SVr4, 4.4BSD, SUSv2 (marked LEGACY). |
| This function is not part of POSIX.1-2001. |
| .\" SVr4 documents additional EINTR, ENOLINK and EMULTIHOP error conditions. |
| .\" X/OPEN does not document EIO, ENOMEM or EFAULT error conditions. |
| .SH NOTES |
| A child process created via |
| .BR fork (2) |
| inherits its parent's root directory. |
| The root directory is left unchanged by |
| .BR execve (2). |
| .PP |
| The magic symbolic link, |
| .IR /proc/[pid]/root , |
| can be used to discover a process's root directory; see |
| .BR proc (5) |
| for details. |
| .PP |
| FreeBSD has a stronger |
| .BR jail () |
| system call. |
| .SH SEE ALSO |
| .BR chroot (1), |
| .BR chdir (2), |
| .BR pivot_root (2), |
| .BR path_resolution (7), |
| .BR switch_root (8) |