.\" $OpenBSD: chroot.2,v 1.23 2021/01/03 18:10:27 rob Exp $ .\" $NetBSD: chroot.2,v 1.7 1995/02/27 12:32:12 cgd Exp $ .\" .\" Copyright (c) 1983, 1991, 1993 .\" The Regents of the University of California. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of the University nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" @(#)chroot.2 8.1 (Berkeley) 6/4/93 .\" .Dd $Mdocdate: January 3 2021 $ .Dt CHROOT 2 .Os .Sh NAME .Nm chroot .Nd change root directory .Sh SYNOPSIS .In unistd.h .Ft int .Fn chroot "const char *dirname" .Sh DESCRIPTION .Fa dirname is the address of the pathname of a directory, terminated by an ASCII NUL. .Fn chroot causes .Fa dirname to become the root directory, that is, the starting point for path searches of pathnames beginning with .Ql / . .Pp In order for a directory to become the root directory a process must have execute (search) access for that directory. .Pp If the program is not currently running with an altered root directory, it should be noted that .Fn chroot has no effect on the process's current directory. .Pp If the program is already running with an altered root directory, the process's current directory is changed to the same new root directory. This prevents the current directory from being further up the directory tree than the altered root directory. .Pp This call is restricted to the superuser. .Sh RETURN VALUES .Rv -std .Sh EXAMPLES The following example changes the root directory to .Va newroot , sets the current directory to the new root, and drops some setuid privileges. There may be other privileges which need to be dropped as well. .Bd -literal -offset indent #include #include if (chroot(newroot) != 0 || chdir("/") != 0) err(1, "%s", newroot); setresuid(getuid(), getuid(), getuid()); .Ed .Sh ERRORS .Fn chroot will fail and the root directory will be unchanged if: .Bl -tag -width Er .It Bq Er ENOTDIR A component of the pathname is not a directory. .It Bq Er ENAMETOOLONG A component of a pathname exceeded .Dv NAME_MAX characters, or an entire pathname (including the terminating NUL) exceeded .Dv PATH_MAX bytes. .It Bq Er ENOENT The named directory does not exist. .It Bq Er EACCES Search permission is denied for any component of the pathname. .It Bq Er ELOOP Too many symbolic links were encountered in translating the pathname. .It Bq Er EFAULT .Fa dirname points outside the process's allocated address space. .It Bq Er EIO An I/O error occurred while reading from or writing to the file system. .It Bq Er EPERM The caller is not the superuser. .El .Sh SEE ALSO .Xr chdir 2 .Sh HISTORY The .Fn chroot system call first appeared in .At v7 . .Sh CAVEATS There are ways for a root process to escape from the chroot jail. Changes to the directory hierarchy made from outside the chroot jail may allow a restricted process to escape, even if it is unprivileged. Passing directory file descriptors via .Xr recvmsg 2 from outside the chroot jail may also allow a process to escape.