Commit | Line | Data |
---|---|---|
fea681da MK |
1 | .\" Copyright (c) 1992 Drew Eckhardt (drew@cs.colorado.edu), March 28, 1992 |
2 | .\" | |
93015253 | 3 | .\" %%%LICENSE_START(VERBATIM) |
fea681da MK |
4 | .\" Permission is granted to make and distribute verbatim copies of this |
5 | .\" manual provided the copyright notice and this permission notice are | |
6 | .\" preserved on all copies. | |
7 | .\" | |
8 | .\" Permission is granted to copy and distribute modified versions of this | |
9 | .\" manual under the conditions for verbatim copying, provided that the | |
10 | .\" entire resulting derived work is distributed under the terms of a | |
11 | .\" permission notice identical to this one. | |
c13182ef | 12 | .\" |
fea681da MK |
13 | .\" Since the Linux kernel and libraries are constantly changing, this |
14 | .\" manual page may be incorrect or out-of-date. The author(s) assume no | |
15 | .\" responsibility for errors or omissions, or for damages resulting from | |
16 | .\" the use of the information contained herein. The author(s) may not | |
17 | .\" have taken the same level of care in the production of this manual, | |
18 | .\" which is licensed free of charge, as they might when working | |
19 | .\" professionally. | |
c13182ef | 20 | .\" |
fea681da MK |
21 | .\" Formatted or processed versions of this manual, if unaccompanied by |
22 | .\" the source, must acknowledge the copyright and authors of this work. | |
4b72fb64 | 23 | .\" %%%LICENSE_END |
fea681da MK |
24 | .\" |
25 | .\" Modified by Michael Haardt <michael@moria.de> | |
26 | .\" Modified 1993-07-21 by Rik Faith <faith@cs.unc.edu> | |
27 | .\" Modified 1994-08-21 by Michael Chastain <mec@shell.portal.com> | |
28 | .\" Modified 1996-06-13 by aeb | |
29 | .\" Modified 1996-11-06 by Eric S. Raymond <esr@thyrsus.com> | |
30 | .\" Modified 1997-08-21 by Joseph S. Myers <jsm28@cam.ac.uk> | |
c11b1abf | 31 | .\" Modified 2004-06-23 by Michael Kerrisk <mtk.manpages@gmail.com> |
fea681da | 32 | .\" |
4b8c67d9 | 33 | .TH CHROOT 2 2017-09-15 "Linux" "Linux Programmer's Manual" |
fea681da MK |
34 | .SH NAME |
35 | chroot \- change root directory | |
36 | .SH SYNOPSIS | |
37 | .B #include <unistd.h> | |
68e4db0a | 38 | .PP |
fea681da | 39 | .BI "int chroot(const char *" path ); |
68e4db0a | 40 | .PP |
e2128f59 MK |
41 | .in -4n |
42 | Feature Test Macro Requirements for glibc (see | |
43 | .BR feature_test_macros (7)): | |
44 | .in | |
68e4db0a | 45 | .PP |
e2128f59 MK |
46 | .BR chroot (): |
47 | .ad l | |
48 | .RS 4 | |
49 | .PD 0 | |
50 | .TP 4 | |
51 | Since glibc 2.2.2: | |
52 | .nf | |
1b5de130 MK |
53 | _XOPEN_SOURCE && ! (_POSIX_C_SOURCE\ >=\ 200112L) |
54 | || /* Since glibc 2.20: */ _DEFAULT_SOURCE | |
55 | || /* Glibc versions <= 2.19: */ _BSD_SOURCE | |
e2128f59 MK |
56 | .TP 4 |
57 | .fi | |
58 | Before glibc 2.2.2: none | |
59 | .PD | |
60 | .RE | |
61 | .ad b | |
fea681da | 62 | .SH DESCRIPTION |
e511ffb6 | 63 | .BR chroot () |
bed63c46 | 64 | changes the root directory of the calling process to that specified in |
fea681da | 65 | .IR path . |
56d22987 | 66 | This directory will be used for pathnames beginning with \fI/\fP. |
a1ffe9f5 | 67 | The root directory is inherited by all children of the calling process. |
efeece04 | 68 | .PP |
fea681da MK |
69 | Only a privileged process (Linux: one with the |
70 | .B CAP_SYS_CHROOT | |
d4dabee1 | 71 | capability in its user namespace) may call |
2777b1ca | 72 | .BR chroot (). |
efeece04 | 73 | .PP |
fea681da | 74 | This call changes an ingredient in the pathname resolution process |
ba9aa794 MK |
75 | and does nothing else. |
76 | In particular, it is not intended to be used | |
614e269a | 77 | for any kind of security purpose, neither to fully sandbox a process nor |
ba9aa794 MK |
78 | to restrict filesystem system calls. |
79 | In the past, | |
614e269a JH |
80 | .BR chroot () |
81 | has been used by daemons to restrict themselves prior to passing paths | |
ba9aa794 | 82 | supplied by untrusted users to system calls such as |
614e269a JH |
83 | .BR open (2). |
84 | However, if a folder is moved out of the chroot directory, an attacker | |
ba9aa794 MK |
85 | can exploit that to get out of the chroot directory as well. |
86 | The easiest way to do that is to | |
614e269a JH |
87 | .BR chdir (2) |
88 | to the to-be-moved directory, wait for it to be moved out, then open a | |
89 | path like ../../../etc/passwd. | |
efeece04 | 90 | .PP |
614e269a JH |
91 | .\" This is how the "slightly trickier variation" works: |
92 | .\" https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-014-2015.txt#L142 | |
93 | A slightly | |
94 | trickier variation also works under some circumstances if | |
95 | .BR chdir (2) | |
ba9aa794 MK |
96 | is not permitted. |
97 | If a daemon allows a "chroot directory" to be specified, | |
614e269a JH |
98 | that usually means that if you want to prevent remote users from accessing |
99 | files outside the chroot directory, you must ensure that folders are never | |
100 | moved out of it. | |
efeece04 | 101 | .PP |
fea681da | 102 | This call does not change the current working directory, |
f81fb444 MK |
103 | so that after the call \(aq\fI.\fP\(aq can |
104 | be outside the tree rooted at \(aq\fI/\fP\(aq. | |
56d22987 MK |
105 | In particular, the superuser can escape from a "chroot jail" |
106 | by doing: | |
47f743f1 MK |
107 | .PP |
108 | .in +4n | |
109 | .EX | |
110 | mkdir foo; chroot foo; cd .. | |
111 | .EE | |
112 | .in | |
efeece04 | 113 | .PP |
fea681da MK |
114 | This call does not close open file descriptors, and such file |
115 | descriptors may allow access to files outside the chroot tree. | |
47297adb | 116 | .SH RETURN VALUE |
c13182ef MK |
117 | On success, zero is returned. |
118 | On error, \-1 is returned, and | |
fea681da MK |
119 | .I errno |
120 | is set appropriately. | |
121 | .SH ERRORS | |
9ee4a2b6 | 122 | Depending on the filesystem, other errors can be returned. |
c13182ef | 123 | The more general errors are listed below: |
fea681da MK |
124 | .TP |
125 | .B EACCES | |
126 | Search permission is denied on a component of the path prefix. | |
127 | (See also | |
ad7cc990 | 128 | .BR path_resolution (7).) |
fea681da MK |
129 | .\" Also search permission is required on the final component, |
130 | .\" maybe just to guarantee that it is a directory? | |
131 | .TP | |
132 | .B EFAULT | |
133 | .I path | |
134 | points outside your accessible address space. | |
135 | .TP | |
136 | .B EIO | |
137 | An I/O error occurred. | |
138 | .TP | |
139 | .B ELOOP | |
140 | Too many symbolic links were encountered in resolving | |
141 | .IR path . | |
142 | .TP | |
143 | .B ENAMETOOLONG | |
144 | .I path | |
145 | is too long. | |
146 | .TP | |
147 | .B ENOENT | |
148 | The file does not exist. | |
149 | .TP | |
150 | .B ENOMEM | |
151 | Insufficient kernel memory was available. | |
152 | .TP | |
153 | .B ENOTDIR | |
154 | A component of | |
155 | .I path | |
156 | is not a directory. | |
157 | .TP | |
158 | .B EPERM | |
159 | The caller has insufficient privilege. | |
47297adb | 160 | .SH CONFORMING TO |
c13182ef | 161 | SVr4, 4.4BSD, SUSv2 (marked LEGACY). |
97c1eac8 MK |
162 | This function is not part of POSIX.1-2001. |
163 | .\" SVr4 documents additional EINTR, ENOLINK and EMULTIHOP error conditions. | |
164 | .\" X/OPEN does not document EIO, ENOMEM or EFAULT error conditions. | |
fea681da | 165 | .SH NOTES |
ef828a01 MK |
166 | A child process created via |
167 | .BR fork (2) | |
168 | inherits its parent's root directory. | |
169 | The root directory is left unchanged by | |
170 | .BR execve (2). | |
efeece04 | 171 | .PP |
bdf47032 MK |
172 | The magic symbolic link, |
173 | .IR /proc/[pid]/root , | |
174 | can be used to discover a process's root directory; see | |
175 | .BR proc (5) | |
176 | for details. | |
177 | .PP | |
fea681da | 178 | FreeBSD has a stronger |
31e9a9ec | 179 | .BR jail () |
fea681da | 180 | system call. |
47297adb | 181 | .SH SEE ALSO |
9bab77a4 | 182 | .BR chroot (1), |
fea681da | 183 | .BR chdir (2), |
2e78e5e1 | 184 | .BR pivot_root (2), |
6eb4d411 MK |
185 | .BR path_resolution (7), |
186 | .BR switch_root (8) |
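
The DESCRIPTION above names two things chroot() leaves untouched: the current working directory and already-open file descriptors. The following C sketch is an added example, not part of the manual page or the man-pages project; the helper names `count_dir_fds`, `cwd_inside_root` and `enter_chroot`, the scan bound and the choice of `EBUSY` are assumptions made for illustration. It refuses to change root while directory descriptors are held and moves the working directory together with the root; it addresses only those two pitfalls and does not turn chroot() into a sandbox.

```c
#define _DEFAULT_SOURCE          /* exposes chroot() in glibc >= 2.20 */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count open descriptors >= first that refer to directories. Each one is a
 * handle that keeps working after chroot() and can reach outside the tree. */
int count_dir_fds(int first)
{
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (max < 0 || max > 65536)
        max = 65536;             /* bound the scan; assumption for this sketch */
    for (int fd = first; fd < max; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    return n;
}

/* 1 if the working directory is reachable from the current root.
 * Linux reports an out-of-root cwd as "(unreachable)..." or fails. */
int cwd_inside_root(void)
{
    char buf[PATH_MAX];
    return getcwd(buf, sizeof buf) != NULL && buf[0] == '/';
}

/* Change root and working directory together. Returns 0 or -1 (errno set). */
int enter_chroot(const char *dir)
{
    if (count_dir_fds(3) != 0) { /* refuse while directory handles are held */
        errno = EBUSY;
        return -1;
    }
    if (chdir(dir) != 0)         /* move cwd into the tree first */
        return -1;
    if (chroot(".") != 0)        /* needs CAP_SYS_CHROOT, else EPERM */
        return -1;
    if (chdir("/") != 0)         /* cwd is now the new root */
        return -1;
    return cwd_inside_root() ? 0 : -1;
}
```

A caller that is going to drop privileges would do so after `enter_chroot()` returns 0, since the call itself requires `CAP_SYS_CHROOT`.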