1 .\" Copyright (c) 1992 Drew Eckhardt (drew@cs.colorado.edu), March 28, 1992
3 .\" %%%LICENSE_START(VERBATIM)
4 .\" Permission is granted to make and distribute verbatim copies of this
5 .\" manual provided the copyright notice and this permission notice are
6 .\" preserved on all copies.
8 .\" Permission is granted to copy and distribute modified versions of this
9 .\" manual under the conditions for verbatim copying, provided that the
10 .\" entire resulting derived work is distributed under the terms of a
11 .\" permission notice identical to this one.
13 .\" Since the Linux kernel and libraries are constantly changing, this
14 .\" manual page may be incorrect or out-of-date. The author(s) assume no
15 .\" responsibility for errors or omissions, or for damages resulting from
16 .\" the use of the information contained herein. The author(s) may not
17 .\" have taken the same level of care in the production of this manual,
18 .\" which is licensed free of charge, as they might when working
21 .\" Formatted or processed versions of this manual, if unaccompanied by
22 .\" the source, must acknowledge the copyright and authors of this work.
25 .\" Modified by Michael Haardt <michael@moria.de>
26 .\" Modified 1993-07-21 by Rik Faith <faith@cs.unc.edu>
27 .\" Modified 1994-08-21 by Michael Chastain <mec@shell.portal.com>
28 .\" Modified 1996-06-13 by aeb
29 .\" Modified 1996-11-06 by Eric S. Raymond <esr@thyrsus.com>
30 .\" Modified 1997-08-21 by Joseph S. Myers <jsm28@cam.ac.uk>
31 .\" Modified 2004-06-23 by Michael Kerrisk <mtk.manpages@gmail.com>
33 .TH CHROOT 2 2016-07-17 "Linux" "Linux Programmer's Manual"
35 chroot \- change root directory
37 .B #include <unistd.h>
39 .BI "int chroot(const char *" path );
42 Feature Test Macro Requirements for glibc (see
43 .BR feature_test_macros (7)):
53 _XOPEN_SOURCE && ! (_POSIX_C_SOURCE\ >=\ 200112L)
54 || /* Since glibc 2.20: */ _DEFAULT_SOURCE
55 || /* Glibc versions <= 2.19: */ _BSD_SOURCE
58 Before glibc 2.2.2: none
64 changes the root directory of the calling process to that specified in
66 This directory will be used for pathnames beginning with \fI/\fP.
67 The root directory is inherited by all children of the calling process.
69 Only a privileged process (Linux: one with the
71 capability in its user namespace) may call
74 This call changes an ingredient in the pathname resolution process
75 and does nothing else.
76 In particular, it is not intended to be used
77 for any kind of security purpose, neither to fully sandbox a process nor
78 to restrict filesystem system calls.
81 has been used by daemons to restrict themselves prior to passing paths
82 supplied by untrusted users to system calls such as
84 However, if a folder is moved out of the chroot directory, an attacker
85 can exploit that to get out of the chroot directory as well.
86 The easiest way to do that is to
88 to the to-be-moved directory, wait for it to be moved out, then open a
89 path like ../../../etc/passwd.
91 .\" This is how the "slightly trickier variation" works:
92 .\" https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-014-2015.txt#L142
94 trickier variation also works under some circumstances if
97 If a daemon allows a "chroot directory" to be specified,
98 that usually means that if you want to prevent remote users from accessing
99 files outside the chroot directory, you must ensure that folders are never
102 This call does not change the current working directory,
103 so that after the call \(aq\fI.\fP\(aq can
104 be outside the tree rooted at \(aq\fI/\fP\(aq.
105 In particular, the superuser can escape from a "chroot jail"
109 mkdir foo; chroot foo; cd ..
112 This call does not close open file descriptors, and such file
113 descriptors may allow access to files outside the chroot tree.
115 On success, zero is returned.
116 On error, \-1 is returned, and
118 is set appropriately.
120 Depending on the filesystem, other errors can be returned.
121 The more general errors are listed below:
124 Search permission is denied on a component of the path prefix.
126 .BR path_resolution (7).)
127 .\" Also search permission is required on the final component,
128 .\" maybe just to guarantee that it is a directory?
132 points outside your accessible address space.
135 An I/O error occurred.
138 Too many symbolic links were encountered in resolving
146 The file does not exist.
149 Insufficient kernel memory was available.
157 The caller has insufficient privilege.
159 SVr4, 4.4BSD, SUSv2 (marked LEGACY).
160 This function is not part of POSIX.1-2001.
161 .\" SVr4 documents additional EINTR, ENOLINK and EMULTIHOP error conditions.
162 .\" X/OPEN does not document EIO, ENOMEM or EFAULT error conditions.
164 A child process created via
166 inherits its parent's root directory.
167 The root directory is left unchanged by
170 FreeBSD has a stronger
177 .BR path_resolution (7)