xref: /freebsd/lib/libsys/chroot.2 (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1.\" Copyright (c) 1983, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.Dd September 29, 2020
29.Dt CHROOT 2
30.Os
31.Sh NAME
32.Nm chroot
33.Nd change root directory
34.Sh LIBRARY
35.Lb libc
36.Sh SYNOPSIS
37.In unistd.h
38.Ft int
39.Fn chroot "const char *dirname"
40.Sh DESCRIPTION
41The
42.Fa dirname
43argument
44is the address of the pathname of a directory, terminated by an ASCII NUL.
45The
46.Fn chroot
47system call causes
48.Fa dirname
49to become the root directory,
50that is, the starting point for path searches of pathnames
51beginning with
52.Ql / .
53.Pp
54In order for a directory to become the root directory
55a process must have execute (search) access for that directory.
56.Pp
57It should be noted that
58.Fn chroot
59has no effect on the process's current directory.
60.Pp
61This call is restricted to the super-user.
62.Pp
63Depending on the setting of the
64.Ql kern.chroot_allow_open_directories
65sysctl variable, open filedescriptors which reference directories
66will make the
67.Fn chroot
68fail as follows:
69.Pp
70If
71.Ql kern.chroot_allow_open_directories
72is set to zero,
73.Fn chroot
74will always fail with
75.Er EPERM
76if there are any directories open.
77.Pp
78If
79.Ql kern.chroot_allow_open_directories
80is set to one (the default),
81.Fn chroot
82will fail with
83.Er EPERM
84if there are any directories open and the
85process is already subject to the
86.Fn chroot
87system call.
88.Pp
89Any other value for
90.Ql kern.chroot_allow_open_directories
91will bypass the check for open directories,
92mimicking the historic insecure behavior of
93.Fn chroot
94still present on other systems.
95.Sh RETURN VALUES
96.Rv -std
97.Sh ERRORS
98The
99.Fn chroot
100system call
101will fail and the root directory will be unchanged if:
102.Bl -tag -width Er
103.It Bq Er ENOTDIR
104A component of the path name is not a directory.
105.It Bq Er EPERM
106The effective user ID is not the super-user, or one or more
107filedescriptors are open directories.
108.It Bq Er ENAMETOOLONG
109A component of a pathname exceeded 255 characters,
110or an entire path name exceeded 1023 characters.
111.It Bq Er ENOENT
112The named directory does not exist.
113.It Bq Er EACCES
114Search permission is denied for any component of the path name.
115.It Bq Er ELOOP
116Too many symbolic links were encountered in translating the pathname.
117.It Bq Er EFAULT
118The
119.Fa dirname
120argument
121points outside the process's allocated address space.
122.It Bq Er EIO
123An I/O error occurred while reading from or writing to the file system.
124.It Bq Er EINTEGRITY
125Corrupted data was detected while reading from the file system.
126.El
127.Sh SEE ALSO
128.Xr chdir 2 ,
129.Xr jail 2
130.Sh HISTORY
131The
132.Fn chroot
133system call appeared in
134.At v7 .
135It was marked as
136.Dq legacy
137in
138.St -susv2 ,
139and was removed in subsequent standards.
140.Sh BUGS
141If the process is able to change its working directory to the target
142directory, but another access control check fails (such as a check for
143open directories, or a MAC check), it is possible that this system
144call may return an error, with the working directory of the process
145left changed.
146.Sh SECURITY CONSIDERATIONS
147The system has many hardcoded paths to files which it may load after
148the process starts.
149It is generally recommended to drop privileges immediately after a
150successful
151.Nm
152call,
153and restrict write access to a limited subtree of the
154.Nm
155root.
156For instance,
157setup the sandbox so that the sandboxed user will have no write
158access to any well-known system directories.
159.Pp
160For complete isolation from the rest of the system, use
161.Xr jail 2
162instead.
163