1.\" Copyright (c) 1983, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd September 29, 2020 29.Dt CHROOT 2 30.Os 31.Sh NAME 32.Nm chroot 33.Nd change root directory 34.Sh LIBRARY 35.Lb libc 36.Sh SYNOPSIS 37.In unistd.h 38.Ft int 39.Fn chroot "const char *dirname" 40.Sh DESCRIPTION 41The 42.Fa dirname 43argument 44is the address of the pathname of a directory, terminated by an ASCII NUL. 45The 46.Fn chroot 47system call causes 48.Fa dirname 49to become the root directory, 50that is, the starting point for path searches of pathnames 51beginning with 52.Ql / . 53.Pp 54In order for a directory to become the root directory 55a process must have execute (search) access for that directory. 56.Pp 57It should be noted that 58.Fn chroot 59has no effect on the process's current directory. 60.Pp 61This call is restricted to the super-user. 62.Pp 63Depending on the setting of the 64.Ql kern.chroot_allow_open_directories 65sysctl variable, open filedescriptors which reference directories 66will make the 67.Fn chroot 68fail as follows: 69.Pp 70If 71.Ql kern.chroot_allow_open_directories 72is set to zero, 73.Fn chroot 74will always fail with 75.Er EPERM 76if there are any directories open. 77.Pp 78If 79.Ql kern.chroot_allow_open_directories 80is set to one (the default), 81.Fn chroot 82will fail with 83.Er EPERM 84if there are any directories open and the 85process is already subject to the 86.Fn chroot 87system call. 88.Pp 89Any other value for 90.Ql kern.chroot_allow_open_directories 91will bypass the check for open directories, 92mimicking the historic insecure behavior of 93.Fn chroot 94still present on other systems. 95.Sh RETURN VALUES 96.Rv -std 97.Sh ERRORS 98The 99.Fn chroot 100system call 101will fail and the root directory will be unchanged if: 102.Bl -tag -width Er 103.It Bq Er ENOTDIR 104A component of the path name is not a directory. 105.It Bq Er EPERM 106The effective user ID is not the super-user, or one or more 107filedescriptors are open directories. 108.It Bq Er ENAMETOOLONG 109A component of a pathname exceeded 255 characters, 110or an entire path name exceeded 1023 characters. 111.It Bq Er ENOENT 112The named directory does not exist. 113.It Bq Er EACCES 114Search permission is denied for any component of the path name. 115.It Bq Er ELOOP 116Too many symbolic links were encountered in translating the pathname. 117.It Bq Er EFAULT 118The 119.Fa dirname 120argument 121points outside the process's allocated address space. 122.It Bq Er EIO 123An I/O error occurred while reading from or writing to the file system. 124.It Bq Er EINTEGRITY 125Corrupted data was detected while reading from the file system. 126.El 127.Sh SEE ALSO 128.Xr chdir 2 , 129.Xr jail 2 130.Sh HISTORY 131The 132.Fn chroot 133system call appeared in 134.At v7 . 135It was marked as 136.Dq legacy 137in 138.St -susv2 , 139and was removed in subsequent standards. 140.Sh BUGS 141If the process is able to change its working directory to the target 142directory, but another access control check fails (such as a check for 143open directories, or a MAC check), it is possible that this system 144call may return an error, with the working directory of the process 145left changed. 146.Sh SECURITY CONSIDERATIONS 147The system has many hardcoded paths to files which it may load after 148the process starts. 149It is generally recommended to drop privileges immediately after a 150successful 151.Nm 152call, 153and restrict write access to a limited subtree of the 154.Nm 155root. 156For instance, 157setup the sandbox so that the sandboxed user will have no write 158access to any well-known system directories. 159.Pp 160For complete isolation from the rest of the system, use 161.Xr jail 2 162instead. 163