1.\" Copyright (c) 1983, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)chroot.2 8.1 (Berkeley) 6/4/93 29.\" $FreeBSD$ 30.\" 31.Dd January 3, 2012 32.Dt CHROOT 2 33.Os 34.Sh NAME 35.Nm chroot 36.Nd change root directory 37.Sh LIBRARY 38.Lb libc 39.Sh SYNOPSIS 40.In unistd.h 41.Ft int 42.Fn chroot "const char *dirname" 43.Sh DESCRIPTION 44The 45.Fa dirname 46argument 47is the address of the pathname of a directory, terminated by an ASCII NUL. 48The 49.Fn chroot 50system call causes 51.Fa dirname 52to become the root directory, 53that is, the starting point for path searches of pathnames 54beginning with 55.Ql / . 56.Pp 57In order for a directory to become the root directory 58a process must have execute (search) access for that directory. 59.Pp 60It should be noted that 61.Fn chroot 62has no effect on the process's current directory. 63.Pp 64This call is restricted to the super-user. 65.Pp 66Depending on the setting of the 67.Ql kern.chroot_allow_open_directories 68sysctl variable, open filedescriptors which reference directories 69will make the 70.Fn chroot 71fail as follows: 72.Pp 73If 74.Ql kern.chroot_allow_open_directories 75is set to zero, 76.Fn chroot 77will always fail with 78.Er EPERM 79if there are any directories open. 80.Pp 81If 82.Ql kern.chroot_allow_open_directories 83is set to one (the default), 84.Fn chroot 85will fail with 86.Er EPERM 87if there are any directories open and the 88process is already subject to the 89.Fn chroot 90system call. 91.Pp 92Any other value for 93.Ql kern.chroot_allow_open_directories 94will bypass the check for open directories 95.Sh RETURN VALUES 96.Rv -std 97.Sh ERRORS 98The 99.Fn chroot 100system call 101will fail and the root directory will be unchanged if: 102.Bl -tag -width Er 103.It Bq Er ENOTDIR 104A component of the path name is not a directory. 105.It Bq Er EPERM 106The effective user ID is not the super-user, or one or more 107filedescriptors are open directories. 108.It Bq Er ENAMETOOLONG 109A component of a pathname exceeded 255 characters, 110or an entire path name exceeded 1023 characters. 111.It Bq Er ENOENT 112The named directory does not exist. 113.It Bq Er EACCES 114Search permission is denied for any component of the path name. 115.It Bq Er ELOOP 116Too many symbolic links were encountered in translating the pathname. 117.It Bq Er EFAULT 118The 119.Fa dirname 120argument 121points outside the process's allocated address space. 122.It Bq Er EIO 123An I/O error occurred while reading from or writing to the file system. 124.El 125.Sh SEE ALSO 126.Xr chdir 2 , 127.Xr jail 2 128.Sh HISTORY 129The 130.Fn chroot 131system call appeared in 132.Bx 4.2 . 133It was marked as 134.Dq legacy 135in 136.St -susv2 , 137and was removed in subsequent standards. 138.Sh BUGS 139If the process is able to change its working directory to the target 140directory, but another access control check fails (such as a check for 141open directories, or a MAC check), it is possible that this system 142call may return an error, with the working directory of the process 143left changed. 144.Sh SECURITY CONSIDERATIONS 145The system have many hardcoded paths to files where it may load after 146the process starts. 147It is generally recommended to drop privileges immediately after a 148successful 149.Nm 150call, 151and restrict write access to a limited subtree of the 152.Nm 153root, 154for instance, 155setup the sandbox so that the sandboxed user will have no write 156access to any well-known system directories. 157