1.\" Copyright (c) 1983, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)chroot.2 8.1 (Berkeley) 6/4/93 29.\" $FreeBSD$ 30.\" 31.Dd September 29, 2020 32.Dt CHROOT 2 33.Os 34.Sh NAME 35.Nm chroot 36.Nd change root directory 37.Sh LIBRARY 38.Lb libc 39.Sh SYNOPSIS 40.In unistd.h 41.Ft int 42.Fn chroot "const char *dirname" 43.Sh DESCRIPTION 44The 45.Fa dirname 46argument 47is the address of the pathname of a directory, terminated by an ASCII NUL. 48The 49.Fn chroot 50system call causes 51.Fa dirname 52to become the root directory, 53that is, the starting point for path searches of pathnames 54beginning with 55.Ql / . 56.Pp 57In order for a directory to become the root directory 58a process must have execute (search) access for that directory. 59.Pp 60It should be noted that 61.Fn chroot 62has no effect on the process's current directory. 63.Pp 64This call is restricted to the super-user. 65.Pp 66Depending on the setting of the 67.Ql kern.chroot_allow_open_directories 68sysctl variable, open filedescriptors which reference directories 69will make the 70.Fn chroot 71fail as follows: 72.Pp 73If 74.Ql kern.chroot_allow_open_directories 75is set to zero, 76.Fn chroot 77will always fail with 78.Er EPERM 79if there are any directories open. 80.Pp 81If 82.Ql kern.chroot_allow_open_directories 83is set to one (the default), 84.Fn chroot 85will fail with 86.Er EPERM 87if there are any directories open and the 88process is already subject to the 89.Fn chroot 90system call. 91.Pp 92Any other value for 93.Ql kern.chroot_allow_open_directories 94will bypass the check for open directories, 95mimicking the historic insecure behavior of 96.Fn chroot 97still present on other systems. 98.Sh RETURN VALUES 99.Rv -std 100.Sh ERRORS 101The 102.Fn chroot 103system call 104will fail and the root directory will be unchanged if: 105.Bl -tag -width Er 106.It Bq Er ENOTDIR 107A component of the path name is not a directory. 108.It Bq Er EPERM 109The effective user ID is not the super-user, or one or more 110filedescriptors are open directories. 111.It Bq Er ENAMETOOLONG 112A component of a pathname exceeded 255 characters, 113or an entire path name exceeded 1023 characters. 114.It Bq Er ENOENT 115The named directory does not exist. 116.It Bq Er EACCES 117Search permission is denied for any component of the path name. 118.It Bq Er ELOOP 119Too many symbolic links were encountered in translating the pathname. 120.It Bq Er EFAULT 121The 122.Fa dirname 123argument 124points outside the process's allocated address space. 125.It Bq Er EIO 126An I/O error occurred while reading from or writing to the file system. 127.It Bq Er EINTEGRITY 128Corrupted data was detected while reading from the file system. 129.El 130.Sh SEE ALSO 131.Xr chdir 2 , 132.Xr jail 2 133.Sh HISTORY 134The 135.Fn chroot 136system call appeared in 137.At v7 . 138It was marked as 139.Dq legacy 140in 141.St -susv2 , 142and was removed in subsequent standards. 143.Sh BUGS 144If the process is able to change its working directory to the target 145directory, but another access control check fails (such as a check for 146open directories, or a MAC check), it is possible that this system 147call may return an error, with the working directory of the process 148left changed. 149.Sh SECURITY CONSIDERATIONS 150The system have many hardcoded paths to files where it may load after 151the process starts. 152It is generally recommended to drop privileges immediately after a 153successful 154.Nm 155call, 156and restrict write access to a limited subtree of the 157.Nm 158root, 159for instance, 160setup the sandbox so that the sandboxed user will have no write 161access to any well-known system directories. 162.Pp 163For complete isolation from the rest of the system, use 164.Xr jail 2 165instead. 166