xref: /freebsd-14.2/lib/libc/sys/chroot.2 (revision b2c76c41)
.\" Copyright (c) 1983, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)chroot.2	8.1 (Berkeley) 6/4/93
.\"
.Dd September 29, 2020
.Dt CHROOT 2
.Os
.Sh NAME
.Nm chroot
.Nd change root directory
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In unistd.h
.Ft int
.Fn chroot "const char *dirname"
.Sh DESCRIPTION
The
.Fa dirname
argument
is the address of the pathname of a directory, terminated by an ASCII NUL.
The
.Fn chroot
system call causes
.Fa dirname
to become the root directory,
that is, the starting point for path searches of pathnames
beginning with
.Ql / .
.Pp
In order for a directory to become the root directory
a process must have execute (search) access for that directory.
.Pp
It should be noted that
.Fn chroot
has no effect on the process's current directory.
.Pp
This call is restricted to the super-user.
.Pp
Depending on the setting of the
.Ql kern.chroot_allow_open_directories
sysctl variable, open file descriptors which reference directories
will make the
.Fn chroot
fail as follows:
.Pp
If
.Ql kern.chroot_allow_open_directories
is set to zero,
.Fn chroot
will always fail with
.Er EPERM
if there are any directories open.
.Pp
If
.Ql kern.chroot_allow_open_directories
is set to one (the default),
.Fn chroot
will fail with
.Er EPERM
if there are any directories open and the
process is already subject to the
.Fn chroot
system call.
.Pp
Any other value for
.Ql kern.chroot_allow_open_directories
will bypass the check for open directories,
mimicking the historic insecure behavior of
.Fn chroot
still present on other systems.
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
The
.Fn chroot
system call
will fail and the root directory will be unchanged if:
.Bl -tag -width Er
.It Bq Er ENOTDIR
A component of the path name is not a directory.
.It Bq Er EPERM
The effective user ID is not the super-user, or one or more
file descriptors are open directories.
.It Bq Er ENAMETOOLONG
A component of a pathname exceeded 255 characters,
or an entire path name exceeded 1023 characters.
.It Bq Er ENOENT
The named directory does not exist.
.It Bq Er EACCES
Search permission is denied for any component of the path name.
.It Bq Er ELOOP
Too many symbolic links were encountered in translating the pathname.
.It Bq Er EFAULT
The
.Fa dirname
argument
points outside the process's allocated address space.
.It Bq Er EIO
An I/O error occurred while reading from or writing to the file system.
.It Bq Er EINTEGRITY
Corrupted data was detected while reading from the file system.
.El
.Sh SEE ALSO
.Xr chdir 2 ,
.Xr jail 2
.Sh HISTORY
The
.Fn chroot
system call appeared in
.At v7 .
It was marked as
.Dq legacy
in
.St -susv2 ,
and was removed in subsequent standards.
.Sh BUGS
If the process is able to change its working directory to the target
directory, but another access control check fails (such as a check for
open directories, or a MAC check), it is possible that this system
call may return an error, with the working directory of the process
left changed.
.Sh SECURITY CONSIDERATIONS
The system has many hardcoded paths to files which it may load after
the process starts.
It is generally recommended to drop privileges immediately after a
successful
.Nm
call,
and restrict write access to a limited subtree of the
.Nm
root.
For instance,
set up the sandbox so that the sandboxed user will have no write
access to any well-known system directories.
.Pp
For complete isolation from the rest of the system, use
.Xr jail 2
instead.
165