A chroot operation changes the apparent root directory for a running
process and its children. It allows you to run a program with a root directory other than
/. The program cannot see or access files outside the designated
directory tree by ordinary path lookup. Such an artificial root directory is called a chroot
jail, and its purpose is to limit the directory access of a potential attacker. The
chroot jail confines a given process, and any user ID that it runs as, so that all they see
is the directory tree in which the process is running. To the process, it appears that the
directory in which it is running is the root directory.
The chroot mechanism cannot defend against intentional tampering or
low-level access to system devices by privileged users, because chroot() restricts
only path-name resolution, not privilege. For example, a root user inside a
chroot jail could create device nodes with mknod and mount file systems on them,
reaching the underlying disks directly. A program can also break out of a chroot
jail if it can gain root privilege: a root process can call chroot() on a
subdirectory of the jail, which does not change its current working directory,
and then walk upward with chdir("..") until it reaches the real root directory.
For this reason, you should ensure that a chroot jail does not contain any setuid
or setgid executables that are owned by root, and that the jailed service drops
root privilege as early as possible. Treat chroot as a hardening measure, not as
a security boundary on its own.
For a chroot process to start successfully, you must populate the chroot directory with all required program files, configuration files, device nodes, and shared libraries at their expected locations relative to the chroot directory. For a dynamically linked program, ldd lists the shared libraries (and the dynamic loader) that must be present.
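The following script is an added example, not code from the original page: it builds a minimal jail for one or more dynamically linked programs by copying each binary and the libraries that ldd reports for it, creates the device nodes most programs expect, and then audits the jail for setuid or setgid executables as the text above recommends. The audit is stricter than the text: it flags any setuid/setgid file, not only root-owned ones, and prints the owner so you can decide. It assumes a Linux /dev layout (the major/minor numbers for null, zero, random and urandom are the Linux values), that ldd is installed, and that it is run as root when actually building a jail; the audit and ldd-parsing functions work unprivileged.

```shell
#!/bin/sh
# Added example (not part of the original page): build and audit a chroot jail.
# Assumptions: POSIX sh, find and cp; ldd present; Linux device numbers.
set -eu

# Keep only the absolute paths from ldd output read on stdin, e.g.
#   "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"   -> third field
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"                     -> first field
# Entries such as "linux-vdso.so.1 (0x...)" carry no path and are dropped.
lib_paths_from_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into the jail at the same path, creating parent directories.
# cp -p follows symlinks, so the jail gets the real library contents.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Install a program plus every shared library (and the loader) it needs.
install_program() {
    jail=$1; prog=$2
    bin=$(command -v "$prog")
    copy_into_jail "$jail" "$bin"
    ldd "$bin" | lib_paths_from_ldd | while read -r lib; do
        copy_into_jail "$jail" "$lib"
    done
}

# Create the character devices most programs need. Requires root (mknod).
# Deliberately no disk or memory devices: they would defeat the jail.
make_dev_nodes() {
    jail=$1
    mkdir -p "$jail/dev"
    mknod -m 666 "$jail/dev/null"    c 1 3
    mknod -m 666 "$jail/dev/zero"    c 1 5
    mknod -m 666 "$jail/dev/random"  c 1 8
    mknod -m 666 "$jail/dev/urandom" c 1 9
}

# List every setuid or setgid file in the jail with its owner.
# Returns 0 when the jail is clean, 1 when any such file exists.
audit_setuid() {
    jail=$1
    find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
    n=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | wc -l)
    n=$((n + 0))          # strip the padding BSD wc adds
    [ "$n" -eq 0 ]
}

# Usage: build_jail.sh /path/to/jail prog [prog ...]
main() {
    jail=$1; shift
    mkdir -p "$jail"
    for prog in "$@"; do
        install_program "$jail" "$prog"
    done
    make_dev_nodes "$jail"
    if audit_setuid "$jail"; then
        echo "jail $jail is free of setuid/setgid files"
    else
        echo "WARNING: setuid/setgid files found in $jail (listed above)" >&2
    fi
    echo "enter with: chroot $jail /$(basename "$(command -v "$1")")"
}

if [ "$#" -ge 2 ] && [ "$(id -u)" -eq 0 ]; then
    main "$@"
fi
```

Run it as root with the jail path and the programs to install, for example the shell and ls; for a real service, add its configuration files under the jail's etc directory and confirm the service drops privileges after chroot. Re-run audit_setuid whenever the jail's contents change.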