The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
A chroot operation changes the apparent root directory for a running process and its children. It allows you to run a program with a root directory other than /. The program cannot see or access files outside the designated directory tree. Such an artificial root directory is called a chroot jail, and its purpose is to limit the directory access of a potential attacker. The chroot jail locks down a given process and any user ID that it is using so that all they see is the directory in which the process is running. To the process, it appears that the directory in which it is running is the root directory.
The chroot mechanism cannot defend against intentional tampering or low-level access to system devices by privileged users. For example, a chroot root user could create device nodes and mount file systems on them. A program can also break out of a chroot jail if it can gain root privilege and use chroot() to change its current working directory to the real root directory. For this reason, you should ensure that a chroot jail does not contain any setuid or setgid executables that are owned by root.
For a chroot process to be able to start successfully, you must populate the chroot directory with all required program files, configuration files, device nodes, and shared libraries at their expected locations relative to the level of the chroot directory.
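After populating a jail, the advice above about root-owned setuid and setgid executables can be checked with a short audit. The following is an added example, not part of the original documentation; the function name audit_chroot_jail and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a chroot jail for setuid/setgid regular files
# owned by a given UID. The function name and arguments are hypothetical.
#
# Usage: audit_chroot_jail JAIL [OWNER_UID]
#   Prints one "ls -ln" line per finding (numeric owner and mode shown).
#   Returns 0 if the jail is clean, 1 if findings exist,
#   2 if JAIL is not a directory.
audit_chroot_jail() {
    jail=$1
    owner_uid=${2:-0}    # default: files owned by root (UID 0)

    if [ ! -d "$jail" ]; then
        echo "not a directory: $jail" >&2
        return 2
    fi

    # -xdev        stay on the jail's own file system; file systems
    #              mounted below the jail need a separate run
    # -type f      regular files only; symbolic links are not followed,
    #              so a link pointing outside the jail is not reported
    # -perm -4000  setuid bit set
    # -perm -2000  setgid bit set
    findings=$(find "$jail" -xdev -type f -uid "$owner_uid" \
        \( -perm -4000 -o -perm -2000 \) -exec ls -ln {} +)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

A non-zero return status makes the function usable as a gate in a provisioning script that builds the jail.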