| chroot | |
|---|---|
| Example usage of chroot in Raspberry Pi OS running an interactive shell within a special root directory | |
| Original authors | Bill Joy, AT&T Bell Laboratories |
| Developers | Various open-source and commercial developers |
| Initial release | 1979 |
| Operating system | Unix, Unix-like, Plan 9, Inferno |
| Platform | Cross-platform |
| Type | Command |
chroot is a shell command and a system call on Unix and Unix-like operating systems that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term chroot may refer to the chroot(2) system call or the chroot(8) command-line utility. The modified environment is called a chroot jail.
The chroot system call was introduced during development of Version 7 Unix in 1979. One source suggests that Bill Joy added it on 18 March 1982 – 17 months before 4.2BSD was released – in order to test its installation and build system.[1] All versions of BSD that had a kernel have chroot(2).[2][3] An early use of the term "jail" as applied to chroot comes from Bill Cheswick creating a honeypot to monitor a hacker in 1991.[4]
The first article about a jailbreak was published in the security column of SunWorld Online, written by Carole Fennelly; the August 1999 and January 1999 editions cover most of the chroot() topics.[5]
To make it useful for virtualization, FreeBSD expanded the concept and in its 4.0 release in 2000 introduced the jail command.[6]
By 2002, an article written by Nicolas Boiteux described how to create a jail on Linux.[7]
By 2003, the first internet microservices providers with Linux jails were providing SaaS/PaaS services (shell containers, proxy, ircd, bots, ...) inside the jail, billed by consumption.[8]
By 2005, Sun released Solaris Containers (also known as Solaris Zones), described as "chroot on steroids."[9]
By 2008, LXC (upon which Docker was later built) adopted the "container" terminology[10] and gained popularity in 2013 due to the inclusion of user namespaces into Linux kernel 3.8.[11]
A chroot environment can be used to create and host a separate virtualized copy of the software system. This can be useful for:
The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. A notable exception is NetBSD, on which chroot is considered a security mechanism and no escapes are known. On most systems, chroot contexts do not stack properly and chrooted programs with sufficient privileges may perform a second chroot to break out. To mitigate the risk of this security weakness, chrooted programs should relinquish root privileges as soon as practical after chrooting, or other mechanisms – such as FreeBSD jails – should be used instead. Note that some systems, such as FreeBSD, take precautions to prevent a second chroot attack.[12]
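The mitigation just described, as an added example that is not part of the original article: a Python sketch, using the os module's wrappers for chroot(2), setgroups, setgid and setuid, of the safe order (chroot, chdir to the new root, then drop root) followed by a check that root cannot be regained. The function names and the use of uid/gid 65534 as the unprivileged identity are assumptions of the example; it forks first so that only the child is confined, the same fork-then-chroot pattern the server usages later in the article rely on.

```python
import os
import tempfile

# Conventional "nobody" uid/gid: a constructed default, not a value from the article.
NOBODY_UID = 65534
NOBODY_GID = 65534


def jail_and_drop(root, uid=NOBODY_UID, gid=NOBODY_GID):
    """Enter the chroot, then irrevocably drop root. Returns True only when
    privileges really are gone (a later setuid(0) is refused)."""
    os.chdir(root)        # chroot() does not move the cwd, so move it first
    os.chroot(root)
    os.chdir("/")         # and again, so cwd is the new root, not a path outside it
    # Drop privileges in the order that cannot be undone: groups, gid, then uid.
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # A chrooted process that is still root could chroot() again and escape,
    # so verify root is really gone before touching untrusted input.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False          # still root: the jail is not a security boundary


def jail_in_child(root, uid=NOBODY_UID, gid=NOBODY_GID):
    """Fork, confine only the child, and report what happened, so the parent
    stays unconfined (the fork-then-chroot pattern network servers use)."""
    pid = os.fork()
    if pid == 0:                  # child: enter the jail and never return
        try:
            os._exit(0 if jail_and_drop(root, uid, gid) else 2)
        except PermissionError:   # unprivileged caller: chroot(2) needs root
            os._exit(3)
        except OSError:           # e.g. the directory does not exist
            os._exit(4)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return {0: "jailed", 2: "still-root", 3: "eperm"}.get(code, "failed")


def demo():
    """Try the sequence on a fresh, empty directory created here (not a real jail)."""
    return jail_in_child(tempfile.mkdtemp(prefix="jail-"))

if __name__ == "__main__":
    print(demo())
```

Run as root the child reports "jailed" (and the check that setuid(0) is refused passes); run unprivileged it reports "eperm", because chroot(2) itself requires root, as the article notes.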
On systems that support device nodes on ordinary filesystems, a chrooted root user can still create device nodes and mount the file systems on them; thus, the chroot mechanism is not intended by itself to be used to block low-level access to system devices by privileged users. It is not intended to restrict the use of resources like I/O, bandwidth, disk space or CPU time. Most Unixes are not completely file system-oriented and leave potentially disruptive functionality like networking and process control available through the system call interface to a chrooted program.
At startup, programs expect to find scratch space, configuration files, device nodes and shared libraries at certain preset locations. For a chrooted program to successfully start, the chroot directory must be populated with a minimum set of these files. This can make chroot difficult to use as a general sandboxing mechanism. Tools such as Jailkit can help to ease and automate this process.
Only the root user can perform a chroot. This is intended to prevent users from putting a setuid program inside a specially crafted chroot jail (for example, with a fake /etc/passwd and /etc/shadow file) that would fool it into a privilege escalation.
Some Unixes offer extensions of the chroot mechanism to address at least some of these limitations (see Implementations of operating system-level virtualization technology).
It is possible to run graphical applications in a chrooted environment, using methods such as:[13][14]
The Postfix mail transfer agent may operate as a pipeline of individually chrooted helper programs.[16]
Like 4.2BSD before it, the Debian and Ubuntu internal package-building farms use chroots extensively to catch unintentional build dependencies between packages. SUSE uses a similar method with its build program. Fedora, Red Hat, and various other RPM-based distributions build all RPMs using a chroot tool such as mock.
ManyFTP servers for POSIX systems use the chroot mechanism to sandbox untrusted FTP clients. This may be done by forking a process to handle an incoming connection, then chrooting the child (to avoid having to populate the chroot with libraries required for program startup).
If privilege separation is enabled, the OpenSSH daemon will chroot an unprivileged helper process into an empty directory to handle pre-authentication network traffic for each client. The daemon can also sandbox SFTP and shell sessions in a chroot (from version 4.9p1 onwards).[17]
ChromeOS can use a chroot to run a Linux instance using Crouton,[18] providing an otherwise thin OS with access to hardware resources. The security implications discussed in this article apply here as well.
To have a functional chroot environment on Linux, the kernel virtual file systems and configuration files also have to be mounted or copied from the host into the chroot.

```bash
# Mount kernel virtual file systems
TARGETDIR="/mnt/chroot"
mount -t proc proc "$TARGETDIR/proc"
mount -t sysfs sysfs "$TARGETDIR/sys"
mount -t devtmpfs devtmpfs "$TARGETDIR/dev"
mount -t tmpfs tmpfs "$TARGETDIR/dev/shm"
mount -t devpts devpts "$TARGETDIR/dev/pts"

# Copy /etc/hosts
/bin/cp -f /etc/hosts "$TARGETDIR/etc/"

# Copy /etc/resolv.conf
/bin/cp -f /etc/resolv.conf "$TARGETDIR/etc/resolv.conf"

# Link /etc/mtab to the kernel's mount table inside the chroot
chroot "$TARGETDIR" rm /etc/mtab 2> /dev/null
chroot "$TARGETDIR" ln -s /proc/mounts /etc/mtab
```