chroot is a shell command and a system call on Unix and Unix-like operating systems that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term ''chroot'' may refer to the system call or the command-line utility. The modified environment is called a chroot jail.
History
The chroot system call was introduced during development of Version 7 Unix in 1979. One source suggests that Bill Joy added it on 18 March 1982 – 17 months before 4.2BSD was released – in order to test its installation and build system. All versions of BSD that had a kernel have chroot(2). An early use of the term "jail" as applied to chroot comes from Bill Cheswick creating a honeypot to monitor a hacker in 1991.
The first article about a chroot jailbreak was discussed in Carole Fennelly's security column in SunWorld Online; the January 1999 and August 1999 editions cover most of the chroot() topics.
To make it useful for virtualization, FreeBSD expanded the concept and in its 4.0 release in 2000 introduced the jail command.
By 2002, an article written by Nicolas Boiteux described how to create a jail on Linux.
By 2003, the first Internet microservice providers were using Linux jails to offer SaaS/PaaS services (shell containers, proxies, ircd, bots, ...) billed by usage inside the jail.
By 2005, Sun released Solaris Containers (also known as Solaris Zones), described as "chroot on steroids."
By 2008, LXC (upon which Docker was later built) adopted the "container" terminology, and gained popularity in 2013 after user namespaces were included in Linux kernel 3.8.
Uses
A chroot environment can be used to create and host a separate
virtualized copy of the software system. This can be useful for:
; Testing and development : A test environment can be set up in the chroot for software that would otherwise be too risky to deploy on a production system.
; Dependency control : Software can be developed, built and tested in a chroot populated only with its expected dependencies. This can prevent some kinds of linkage skew that can result from developers building projects with different sets of program libraries installed.
; Compatibility : Legacy software or software using a different ABI must sometimes be run in a chroot because its supporting libraries or data files may otherwise clash in name or linkage with those of the host system.
; Recovery : Should a system be rendered unbootable, a chroot can be used to move back into the damaged environment after bootstrapping from an alternate root file system (such as from installation media, or a Live CD).
; Privilege separation : Programs are allowed to carry open file descriptors (for files, pipes and network connections) into the chroot, which can simplify jail design by making it unnecessary to leave working files inside the chroot directory. This also simplifies the common arrangement of running the potentially vulnerable parts of a privileged program in a sandbox, in order to pre-emptively contain a security breach. Note that chroot is not necessarily enough to contain a process with root privileges.
Limitations
The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. A notable exception is NetBSD, on which chroot is considered a security mechanism and no escapes are known. On most systems, chroot contexts do not stack properly, and chrooted programs with sufficient privileges may perform a second chroot to break out: chroot(2) changes only the root directory, not the current working directory, so a process that is still root inside the jail can chroot into a subdirectory while keeping a working directory outside that new root. To mitigate the risk of this security weakness, chrooted programs should relinquish root privileges as soon as practical after chrooting, or other mechanisms – such as FreeBSD jails – should be used instead. Note that some systems, such as FreeBSD, take precautions to prevent a second chroot attack.
On systems that support device nodes on ordinary filesystems, a chrooted root user can still create device nodes and mount file systems on them; thus, the chroot mechanism is not intended by itself to block low-level access to system devices by privileged users. It is not intended to restrict the use of resources like I/O, bandwidth, disk space or CPU time. Most Unixes are not completely file system-oriented and leave potentially disruptive functionality like networking and process control available through the system call interface to a chrooted program.
At startup, programs expect to find scratch space, configuration files, device nodes and shared libraries at certain preset locations. For a chrooted program to start successfully, the chroot directory must be populated with a minimum set of these files. This can make chroot difficult to use as a general sandboxing mechanism. Tools such as Jailkit can help to ease and automate this process.
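The populate step described above, as an added example that is not part of the original page and is not Jailkit's code: it copies one trusted host binary plus the shared objects ldd reports for it into a jail directory at the same absolute paths, then checks that nothing is missing. The jail_* helper names are invented for this example; it assumes a host with ldd and awk and needs no root, because the jail is only populated, not entered.

```shell
#!/bin/sh
# Added example (not from the page or from Jailkit): copy one trusted host
# binary and the shared libraries ldd reports for it into a jail, then
# verify the jail has everything that binary needs to start.
# Helper names (jail_*) are hypothetical.
set -u

# Print the absolute paths of the shared objects a binary is linked against,
# one per line. ldd may run the binary's dynamic loader, so only use this on
# binaries you trust (the host's own tools, never something supplied by a
# jailed user). Static binaries and hosts without ldd yield an empty list.
jail_deps() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into the jail at the same absolute path, dereferencing
# symlinks so the jail gets a real file (the loader, e.g. /lib64/ld-*.so.2,
# is looked up by that exact path at exec time).
jail_install_file() {
    mkdir -p "$1$(dirname "$2")"
    cp -L "$2" "$1$2"
}

# Install a binary and its dependencies: jail_install_binary JAIL /bin/sh
jail_install_binary() {
    jail_install_file "$1" "$2"
    for lib in $(jail_deps "$2"); do
        jail_install_file "$1" "$lib"
    done
}

# Return 0 only if the binary and every library it needs exist in the jail.
jail_check_binary() {
    [ -x "$1$2" ] || return 1
    for lib in $(jail_deps "$2"); do
        [ -e "$1$lib" ] || return 1
    done
    return 0
}

# Usage (no root needed; nothing is mounted or entered here):
#   J=$(mktemp -d); jail_install_binary "$J" /bin/sh
#   jail_check_binary "$J" /bin/sh && echo "jail ready for /bin/sh"
```

Run jail_install_binary once per program the jailed service will execute. ldd only covers link-time dependencies; programs that dlopen modules at run time, consult /etc/nsswitch.conf, or need locale or device files still have to be provisioned by hand, which is the part of the job the paragraph above says makes chroot awkward as a general sandbox.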
Only the root user (on Linux, a process holding the CAP_SYS_CHROOT capability) can perform a chroot. This is intended to prevent users from putting a setuid program inside a specially crafted chroot jail (for example, one containing forged copies of the system files the program trusts) that would fool it into a privilege escalation.
Some Unixes offer extensions of the chroot mechanism to address at least some of these limitations (see Implementations of operating system-level virtualization technology).
Graphical applications on chroot
It is possible to run graphical applications on a chrooted environment, using methods such as:
* Use xhost (or copy the secret from .Xauthority); note that xhost + disables X access control for every local client, so copying the cookie is the narrower option
* Nested X servers like Xnest or the more modern Xephyr (or start a real X server from inside the jail)
* Accessing the chroot via SSH using the X11 forwarding (ssh -X) feature
* xchroot, an extended version of chroot for users and Xorg/X11 forwarding (socat/mount)
* An X11 VNC server inside the chroot, with a VNC client connecting from outside the environment
* Atoms, a Linux chroot management tool with a graphical interface
Notable applications
The Postfix mail transfer agent may operate as a pipeline of individually chrooted helper programs.
Like 4.2BSD before it, the Debian and Ubuntu internal package-building farms use chroots extensively to catch unintentional build dependencies between packages. SUSE uses a similar method with its ''build'' program. Fedora, Red Hat, and various other RPM-based distributions build all RPMs using a chroot tool such as mock.
Many FTP servers for POSIX systems use the chroot mechanism to sandbox untrusted FTP clients. This may be done by forking a process to handle an incoming connection, then chrooting the child (to avoid having to populate the chroot with libraries required for program startup).
If privilege separation is enabled, the OpenSSH daemon will chroot an unprivileged helper process into an empty directory to handle pre-authentication network traffic for each client. The daemon can also sandbox SFTP and shell sessions in a chroot (from version 4.9p1 onwards).
ChromeOS can use a chroot to run a Linux instance using Crouton, providing an otherwise thin OS with access to hardware resources. The security implications discussed in this article apply here.
Linux host kernel virtual file systems and configuration files
To have a functional chroot environment on Linux, the kernel virtual file systems and some configuration files also have to be mounted or copied from the host into the chroot. Note that mounting devtmpfs exposes every host device node to the jail, and proc exposes the host process table; this is the "low-level access to system devices" caveat from the Limitations section, not a sandbox boundary.
# Mount Kernel Virtual File Systems (run as root; TARGETDIR must be an absolute
# path to an existing directory, otherwise these mounts land on the host's own
# /proc, /sys and /dev)
TARGETDIR="/mnt/chroot"
mount -t proc proc "$TARGETDIR/proc"
mount -t sysfs sysfs "$TARGETDIR/sys"
mount -t devtmpfs devtmpfs "$TARGETDIR/dev"
mount -t tmpfs tmpfs "$TARGETDIR/dev/shm"
mount -t devpts devpts "$TARGETDIR/dev/pts"
# Copy /etc/hosts
/bin/cp -f /etc/hosts "$TARGETDIR/etc/"
# Copy /etc/resolv.conf
/bin/cp -f /etc/resolv.conf "$TARGETDIR/etc/resolv.conf"
# Link /etc/mtab (on modern distributions it is already a symlink to /proc/self/mounts)
chroot "$TARGETDIR" rm /etc/mtab 2> /dev/null
chroot "$TARGETDIR" ln -s /proc/mounts /etc/mtab
# When finished, unmount in reverse order (dev/pts and dev/shm before dev),
# since a parent mount cannot be detached while a child is still mounted under it.
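The mount sequence above, the privilege-separation use case, and the Limitations advice to give up root as soon as practical after chrooting, combined into one added example that is not part of the original page: helpers that refuse jail paths which would make the mounts act on the host, tear the mounts down in the correct order, and run a command inside the jail as an unprivileged user. The jail_* names are invented for this example; it assumes GNU coreutils chroot (the --userspec option is not POSIX), and mounting or entering the jail requires root. Only the path check and the ordering helpers run without privileges.

```shell
#!/bin/sh
# Added example (not from the page): the page's mount sequence wrapped in
# helpers that refuse unsafe jail paths, tear the mounts down in the right
# order, and run a command in the jail as an unprivileged user.
# Helper names (jail_*) are hypothetical; "chroot --userspec" is a GNU
# coreutils option, not POSIX. Mounting and chroot require root.
set -u

# Refuse a jail directory that would make the mount commands act on the
# host itself: empty (mounts /proc, /sys, /dev of the host), relative, or /.
jail_check_dir() {
    case $1 in
        "" | /) return 1 ;;
        /*) [ -d "$1" ] ;;
        *) return 1 ;;
    esac
}

# Kernel virtual file systems in mount order: a parent (dev) before its children.
jail_mount_points() {
    printf '%s\n' "$1/proc" "$1/sys" "$1/dev" "$1/dev/shm" "$1/dev/pts"
}

# Unmount order is the reverse: detaching dev while dev/pts is still
# mounted under it fails with EBUSY.
jail_umount_points() {
    jail_mount_points "$1" | sed -n '1!G;h;$p'
}

jail_mount() {
    jail_check_dir "$1" || { echo "jail_mount: refusing '$1'" >&2; return 1; }
    mkdir -p "$1/proc" "$1/sys" "$1/dev"
    mount -t proc proc "$1/proc"
    mount -t sysfs sysfs "$1/sys"
    mount -t devtmpfs devtmpfs "$1/dev"   # exposes every host device node to the jail
    mkdir -p "$1/dev/shm" "$1/dev/pts"
    mount -t tmpfs tmpfs "$1/dev/shm"
    mount -t devpts devpts "$1/dev/pts"
}

jail_umount() {
    jail_check_dir "$1" || return 1
    for m in $(jail_umount_points "$1"); do umount "$m"; done
}

# Run a command inside the jail as USER:GROUP. GNU chroot calls chdir("/")
# after chroot(2) and switches uid/gid before exec, so the command is never
# root inside the jail and cannot call chroot(2) a second time to escape.
jail_run() {
    jail_check_dir "$1" || return 1
    _jail=$1; _spec=$2; shift 2
    chroot --userspec="$_spec" "$_jail" "$@"
}

# Usage (as root): sh jail.sh /mnt/chroot nobody:nogroup /bin/sh -c id
if [ $# -ge 3 ]; then
    _j=$1; _u=$2; shift 2
    jail_mount "$_j" && jail_run "$_j" "$_u" "$@"
    jail_umount "$_j"
fi
```

Any open descriptors the caller holds (a log file, a listening socket) are inherited by the command that jail_run starts, which is the descriptor-passing arrangement the Privilege separation item describes. Pass --groups to chroot as well if the supplementary group list matters for your service; the helper leaves it at coreutils' default.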
See also
* List of Unix commands
* Operating system-level virtualization
* Sandbox (computer security)
* sudo
External links
* Integrating GNU/Linux with Android using chroot