1 .\" Copyright (c) 1983, 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. Neither the name of the University nor the names of its contributors
13 .\" may be used to endorse or promote products derived from this software
14 .\" without specific prior written permission.
16 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" @(#)chroot.2 8.1 (Berkeley) 6/4/93
30 .Dd September 29, 2020
35 .Nd change root directory
41 .Fn chroot "const char *dirname"
46 is the address of the pathname of a directory, terminated by an ASCII NUL.
51 to become the root directory,
52 that is, the starting point for path searches of pathnames
56 In order for a directory to become the root directory
57 a process must have execute (search) access for that directory.
59 It should be noted that
61 has no effect on the process's current directory.
63 This call is restricted to the super-user.
65 Depending on the setting of the
66 .Ql kern.chroot_allow_open_directories
67 sysctl variable, open filedescriptors which reference directories
73 .Ql kern.chroot_allow_open_directories
78 if there are any directories open.
81 .Ql kern.chroot_allow_open_directories
82 is set to one (the default),
86 if there are any directories open and the
87 process is already subject to the
92 .Ql kern.chroot_allow_open_directories
93 will bypass the check for open directories,
94 mimicking the historic insecure behavior of
96 still present on other systems.
103 will fail and the root directory will be unchanged if:
106 A component of the path name is not a directory.
108 The effective user ID is not the super-user, or one or more
109 filedescriptors are open directories.
110 .It Bq Er ENAMETOOLONG
111 A component of a pathname exceeded 255 characters,
112 or an entire path name exceeded 1023 characters.
114 The named directory does not exist.
116 Search permission is denied for any component of the path name.
118 Too many symbolic links were encountered in translating the pathname.
123 points outside the process's allocated address space.
125 An I/O error occurred while reading from or writing to the file system.
127 Corrupted data was detected while reading from the file system.
135 system call appeared in
141 and was removed in subsequent standards.
143 If the process is able to change its working directory to the target
144 directory, but another access control check fails (such as a check for
145 open directories, or a MAC check), it is possible that this system
146 call may return an error, with the working directory of the process
148 .Sh SECURITY CONSIDERATIONS
149 The system has many hardcoded paths to files which it may load after
151 It is generally recommended to drop privileges immediately after a
155 and restrict write access to a limited subtree of the
159 setup the sandbox so that the sandboxed user will have no write
160 access to any well-known system directories.
162 For complete isolation from the rest of the system, use