chroot

Every process on Linux and Unix-like systems has a root directory: the directory it sees as /. You can change it with the chroot command, which changes the root directory for the current running process and all of its children.


What is chroot?

Chroot is an operation that changes the apparent root directory for the current running process and its children. It creates a virtualized environment on Unix and Unix-like operating systems, separated from the main operating system and directory structure. A program run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. This confined environment is often called a "chroot jail". Only a privileged process (the root user) can use the chroot command. POSIX systems have also used chroot for their FTP servers, to isolate untrusted FTP clients.

(Figure: chroot structure)


When is it used?

A chroot environment can be used to create and host a separate virtualized copy of a software system. This is useful for:

  • Privilege separation for unprivileged processes such as a web server or DNS server.
  • Setting up a test environment.
  • Running old programs, or programs with ABI incompatibilities, without crashing the application or the system.
  • System recovery.
  • Reinstalling a bootloader such as GRUB or LILO.
  • Password recovery: resetting a forgotten password, and more.

Limitations

The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. On most systems, chroot contexts do not stack properly and chrooted programs with sufficient privileges may perform a second chroot to break out. To mitigate the risk of this security weakness, chrooted programs should relinquish root privileges as soon as practical after chrooting, or other mechanisms – such as FreeBSD Jails – should be used instead. Note that some systems, such as FreeBSD, take precautions to prevent the second chroot attack.

Syntax

The basic syntax is as follows:

  chroot /path/to/new/root command

OR

  chroot /path/to/new/root /path/to/server

OR

  chroot [options] /path/to/new/root /path/to/server
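As an added example (not code from the original article), the script below builds the minimal directory tree a command needs inside /path/to/new/root, resolving its shared libraries with ldd, and then runs it with GNU chroot's --userspec option so the jailed process starts without root privileges, as the Limitations section recommends. It assumes GNU coreutils on Linux; the uid/gid 65534 (nobody) is a chosen value.

```shell
#!/bin/sh
# Added example: populate a chroot jail with one binary and its libraries,
# then run it as an unprivileged user. Assumes GNU coreutils chroot and ldd.
set -eu

# Print the absolute paths of the shared libraries $1 needs, one per line.
# A statically linked binary, or a system without ldd, yields an empty list.
list_deps() {
    bin=$1
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | awk '
        /=>/              { print $3 }   # libc.so.6 => /lib/libc.so.6 (0x...)
        /^[[:space:]]*\// { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    ' | grep '^/' | sort -u || true
}

# Copy one host file into the jail, keeping its absolute path under $root.
install_into() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp "$src" "$root$src"
}

# Build the jail tree in $1 for the binary $2 (binary plus every dependency).
build_jail() {
    root=$1; bin=$2
    mkdir -p "$root/dev" "$root/tmp"
    install_into "$root" "$bin"
    for lib in $(list_deps "$bin"); do
        if [ -e "$lib" ]; then
            install_into "$root" "$lib"
        fi
    done
}

# Run a command inside the jail as uid:gid 65534 (nobody), so the confined
# process has no root privileges and cannot call chroot itself. Needs root.
run_jailed() {
    root=$1; shift
    chroot --userspec=65534:65534 "$root" "$@"
}

# Usage (as root):
#   JAIL=$(mktemp -d); build_jail "$JAIL" /bin/sh
#   run_jailed "$JAIL" /bin/sh -c 'id; ls /'
```

Inside the jail `ls /` shows only the copied tree, and `id` reports uid 65534, confirming both the confinement and the privilege drop.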