61c4a6f317
1. Note what settings give historic behavior 2. Recommend jail under security considerations.
166 lines
4.9 KiB
Groff
166 lines
4.9 KiB
Groff
.\" Copyright (c) 1983, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)chroot.2 8.1 (Berkeley) 6/4/93
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd September 29, 2020
|
|
.Dt CHROOT 2
|
|
.Os
|
|
.Sh NAME
|
|
.Nm chroot
|
|
.Nd change root directory
|
|
.Sh LIBRARY
|
|
.Lb libc
|
|
.Sh SYNOPSIS
|
|
.In unistd.h
|
|
.Ft int
|
|
.Fn chroot "const char *dirname"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Fa dirname
|
|
argument
|
|
is the address of the pathname of a directory, terminated by an ASCII NUL.
|
|
The
|
|
.Fn chroot
|
|
system call causes
|
|
.Fa dirname
|
|
to become the root directory,
|
|
that is, the starting point for path searches of pathnames
|
|
beginning with
|
|
.Ql / .
|
|
.Pp
|
|
In order for a directory to become the root directory
|
|
a process must have execute (search) access for that directory.
|
|
.Pp
|
|
It should be noted that
|
|
.Fn chroot
|
|
has no effect on the process's current directory.
|
|
.Pp
|
|
This call is restricted to the super-user.
|
|
.Pp
|
|
Depending on the setting of the
|
|
.Ql kern.chroot_allow_open_directories
|
|
sysctl variable, open filedescriptors which reference directories
|
|
will make the
|
|
.Fn chroot
|
|
fail as follows:
|
|
.Pp
|
|
If
|
|
.Ql kern.chroot_allow_open_directories
|
|
is set to zero,
|
|
.Fn chroot
|
|
will always fail with
|
|
.Er EPERM
|
|
if there are any directories open.
|
|
.Pp
|
|
If
|
|
.Ql kern.chroot_allow_open_directories
|
|
is set to one (the default),
|
|
.Fn chroot
|
|
will fail with
|
|
.Er EPERM
|
|
if there are any directories open and the
|
|
process is already subject to the
|
|
.Fn chroot
|
|
system call.
|
|
.Pp
|
|
Any other value for
|
|
.Ql kern.chroot_allow_open_directories
|
|
will bypass the check for open directories,
|
|
mimicking the historic insecure behavior of
|
|
.Fn chroot
|
|
still present on other systems.
|
|
.Sh RETURN VALUES
|
|
.Rv -std
|
|
.Sh ERRORS
|
|
The
|
|
.Fn chroot
|
|
system call
|
|
will fail and the root directory will be unchanged if:
|
|
.Bl -tag -width Er
|
|
.It Bq Er ENOTDIR
|
|
A component of the path name is not a directory.
|
|
.It Bq Er EPERM
|
|
The effective user ID is not the super-user, or one or more
|
|
filedescriptors are open directories.
|
|
.It Bq Er ENAMETOOLONG
|
|
A component of a pathname exceeded 255 characters,
|
|
or an entire path name exceeded 1023 characters.
|
|
.It Bq Er ENOENT
|
|
The named directory does not exist.
|
|
.It Bq Er EACCES
|
|
Search permission is denied for any component of the path name.
|
|
.It Bq Er ELOOP
|
|
Too many symbolic links were encountered in translating the pathname.
|
|
.It Bq Er EFAULT
|
|
The
|
|
.Fa dirname
|
|
argument
|
|
points outside the process's allocated address space.
|
|
.It Bq Er EIO
|
|
An I/O error occurred while reading from or writing to the file system.
|
|
.It Bq Er EINTEGRITY
|
|
Corrupted data was detected while reading from the file system.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr chdir 2 ,
|
|
.Xr jail 2
|
|
.Sh HISTORY
|
|
The
|
|
.Fn chroot
|
|
system call appeared in
|
|
.At v7 .
|
|
It was marked as
|
|
.Dq legacy
|
|
in
|
|
.St -susv2 ,
|
|
and was removed in subsequent standards.
|
|
.Sh BUGS
|
|
If the process is able to change its working directory to the target
|
|
directory, but another access control check fails (such as a check for
|
|
open directories, or a MAC check), it is possible that this system
|
|
call may return an error, with the working directory of the process
|
|
left changed.
|
|
.Sh SECURITY CONSIDERATIONS
|
|
The system have many hardcoded paths to files where it may load after
|
|
the process starts.
|
|
It is generally recommended to drop privileges immediately after a
|
|
successful
|
|
.Nm
|
|
call,
|
|
and restrict write access to a limited subtree of the
|
|
.Nm
|
|
root,
|
|
for instance,
|
|
setup the sandbox so that the sandboxed user will have no write
|
|
access to any well-known system directories.
|
|
.Pp
|
|
For complete isolation from the rest of the system, use
|
|
.Xr jail 2
|
|
instead.
|