freebsd-skq/lib/libc/sys/chroot.2

161 lines
4.7 KiB
Groff
Raw Normal View History

1994-05-27 05:00:24 +00:00
.\" Copyright (c) 1983, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)chroot.2 8.1 (Berkeley) 6/4/93
1999-08-28 00:22:10 +00:00
.\" $FreeBSD$
1994-05-27 05:00:24 +00:00
.\"
.Dd January 3, 2012
1994-05-27 05:00:24 +00:00
.Dt CHROOT 2
.Os
1994-05-27 05:00:24 +00:00
.Sh NAME
.Nm chroot
.Nd change root directory
.Sh LIBRARY
.Lb libc
1994-05-27 05:00:24 +00:00
.Sh SYNOPSIS
.In unistd.h
1994-05-27 05:00:24 +00:00
.Ft int
.Fn chroot "const char *dirname"
.Sh DESCRIPTION
2002-12-19 09:40:28 +00:00
The
.Fa dirname
argument
1994-05-27 05:00:24 +00:00
is the address of the pathname of a directory, terminated by an ASCII NUL.
2002-07-15 20:59:12 +00:00
The
.Fn chroot
system call causes
1994-05-27 05:00:24 +00:00
.Fa dirname
to become the root directory,
that is, the starting point for path searches of pathnames
beginning with
.Ql / .
.Pp
In order for a directory to become the root directory
a process must have execute (search) access for that directory.
.Pp
It should be noted that
.Fn chroot
has no effect on the process's current directory.
.Pp
This call is restricted to the super-user.
.Pp
Depending on the setting of the
.Ql kern.chroot_allow_open_directories
sysctl variable, open filedescriptors which reference directories
2001-07-15 07:53:42 +00:00
will make the
.Fn chroot
fail as follows:
.Pp
2001-07-15 07:53:42 +00:00
If
.Ql kern.chroot_allow_open_directories
2001-07-15 07:53:42 +00:00
is set to zero,
.Fn chroot
will always fail with
.Er EPERM
if there are any directories open.
.Pp
2001-07-15 07:53:42 +00:00
If
.Ql kern.chroot_allow_open_directories
2001-07-15 07:53:42 +00:00
is set to one (the default),
.Fn chroot
will fail with
.Er EPERM
if there are any directories open and the
process is already subject to the
.Fn chroot
system call.
.Pp
Any other value for
.Ql kern.chroot_allow_open_directories
will bypass the check for open directories
.Pp
Upon successful completion, a value of 0 is returned.
Otherwise,
1994-05-27 05:00:24 +00:00
a value of -1 is returned and
.Va errno
is set to indicate an error.
.Sh ERRORS
2002-07-15 20:59:12 +00:00
The
.Fn chroot
system call
1994-05-27 05:00:24 +00:00
will fail and the root directory will be unchanged if:
.Bl -tag -width Er
1994-05-27 05:00:24 +00:00
.It Bq Er ENOTDIR
A component of the path name is not a directory.
.It Bq Er EPERM
The effective user ID is not the super-user, or one or more
filedescriptors are open directories.
1994-05-27 05:00:24 +00:00
.It Bq Er ENAMETOOLONG
A component of a pathname exceeded 255 characters,
or an entire path name exceeded 1023 characters.
.It Bq Er ENOENT
The named directory does not exist.
.It Bq Er EACCES
Search permission is denied for any component of the path name.
.It Bq Er ELOOP
Too many symbolic links were encountered in translating the pathname.
.It Bq Er EFAULT
2002-12-19 09:40:28 +00:00
The
.Fa dirname
2002-12-19 09:40:28 +00:00
argument
1994-05-27 05:00:24 +00:00
points outside the process's allocated address space.
.It Bq Er EIO
An I/O error occurred while reading from or writing to the file system.
.El
.Sh SEE ALSO
.Xr chdir 2 ,
.Xr jail 2
1994-05-27 05:00:24 +00:00
.Sh HISTORY
The
.Fn chroot
system call appeared in
1994-05-27 05:00:24 +00:00
.Bx 4.2 .
It was marked as
.Dq legacy
in
.St -susv2 ,
and was removed in subsequent standards.
.Sh BUGS
If the process is able to change its working directory to the target
directory, but another access control check fails (such as a check for
open directories, or a MAC check), it is possible that this system
call may return an error, with the working directory of the process
left changed.
.Sh SECURITY CONSIDERATIONS
The system have many hardcoded paths to files where it may load after
the process starts.
It is generally recommended to drop privileges immediately after a
successful
.Nm
call,
and restrict write access to a limited subtree of the
.Nm
root,
for instance,
setup the sandbox so that the sandboxed user will have no write
access to any well-known system directories.