Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages
chroot_safe(1) FreeBSD General Commands Manual chroot_safe(1)

chroot_safe - Chroot dynamically linked applications in a sane and safe manner

chroot_safe user chroot_directory application [arguments...]

chroot_safe is a tool to chroot any application in a safe and sane manner without requring binaries, shared libraries etc within the chroot or any support from the application. Works with any dynamically linked application.

Normally when you chroot applications not having native support for chroot there is a number of obstacles to overcome

The binary must be within the chroot jail
All libraries used by the binary must be within the chroot jail
chroot does not drop root privileges
su nobody -c does not chroot

Shortcomings 3 & 4 can be addressed by writing a small tool replacing chroot, but you still have limitations 1 & 2.

chroot_safe addresses all four of these shortcomings by at runtime linking instrument the application to perform a full chroot and drop all root privileges just after dynamic linking has completed but before the application as such is started. This is done via a small LD_PRELOAD stub and a shell wrapper giving instructions on how to chroot.

Here is a silly example demonstrating the power of this application: chroot "ls -l" to /tmp in a safe manner without needing to prepare anything in /tmp
chroot_safe nobody /tmp ls -l

Note: This example does not work on FreeBSD or other platforms where ls is statically linked.

You can also find a howto chroot an anonymous CVS server online at the chroot_safe website

This application utilizes some shared library loading tricks to instrument the application with the required chroot hooks. Because of this it won't work on statically linked applications.

If there is any problem chrooting the application an error message is printed on stderr, and execution of the application is terminated.

Root privileges are required to chroot applications.

For details on the inner workings see the comments in the source.

Henrik Nordstrom <>

Send bug fixes or improvements to the author

chroot(8), su(1),
9 Apr 2005 1.4

Search for    or go to Top of page |  Section 1 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.