GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
* Sign Up! *

Support
Customer Portal
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
CHROOT(2) FreeBSD System Calls Manual CHROOT(2)

chroot, fchrootchange root directory

Standard C Library (libc, -lc)

#include <unistd.h>

int
chroot(const char *dirname);

int
fchroot(int fd);

The dirname argument is the address of the pathname of a directory, terminated by an ASCII NUL. The () system call causes dirname to become the root directory, that is, the starting point for path searches of pathnames beginning with ‘/’.

In order for a directory to become the root directory a process must have execute (search) access for that directory.

It should be noted that () has no effect on the process's current directory.

This call is restricted to the super-user, unless the ‘security.bsd.unprivileged_chroot’ sysctl variable is set to 1 and the process has enabled the PROC_NO_NEW_PRIVS_CTL procctl(2).

Depending on the setting of the ‘kern.chroot_allow_open_directories’ sysctl variable, open file descriptors which reference directories will make the () fail as follows:

If ‘kern.chroot_allow_open_directories’ is set to zero, () will always fail with EPERM if there are any directories open.

If ‘kern.chroot_allow_open_directories’ is set to one (the default), () will fail with EPERM if there are any directories open and the process is already subject to the chroot() system call.

Any other value for ‘kern.chroot_allow_open_directories’ will bypass the check for open directories, mimicking the historic insecure behavior of () still present on other systems.

The () system call is identical to chroot() except it takes a file descriptor instead of path.

Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.

The chroot() and fchroot() system calls will fail and the root directory will be unchanged if:

[]
The effective user ID is not the super-user and the ‘security.bsd.unprivileged_chroot’ sysctl is 0.
[]
The effective user ID is not the super-user and the process has not enabled the PROC_NO_NEW_PRIVS_CTL procctl(2).
[]
One or more file descriptors are open directories and the ‘kern.chroot_allow_open_directories’ sysctl is not set to permit this.
[]
An I/O error occurred while reading from or writing to the file system.
[]
Corrupted data was detected while reading from the file system.

The chroot() system call will fail and the root directory will be unchanged if:

[]
A component of the path name is not a directory.
[]
A component of a pathname exceeded 255 characters, or an entire path name exceeded 1023 characters.
[]
The named directory does not exist.
[]
Search permission is denied for any component of the path name.
[]
Too many symbolic links were encountered in translating the pathname.
[]
The dirname argument points outside the process's allocated address space.

The fchroot() system call will fail and the root directory will be unchanged if:

[]
Search permission is denied for the directory referenced by the file descriptor.
[]
The argument fd is not a valid file descriptor.
[]
The file descriptor does not reference a directory.

chdir(2), jail(2)

The chroot() system call appeared in Version 7 AT&T UNIX. It was marked as “legacy” in Version 2 of the Single UNIX Specification (“SUSv2”), and was removed in subsequent standards. The fchroot() system call first appeared in FreeBSD 15.0.

If the process is able to change its working directory to the target directory, but another access control check fails (such as a check for open directories, or a MAC check), it is possible that this system call may return an error, with the working directory of the process left changed.

The system has many hardcoded paths to files which it may load after the process starts. It is generally recommended to drop privileges immediately after a successful chroot call, and restrict write access to a limited subtree of the chroot root. For instance, setup the sandbox so that the sandboxed user will have no write access to any well-known system directories.

For complete isolation from the rest of the system, use jail(2) instead.

April 27, 2026 FreeBSD 15.1-RELEASE
Search for    or go to Top of page |  Section 2 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.