Re: can chroot be made safe for non-root?

From: David Wagner
Date: Wed Oct 16 2002 - 16:18:00 EST

Philippe Troin wrote:
>Eric Buddington <> writes:
>> Would it be reasonable to allow non-root processes to chroot(), if the
>> chroot syscall also changed the cwd for non-root processes?
> fd = open("/", O_RDONLY);
> chroot("/tmp");
> fchdir(fd);
>and you're out of the chroot.

Irrelevant. If a process *wants* to voluntarily sandbox itself, it can
close all open file descriptors before sandboxing.

Please note that
  fd = open("/", O_RDONLY);
does *not* let you escape from the sandbox. This means that a process
can sandbox itself, and once sandboxed, it can no longer escape.
This functionality would be very useful for security purposes (see, e.g.,
"privilege separation").

It is true that there are some tricky issues here. For instance, root
has many ways to escape from a chroot() jail, so you should never use
chroot() to confine processes running as root. Also, if non-root users
can call chroot(), then there may be bad interactions if the chroot-ed
process later calls chroot() again, or execs a setuid program.

However, I believe all of these tricky issues can be dealt with. See, e.g.,
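As an added illustration of the self-sandboxing sequence described above (this is my own example code, not from anyone in this thread), the order is: close every stray descriptor, then chroot(), then chdir("/"), so that neither an open directory handle nor the old cwd outlives the confinement. Function names are my own; chroot() itself still needs CAP_SYS_CHROOT on a stock kernel.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close every descriptor >= lowfd. A surviving handle to a directory
 * outside the jail is exactly what the fchdir() escape above relies on. */
int close_fds_from(int lowfd) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0) maxfd = 1024;          /* conservative fallback */
    for (long fd = lowfd; fd < maxfd; fd++)
        close((int)fd);                   /* EBADF on empty slots is harmless */
    return 0;
}

/* Confine the calling process to dir. Returns 0 on success, -1 (with
 * errno set) on failure. Descriptors are dropped before chroot() so a
 * failure after that point still leaves nothing pointing outside. */
int sandbox_self(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) {
        if (!S_ISDIR(st.st_mode)) errno = ENOTDIR;
        return -1;
    }
    close_fds_from(3);                    /* keep only stdin/stdout/stderr */
    if (chroot(dir) != 0)
        return -1;                        /* EPERM without CAP_SYS_CHROOT */
    if (chdir("/") != 0)
        return -1;                        /* cwd must move inside the jail */
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <jail-dir>\n", argv[0]);
        return 2;
    }
    if (sandbox_self(argv[1]) != 0) {
        perror("sandbox_self");
        return 1;
    }
    printf("confined to %s; cwd is now the jail root\n", argv[1]);
    return 0;
}
```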