1.\" Copyright (c) 1988, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd July 20, 2021 29.Dt CHROOT 8 30.Os 31.Sh NAME 32.Nm chroot 33.Nd change root directory 34.Sh SYNOPSIS 35.Nm 36.Op Fl G Ar group Ns Op Cm \&, Ns Ar group ... 37.Op Fl g Ar group 38.Op Fl u Ar user 39.Op Fl n 40.Ar newroot 41.Op Ar command Op Ar arg ... 42.Sh DESCRIPTION 43The 44.Nm 45utility changes its current and root directories to the supplied directory 46.Ar newroot 47and then exec's 48.Ar command 49with provided arguments, if supplied, 50or an interactive copy of the user's login shell. 51.Pp 52The options are as follows: 53.Bl -tag -width "-G group[,group ...]" 54.It Fl G Ar group Ns Op Cm \&, Ns Ar group ... 55Run the command with the permissions of the specified groups. 56.It Fl g Ar group 57Run the command with the permissions of the specified 58.Ar group . 59.It Fl u Ar user 60Run the command as the 61.Ar user . 62.It Fl n 63Use the 64.Dv PROC_NO_NEW_PRIVS_CTL 65.Xr procctl 2 66command before chrooting, effectively disabling SUID/SGID bits 67for the calling process and its descendants. 68If 69.Dv security.bsd.unprivileged_chroot 70sysctl is set to 1, it will make it possible to chroot without 71superuser privileges. 72.El 73.Sh ENVIRONMENT 74The following environment variable is referenced by 75.Nm : 76.Bl -tag -width "SHELL" 77.It Ev SHELL 78If set, 79the string specified by 80.Ev SHELL 81is interpreted as the name of 82the shell to exec. 83If the variable 84.Ev SHELL 85is not set, 86.Pa /bin/sh 87is used. 88.El 89.Sh EXAMPLES 90.Bl -tag -width 0n 91.It Sy Example 1\&: No Chrooting into a New Root Directory 92.Pp 93The following command opens the 94.Xr csh 1 95shell after chrooting to the standard root directory. 96.Bd -literal -offset 2n 97.Li # Ic chroot / /bin/csh 98.Ed 99.It Sy Example 2\&: No Execution of a Command with a Changed Root Directory 100.Pp 101The following command changes a root directory with 102.Nm 103and then runs 104.Xr ls 1 105to list the contents of 106.Pa /sbin . 107.Bd -literal -offset 2n 108.Li # Ic chroot /tmp/testroot ls /sbin 109.Ed 110.El 111.Sh SEE ALSO 112.Xr chdir 2 , 113.Xr chroot 2 , 114.Xr setgid 2 , 115.Xr setgroups 2 , 116.Xr setuid 2 , 117.Xr getgrnam 3 , 118.Xr environ 7 , 119.Xr jail 8 120.Sh HISTORY 121The 122.Nm 123utility first appeared in 124.At III 125and 126.Bx 4.3 Reno . 127