A chroot jail is a technique of controlling what a process—a user, for example—can access on a file system by changing the root directory of that process’s environment. This new root directory is called a “jail” because the process and any child processes that it spawns will be unable to “break out” of that location and access other parts of the file system. For example, if you change a process’s root location to /home/ user/ then, when it references the root (/), the process will be confined to /home/user/ instead of the actual root of the file system. This is useful in separating privileged access on the file system so that a malicious or rogue process cannot cause damage outside of its jail.
The chroot command is used to actually change the root directory for an environment. For example, chroot /home/user /usr/bin/bash will create the new root directory using the Bash shell as the process inside the jail.
Syntax
The syntax of the chroot command is:
# chroot [options] {new root directory} [command]
chroot Command Examples
1. Run command as new root directory:
# chroot path/to/new/root command
2. Specify user and group (ID or name) to use:
# chroot --userspec=user:group
Changing the Root Directory
You can change the root directory in Linux with the chroot command. This effectively moves the root directory for the current process to point to some other location within the filesystem. Once you have done a chroot command, you lose access to anything that was higher in the file hierarchy than your current root directory, since there is no way to go any higher than root within the filesystem.
chroot doesn’t just change the directory, but also runs a command, falling back to running a shell if you don’t specify a different command.