Version française
Home     About     Download     Resources     Contact us    

This site is updated infrequently. For up-to-date information, please visit the new OCaml website at

Browse thread
How does chroot work ?
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: 2010-12-18 (19:31)
From: Gerd Stolpmann <info@g...>
Subject: Re: [Caml-list] How does chroot work ?
Am Samstag, den 18.12.2010, 18:09 +0100 schrieb Gregory Bellier:
> Hi !
> For security reasons, I would like to chroot a child process but I
> can't do it unless this process is root.
> How does it work exactly ?

If everybody could chroot it would be possible to change passwords and
do other privileged operations in the new chroot (it depends on the OS
how dangerous this really is, but POSIX assumes it is dangerous).
Because of this it is restricted to root.

Furthermore, chroot is not designed for enhancing the security. A root
process can undo chroot (look it up in the web, it's tricky but
possible). If a normal user could chroot, everybody could also break

So, usually you would start a new process as root, establish the chroot
there, and setuid to a non-privileged user for doing the real work. If
you cannot start as root, you could alternatively also set the setuid
bit of the executable. However, running a process with setuid root adds
new security dangers, so it is questionable whether you can improve the
overall security by such means.

I'd advise not to use chroot unless you exactly understand what you are


> Thanks in advance.
> Gregory.
> _______________________________________________
> Caml-list mailing list. Subscription management:
> Archives:
> Beginner's list:
> Bug reports:

Gerd Stolpmann, Bad Nauheimer Str.3, 64289 Darmstadt,Germany
Phone: +49-6151-153855                  Fax: +49-6151-997714