About chroot

Chroot stands for "change root". It redefines the operational environment of a process by redefining what that process sees as its root directory ("/"). The root directory is the starting point of every absolute path on the file system tree; when you change the root for a process, a directory of your choosing becomes that starting point, and anything outside it can no longer be reached by any path, which precludes viewing or accessing system-wide files.

For example, consider the file sample.htm placed in the real root (/) directory, /sample.htm. At that location the file is global: every process on the system, whatever user it runs as, can address it by that path, and only the ordinary file permissions decide who may read it.

If the relevant site's processes are instead chrooted into the site's home directory (for example, /var/www/html/), then for those processes the path /sample.htm resolves to /var/www/html/sample.htm on the real file system. Files outside /var/www/html/ have no path at all from inside the new root, so only the site's own files can be viewed or used by them.

Because the process is locked into this one area of the file system and denied access to global files, it is, in non-technical terminology, said to be "jailed", and the directory it is confined to is called a chroot jail.
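The path rewriting described above, as an added shell example that is not part of this page: jail_path prints the host path that an absolute path resolves to for a process whose root has been changed to the given jail directory, including the rule that ".." can never climb above the new root. The function name and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# jail_path JAIL PATH
# Print the host path that PATH resolves to for a process whose root has been
# changed to JAIL.  Mirrors the kernel's name lookup rules: "/" and any ".."
# that would climb above the root both stay at the root, so no sequence of
# components can escape the jail.  (Symlinks are not modelled here; inside a
# real chroot an absolute symlink target is also interpreted relative to JAIL.)
jail_path() {
  jp_jail=${1%/}          # tolerate a trailing slash on the jail directory
  jp_resolved=""
  jp_old_ifs=$IFS
  IFS=/
  for jp_part in $2; do   # split PATH on "/"; empty fields come from a leading "/" or "//"
    case $jp_part in
      ''|'.') ;;                                 # nothing to do
      '..')   jp_resolved=${jp_resolved%/*} ;;   # drop last component; stays "" at the root
      *)      jp_resolved="$jp_resolved/$jp_part" ;;
    esac
  done
  IFS=$jp_old_ifs
  printf '%s\n' "$jp_jail$jp_resolved"
}

# Constructed examples: the page's sample.htm, then two attempts to climb out.
jail_path /var/www/html /sample.htm                      # /var/www/html/sample.htm
jail_path /var/www/html /../../etc/passwd                # /var/www/html/etc/passwd
jail_path /var/www/html/ /cgi-bin/../../../etc/shadow    # /var/www/html/etc/shadow
```

The same rule is what makes a jail useful against path traversal: a request for ../../etc/passwd from a chrooted web server lands on /var/www/html/etc/passwd, which does not exist unless you put it there.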

Why chroot?

Changing the root of an application confines it: a compromised or misbehaving application running inside the jail cannot read, modify or execute anything outside its new root, so an attacker who gains control of it is limited to the files and commands present in the jail. Note what chroot does not do: it does not hide the jail directory from other users on the system (ordinary file permissions still govern that), and it is not a privilege boundary on its own. A process that keeps root privileges inside a jail can break out of it, so a chrooted service should also run as an unprivileged user.

Changing the root enhances security but works against efficient use of resources, because nothing can be shared with the rest of the system: everything the application needs must be present inside the jail. For example, changing the root of CGI scripts mandates that you copy the interpreter, the shared libraries it is linked against and the configuration files it reads into the new root directory, and that you keep those copies up to date when the system versions are patched.
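Gathering those dependencies, as an added shell example that is not part of this page: build_jail copies each program and every shared library that ldd reports into the same absolute paths under the jail, and run_in_jail then enters the jail with GNU coreutils chroot and its --userspec option so that the command does not keep root inside. The function names, the jail location and the www-data user in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# build_jail JAIL PROGRAM...
# Populate JAIL with each PROGRAM and the shared libraries it is linked
# against.  Files are copied to the same absolute path under JAIL that they
# have on the host, because that is the path the dynamic loader will look up
# once the root has been changed.  Only run this on binaries you trust: ldd
# may execute the program it inspects.
build_jail() {
  bj_jail=$1; shift
  mkdir -p "$bj_jail/etc" "$bj_jail/tmp" "$bj_jail/dev"
  for bj_prog in "$@"; do
    bj_path=$(command -v "$bj_prog") || { echo "build_jail: $bj_prog not found" >&2; return 1; }
    mkdir -p "$bj_jail$(dirname "$bj_path")"
    cp "$bj_path" "$bj_jail$bj_path"
    # ldd prints "libname => /path (addr)" per library, and the loader itself
    # on a line of its own that starts with "/".  A statically linked program
    # prints no such lines, so nothing extra is copied for it.
    if command -v ldd >/dev/null 2>&1; then
      ldd "$bj_path" 2>/dev/null | awk '/=>/ { print $3 } /^[ \t]*\// { print $1 }' |
      while read -r bj_lib; do
        [ -f "$bj_lib" ] || continue          # skips "=> not found" entries
        mkdir -p "$bj_jail$(dirname "$bj_lib")"
        cp "$bj_lib" "$bj_jail$bj_lib"
      done
    fi
  done
}

# run_in_jail JAIL USER COMMAND...
# Change root into JAIL and run COMMAND there as USER (GNU coreutils chroot).
# chroot(2) needs CAP_SYS_CHROOT, so this must be started as root; --userspec
# drops to USER before COMMAND starts, so nothing inside the jail keeps root.
run_in_jail() {
  rj_jail=$1; rj_user=$2; shift 2
  chroot --userspec="$rj_user" "$rj_jail" "$@"
}

# Example (as root):
#   build_jail /var/www/jail sh ls && run_in_jail /var/www/jail www-data /bin/ls /
```

Libraries are only part of the picture. Configuration files the program reads (for example /etc/resolv.conf or /etc/hosts for anything that resolves names) and device nodes such as /dev/null and /dev/urandom have to be added to the jail the same way, with cp or mknod, and every copy has to be refreshed when the host packages are updated, which is the resource-sharing cost the paragraph above refers to.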
