chroot - Unix, Linux Command


Previous Page
Next Page  


chroot - chroot is an operation that changes the apparent root directory for the current running process and their children.


chroot [options] 


chrootchroot runs a command or an interactive shell from another directory, and treats that directory as root. This process is called changing root and the new root directory is referred to as chroot jail.Changing root is commonly done for performing system maintenance on systems where booting and/or logging in is no longer possible. If no command is specified, chroot executes the command '${SHELL} -i'. By default, this is '/bin/sh -i'. This will drop you into a sh shell as root in the NEWROOT directory.


Tag Description
--userspec=USER:GROUP specify user and group (ID or name) to use.
--groups=G_LIST specify supplementary groups as g1,g2,..,gN.
--version output version information, and exit.
--help display a help message, and exit.



$ sudo chroot /home/master/box /bin/bash
# chroot /home/master/box /bin/bash (with root privillages)

The /bin/bash path. This is already chroot system path, not our original system path. This command will invoke bash from /home/master/bin/bash, not from our Ubuntu /bin/bash. Don't remove the first slash (/) of /bin/bash or your chroot will fail. Do this command on root of our chroot directory structure (/home/master/box). And use sudo or it will fail too. Notice that your bash prompt will change into bash-x.y# (with x.y is its version number).

Now execute some commands. You will notice any command outside chroot bash will fail (error: command not found). Only bash and its built-in command can be invoked. This means our chroot jail is success. The chroot bash can't see any directory outside our /home/master/box. We've succeed to isolate bash inside a chroot jail.


Build a mini-jail for testing purpose with bash and ls command only. First, set jail location using mkdir command:

 First, set jail location using mkdir command:
      $ J=$HOME/jail

Create directories inside $J:
      $ mkdir -p $J
      $ mkdir -p $J/{bin,lib64,lib}
      $ cd $J

Copy /bin/bash and /bin/ls into $J/bin/ location using cp command:
      $ cp -v /bin/{bash,ls} $J/bin

Copy required libs in $J. Use ldd command to print shared library dependencies for bash:
      $ ldd /bin/bash

Sample outputs: =>  (0x00007fff8d987000) => /lib64/ (0x00000032f7a00000) => /lib64/ (0x00000032f6e00000) => /lib64/ (0x00000032f7200000)
	/lib64/ (0x00000032f6a00000)
Copy libs in $J correctly from the above output:
      $ cp -v /lib64/ /lib64/ /lib64/ /lib64/ $J/lib64/

Sample outputs:

`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
Copy required libs in $J for ls command. Use ldd command to print shared library dependencies for ls command:
      $ ldd /bin/ls

Sample outputs: =>  (0x00007fff68dff000) => /lib64/ (0x00000032f8a00000) => /lib64/ (0x00000032f7a00000) => /lib64/ (0x00000032fda00000) => /lib64/ (0x00000032fbe00000) => /lib64/ (0x00000032f7200000) => /lib64/ (0x00000032f6e00000)
	/lib64/ (0x00000032f6a00000) => /lib64/ (0x00000032f7600000) => /lib64/ (0x00000032f9600000)
You can copy libs one-by-one or try bash shell for loop as follows:

      list="$(ldd /bin/ls | egrep -o '/lib.*\.[0-9]')"
      for i in $list; do cp  -v "$i" "${J}${i}"; done
Sample outputs:

`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'
`/lib64/' -> `/home/vivek/jail/lib64/'

Finally, chroot into your new jail: $ sudo chroot $J /bin/bash

Previous Page
Next Page