A chroot jail is a way to isolate a process and its children from the rest of the system. It should only be used for processes that don’t run as root, as root users can break out of the jail very easily.
The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the
chroot() system call to change the root directory to be at the base of this new tree and start the process running in that chroot’d environment. Since it can’t actually reference paths outside the modified root, it can’t perform operations (read/write etc.) maliciously on those locations.
On Linux, using a bind mounts is a great way to populate the chroot tree. Using that, you can pull in folders like
/usr/lib while not pulling in
/usr, for example. Just bind the directory trees you want to directories you create in the jail directory.
“chroot jail” is a misnomer that should really die out, but people keep using it.
chroot is a tool that lets you simulate a directory on your filesystem as the root of the filesystem. That means you can have a folder structure like:
-- foo -- bar -- baz -- bazz
chroot foo and do
ls /, you’ll see:
-- bar -- baz
As far as
ls (and any other tools you run) are concerned, those are the only directories on the filesystem. The reason “jail” is a misnomer is
chroot is not intended to force a program to stay in that simulated filesystem; a program that knows it’s in a chroot “jail” can fairly easily escape, so you shouldn’t use
chroot as a security measure to prevent a program from modifying files outside your simulated filesystem
Basically you are just changing the root directory of your environment. So
/some-jail/ (or whatever directory you want)
When an application accesses / they’ll get /some-jail/. Also the application can’t break out of /some-jail/ so you know it won’t access anything else on your machine. Its a very simple way of saying ‘hey you can only access these things that I am giving you, and you can’t access anything else on the system.