# Chroot: Intro

[Chroot](https://man.openbsd.org/chroot) refers to **ch**anging the **root**. When a process runs inside a chroot, you change what the process thinks is its root directory.

Normally, a process can access any file within the root filesystem it has permissions for. By changing what the process thinks is its root directory, however, the process is now stuck in a chroot "jail". 

This provides enhanced security: if a program gets compromised, it can only access and modify files within the new root.

## Chrooted OpenBSD daemons

- [openhttpd](/openhttpd/configure) (/var/www/)

- [nsd](/nsd/configure) (/var/nsd/)

- [unbound](/unbound/configure) (/var/unbound/)

## Chrooted third party daemons 

- [ngircd](/ngircd/install) (/var/ngircd/)

- [znc](/znc/chroot) (/home/znc/)

- [wraith](/wraith/chroot) (/home/wraith/)

- [pylink](/pylink/chroot) (/home/pylink/)

## Creating a Chroot

Suppose for a moment we want to chroot an imaginary program. We first call [whereis](https://man.openbsd.org/whereis) on the binary to find its absolute path:

    $ whereis program
    /usr/bin/program


Next, we call [ldd](https://man.openbsd.org/ldd) on the absolute path to find its dependencies:

    $ ldd /usr/bin/program
    /usr/bin/program
            Start            End              Type  Open Ref GrpRef Name
            0000022622dc8000 0000022622dcd000 exe   1    0   0      /usr/bin/program
            000002285bdc7000 000002285c133000 rlib  0    1   0      /usr/lib/libprogram.so.20.0
            00000228c7de6000 00000228c7e16000 rlib  0    2   0      /usr/lib/libm.so.10.1
            000002282f00d000 000002282f101000 rlib  0    2   0      /usr/lib/libc.so.96.0
            0000022914fb2000 0000022914fb2000 ld.so 0    1   0      /usr/libexec/ld.so


We must re-create the filesystem in our chroot, /home/program, and copy all necessary dependencies:

    $ doas mkdir -p /home/program/usr/bin/
    $ doas mkdir -p /home/program/usr/lib/
    $ doas mkdir -p /home/program/usr/libexec/
    $ doas cp /usr/bin/program /home/program/usr/bin/
    $ doas cp /usr/lib/libprogram.so.20.0 /home/program/usr/lib/
    $ doas cp /usr/lib/libm.so.10.1 /home/program/usr/lib/
    $ doas cp /usr/lib/libc.so.96.0 /home/program/usr/lib/
    $ doas cp /usr/libexec/ld.so /home/program/usr/libexec/


Then, to run the chroot:

    $ doas chroot -u daemon -g daemon /home/program program


Sometimes, these dependencies have their own dependencies, so you may need to run ldd and copy files multiple times. Some of these dependencies do not become apparent until you attempt to run the program.

## Drawbacks

- It requires you replicate each dependency inside the chroot every time you install or update the program

- It cannot limit the type of syscalls that the process can make

- It requires you call it as root, so normal users cannot run them

- Chrooted processes still have access to the network

Because of these limitations of a chroot, OpenBSD developed [pledge](https://man.openbsd.org/pledge) and [unveil](https://man.openbsd.org/unveil) to tighten the security of a process, however a simpler approach could be plan 9's private namespaces.