chroot(8)

Example:

Log into your OpenBSD system. Change directory to '/tmp'. Make a temporary test directory. Change directory to the new test directory. Now copy the contents of '/bin' to the directory. Here are the steps from the command line:

$ cd /tmp $ mkdir test $ cd test $ cp -pR bin .

With this setup we can test the chroot. Create a chroot(8) by typing:

$ chroot /tmp/test /bin/sh

It's very important any time you create a chroot(8) that the path to the command you pass in exists in the chroot environment itself. chroot(8) first creates the new root environment and then calls the command. That's why we didn't type `/tmp/test/bin/sh`. Note also that we're not running the sh(1) command from the original root environment. To test that, try running a command that would normally work, like `man sh`:

/bin/sh: man: not found

You get an error because man(1) is found in '/usr/bin'. Your chroot(8) environment doesn't have a '/usr/bin' directory. In fact, it has no directories other than '/bin':

total 12 drwxr-xr-x 3 1000 0 512 Nov 3 05:35 . drwxr-xr-x 3 1000 0 512 Nov 3 05:35 .. drwxr-xr-x 2 1000 0 1024 Dec 30 2008 bin

There are plenty of commands you can run, ls(1) for example, but that's because it's in the '/bin' directory:

-r-xr-xr-x 1 1000 0 82636 Dec 30 2008 /bin/ln -r-xr-xr-x 1 1000 0 180940 Dec 30 2008 /bin/ls

Look back at the `ls -l /var/www` command from before. There's no '/bin' directory. Suppose an attacker managed to exploit a hole in Apache. There's no shell command. There's no '/bin' directory. There's little more than logs and files. By running Apache in a chroot(8) the OpenBSD developers have ensured that this popular service is protected from exploitation should an attacker manage to get find a vulnerability.

Careful application of chroot(8) is one of the many reasons OpenBSD is described as "Secure by Default".