chroot is a command on UNIX-like systems which runs a process under a different root directory.
chroot is used often to:
- Restrict a user to a certain directory (used by ssh, for example)
- Enter a broken system so that it can be repaired (for example, to use tools like package managers which are designed to be run within a working system)
- To install a new system (Gentoo, for example, can install from a
chroot)
What chroot does is to change what a process considers the root directory, which changes where a process expects to find things - for example, when a process is chroot'd into /home/foo/my-chroot, it can reference the file in /home/foo/my-chroot/bin/sh by using /bin/sh.
This effectively "fools" a process so that it is capable of running under a system where the root directory is not the same as what the process expects.
Another consequence is that, in theory (but see below), a process cannot see any deeper than its chroot'd directory, because /.. resolves to /.
However, chroot is not and was never designed to be a security tool, and there are well known exploits that are used to exit them. Instead, on a *BSD one should use jails, and Linux users should consider either linuxjail, or a VServer.
