`chroot` Usage

1. Overview

chroot is a Linux command used to change the root directory (/) of a process and its child processes to a specified directory. In other words, it changes the program's root directory path, making the program unable to access higher-level file systems. It is commonly used for environment isolation, creating sandboxes, system recovery, and other scenarios.

2. How It Works

When using the chroot command, the specified path becomes the new root directory. When the process runs, file system access will be relative to the new root directory (chroot directory), and other parts of the system will not be visible.

chroot <new_root> [command]

<new_root>: Specifies the new root directory.
[command]: Optional command, indicating the command to be executed in the new root directory environment. If no command is specified, an interactive shell will be started by default.

3. Basic Usage

3.1. Enter `chroot` Environment

sudo chroot /path/to/new_root

This command will switch the root directory to /path/to/new_root and start an interactive shell.

3.2. Execute Commands in `chroot` Environment

sudo chroot /path/to/new_root /bin/bash

Execute /bin/bash in the /path/to/new_root directory and enter a new environment.

4. Creating a Basic `chroot` Environment

Create New Root Directory

sudo mkdir -p /path/to/new_root

Mount Necessary Virtual File Systems

Some system files, such as /proc, need to be mounted in the chroot environment.

sudo mount -t proc /proc /path/to/new_root/proc
sudo mount -t sysfs /sys /path/to/new_root/sys
sudo mount -o bind /dev /path/to/new_root/dev
sudo mount -o bind /dev/pts /path/to/new_root/dev/pts

Mounting directories such as /proc, /sys, /dev, and /dev/pts is to ensure that processes can correctly access and use these virtual file systems, which provide important system information and device interfaces. Without these mounts, some programs or commands may fail because they depend on files in these directories to obtain system status or interact with hardware.

/proc is a virtual file system that provides data about system processes, kernel information, and other runtime information. In a chroot environment, if /proc is not mounted, many programs and commands (such as ps, top, free, etc.) cannot work properly because they depend on information in /proc to obtain status about the current system and processes.

/sys is also a virtual file system that provides dynamic information about system hardware, kernel parameters, device status, etc. Many device drivers and system services depend on files in /sys for hardware management and system configuration. Without mounting /sys, some programs may not be able to obtain hardware information or interact with devices.

For example:

Number of CPU cores in the system

Network interface configuration

Battery status (on laptops)

The /dev directory contains all device files (such as hard drives, terminals, USB devices, etc.). These device files are interfaces for user-space programs to interact with hardware devices. For programs running in a chroot environment, access to device files is necessary.

For example:

/dev/sda: Hard drive device file

/dev/null: Device for discarding data

/dev/tty: Terminal device

Without mounting /dev, programs cannot access hardware devices or interact with terminals, network interfaces, etc.

The /dev/pts directory is used to manage pseudo-terminal devices (pty). It stores terminal-related device files, such as /dev/pts/0, etc. This is very important for supporting multi-user, multi-terminal systems, especially for environments running interactive shells and command-line programs.

For example, when you use ssh or tmux to log into the system, terminal devices are usually represented through /dev/pts. Without mounting /dev/pts, you will not be able to start or use interactive terminals (such as when executing bash or sh commands in a chroot environment).

Install Necessary Libraries and Commands

Ensure that the required libraries and programs are installed in the new root directory. You may need to copy or mount some files to make the chroot environment run normally.

sudo cp /bin/bash /path/to/new_root/bin/
sudo cp /lib/x86_64-linux-gnu/libtinfo.so.6 /path/to/new_root/lib/x86_64-linux-gnu/
sudo cp /lib/x86_64-linux-gnu/libc.so.6 /path/to/new_root/lib/x86_64-linux-gnu/

Enter chroot Environment

sudo chroot /path/to/new_root /bin/bash

At this point, you have entered a new chroot environment with the root directory as /path/to/new_root.

5. Use Cases

5.1. System Recovery

When the system cannot start or is damaged, you can use chroot to enter the system and fix problems. For example, enter the system's root file system through chroot to reinstall the bootloader or fix damaged files.

sudo mount /dev/sda1 /mnt
sudo mount --bind /dev /mnt/dev
sudo mount --bind /proc /mnt/proc
sudo mount --bind /sys /mnt/sys
sudo chroot /mnt

5.2. Isolated Environment (Sandbox)

chroot can be used to create a restricted environment, limiting a process to only access specific directories. It is commonly used as the foundation implementation of containerization technology, although modern containers use more powerful tools (such as Docker) to provide isolation.

5.3. Software Package Compilation

When building specific versions of programs or testing, you can create a clean environment to avoid the influence of existing packages in the system.

5.4. Running Specific Versions of Applications

If you need to run a specific version of a program, you can use chroot to isolate old versions of libraries and binaries.

6. Precautions

Permission Issues

chroot requires sufficient permissions, and usually only root users can perform this operation.

Security

chroot only provides a simple isolation method and cannot completely prevent process escape or access to sensitive information. Stronger security measures (such as using namespaces or containers) should be used for high-security requirement environments.

File System Dependencies

Some processes require specific system files (such as /dev, /proc, /sys, etc.). If these virtual file systems are not mounted, programs may crash or not work properly.

Cannot Escape

chroot itself cannot prevent processes from escaping from the chroot environment, so it is not recommended to rely solely on chroot for high-security requirement scenarios (such as sandboxes, containers).

7. Summary

chroot is a powerful tool for isolating processes in a specific directory tree. It is very useful in system recovery, isolated testing, build environments, and other aspects. However, it is not a perfect security isolation tool, and modern containerization technologies provide stronger isolation and security.

You can expand the content of the document according to your needs, such as adding more detailed security discussions, usage examples, etc.

1. Overview​

2. How It Works​

3. Basic Usage​

3.1. Enter chroot Environment​

3.2. Execute Commands in chroot Environment​

4. Creating a Basic chroot Environment​

5. Use Cases​

5.1. System Recovery​

5.2. Isolated Environment (Sandbox)​

5.3. Software Package Compilation​

5.4. Running Specific Versions of Applications​

6. Precautions​

7. Summary​