Home Linux Community Forums Linux System Administration Linux Security Need to call chroot under normal unprevileged user

Need to call chroot under normal unprevileged user

Link to this post 24 Mar 10

Its been last two days over after my search started . But I didn't find answer any where ?. I need to call chroot as part of normal user, but to my surprise it can only be called by SUper user with CAP_SYS_CHROOT capabilities. I am not sure how to add this capability to my user . Please help me in solving my situation.

Link to this post 24 Mar 10

You are correct that chroot can only be called by the root user, this is because of potential security risks relating to privileged escalation inside the chrooted container, please read

However depending on what exactly you are trying to accomplish it may be possible to restrict users inside a chrooted contained by using daemon application settings or it may even be better to refine the user rights and leave them inside the standard filesystem.

Please tell us what exactly you are trying to do and we can offer our recommendation for properly securing the user actions.

Link to this post 24 Mar 10


Thanks for your immediate reponse. My only requirement is I call chroot from a perl script . This perl script needs to run under normal user . I am using grsecurity to avoid double chroot and breaking of chroot issues. Currently the point where I stand is I must run the perl script under un previleged user, but it should do chroot. Seems little wierd right , but this is what my application requires now . Adding capablility CAP_SYS_CHROOT to the normal user I guess must solve my requirement. But I am not sure how to add this capablity to my user.

Hope you got my requirements.


Link to this post 25 Mar 10

I must work now, I will research this item more when I get home this evening. Hopefully someone else can chime in with an answer before I return.

Link to this post 25 Mar 10

Part of the problem, besides the need to run chroot as root user is the fact that the directory that is the new root directory must contain all the commands, files, libraries that will be needed during the time chroot is in process. Please provide some rationale why you think you need to do a chroot in your perl script. What exactly are you trying to accomplish?

Link to this post 25 Mar 10


My requirement is simple, Apache receives request and calls my perl handler. The handler script needs to identify which script it needs to run and based on this it needs to go to the particular chroot jail and run the script securely, btw it prints the output to response. We have this new roots already created with necessary libraries and binaries. Hope you got my req .

Jai :(

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Linux Training / Board

/** BC-056 Ameex changes to add tracking code - 2016-01-22 **/ ?>