How to figure out if a process has been chroot()’ed

A number of applications (e.g., custom chroot jails, OpenSSH, vsftpd, Apache) can chroot themselves at startup. To find out whether a running process called chroot(), look at the /proc/<pid>/root symlink for that process. For a non-chrooted process it points to /:

$ ps auxwww | grep [s]endmail

root      3643  0.0  0.1  69032  2344 ?        Ss    2011   0:01 sendmail: accepting connections
smmsp     3651  0.0  0.0  59784  1780 ?        Ss    2011   0:01 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue

$ cd /proc/3643

$ ls -lad root

lrwxrwxrwx 1 root root 0 Jan 22 10:23 root -> /

For a chrooted process the root symlink points to the directory that was passed to the chroot() system call:

$ ps auxwww | grep [n]amed

named    18298  0.0  2.3 243632 49084 ?        Ssl   2011  15:16 /usr/sbin/named -u named -t /var/named/chroot

$ cd /proc/18298

$ ls -lad root

lrwxrwxrwx 1 named named 0 Jan 22 10:19 root -> /var/named/chroot
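The manual check above scales poorly when you want to audit a whole host, so here is a small script that walks /proc and lists every process whose root is not /. This is an added example and not part of the original post; it assumes a Linux procfs and the GNU coreutils readlink and stat commands, and the function names (classify_root, root_of, list_chrooted, same_root) are my own.

```sh
#!/bin/sh
# Added example (not from the original post): audit a Linux host for
# chrooted processes by inspecting /proc/<pid>/root.
# Assumes GNU coreutils (readlink, stat) and a mounted /proc.

# classify_root LINK_TARGET -> prints "chrooted" or "not-chrooted"
# for the text a readlink of /proc/<pid>/root returned.
classify_root() {
    case "$1" in
        /) echo "not-chrooted" ;;
        *) echo "chrooted" ;;
    esac
}

# root_of PID -> prints the target of /proc/PID/root.
# Prints "unreadable" and returns 1 when the link cannot be read: the
# process has exited, or the kernel denied access (reading another user's
# /proc/<pid>/root requires owning the process or CAP_SYS_PTRACE).
root_of() {
    target=$(readlink "/proc/$1/root" 2>/dev/null) || { echo "unreadable"; return 1; }
    echo "$target"
}

# list_chrooted -> prints "pid<TAB>comm<TAB>root" for each process whose
# root directory is not "/". Unreadable entries are skipped silently.
list_chrooted() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        target=$(root_of "$pid") || continue
        if [ "$(classify_root "$target")" = "chrooted" ]; then
            comm=$(cat "$d/comm" 2>/dev/null)
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$target"
        fi
    done
}

# same_root PID_A PID_B -> succeeds when both processes share one root
# directory. Compares device:inode of the directories the links resolve to,
# so it does not depend on how the symlink text is rendered.
# Returns 2 when either link cannot be resolved.
same_root() {
    a=$(stat -L -c '%d:%i' "/proc/$1/root" 2>/dev/null) || return 2
    b=$(stat -L -c '%d:%i' "/proc/$2/root" 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# Usage: LIST_CHROOTED=1 sh ./chroot-audit.sh  (run as root to see every process)
if [ -n "${LIST_CHROOTED:-}" ]; then
    list_chrooted
fi
```

Two practical caveats. First, the kernel only lets you read /proc/<pid>/root for processes you own (or any process if you have CAP_SYS_PTRACE), so run the audit as root or the list will be incomplete. Second, the symlink text is rendered relative to the reader's own root, so run the check from outside any jail; where the rendered path is ambiguous, same_root compares a process against pid 1 by device and inode, which is the more robust test.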

Chroot environments can be made secure, especially if you follow the coding practices discussed in Building Secure Software and Using Chroot Securely. These are must-reads for anyone who plans to use chroot()!
