Skip to Content [alt-c]


In reply to Comment by Reader Richard Yao

Anonymous on 2014-07-15 at 21:15:

You are mistaken. Linux does have chroot(2) and therefore "chroot jails". The "chroot jail" concept dates back at least to SVr4 and is older than namespaces and cgroups. In fact, chroot is probably the original Unix "container" mechanism. The problems with chroot are well-known, in particular that it only affects filesystem access and that root can easily escape from a chroot jail. Other problems come from the isolation provided by chroot--if /dev isn't bind-mounted inside the chroot jail or a duplicate /dev/urandom created inside the jail, a jailed process does not have access to it. Similarly, data in /proc is inaccessible unless /proc is mounted inside the jail. Most programs that use chroot for security intentionally lock themselves into a very limited environment, thus the use case for a getentropy syscall.


Post a Reply

Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with > are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim (good for code).
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.
  • Use the Preview button to check your formatting.