Re: Non-root chroot

From: Ed Maste <emaste_at_freebsd.org>
Date: Fri, 01 Aug 2025 19:31:28 UTC

On Fri, 1 Aug 2025 at 08:19, Jason Bacon <bacon4000@gmail.com> wrote:
>
> I'm wondering if there is any way to perform a simple chroot without
> having root privileges.

There is a sysctl, security.bsd.unprivileged_chroot, that you can set
to allow unprivileged users to chroot(2).

The typical concern with unprivileged chroot is that a setuid/setgid
binary could then be used for privilege escalation. For this reason,
when invoked in an unprivileged context the chroot(2) system call
requires that the PROC_NO_NEW_PRIVS process control is set, so that
setuid/setgid flags will be ignored. chroot(8) has a -n command line
flag to set this process control:

$ chroot -n /some/path /bin/sh
$ id
uid=1001(emaste) gid=1001(emaste) groups=1001(emaste)
$ su
su: not running setuid
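
The sequence described in the message above, written out as an added example; it is not part of the original e-mail and is not the chroot(8) source. The helper name `chroot_no_new_privs` is hypothetical, the FreeBSD calls are guarded so the file still compiles on other systems (where the helper fails with ENOSYS), and the unprivileged case assumes security.bsd.unprivileged_chroot has been enabled.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>
#endif

/* Hypothetical helper (added example): set PROC_NO_NEW_PRIVS, confirm it,
 * then chroot into dir. Returns 0 on success, -1 with errno set on failure. */
int chroot_no_new_privs(const char *dir)
{
#ifdef __FreeBSD__
	int arg = PROC_NO_NEW_PRIVS_ENABLE;
	/* One-way switch: later execve(2) calls ignore setuid/setgid bits. */
	if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg) == -1)
		return -1;
	/* Read the flag back instead of assuming it took effect. */
	if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_STATUS, &arg) == -1)
		return -1;
	if (arg != PROC_NO_NEW_PRIVS_ENABLE) {
		errno = EPERM;
		return -1;
	}
	/* Enter the directory first so the working directory is the new root. */
	if (chdir(dir) == -1 || chroot(".") == -1)
		return -1;
	return 0;
#else
	(void)dir;
	errno = ENOSYS;	/* PROC_NO_NEW_PRIVS is a FreeBSD procctl(2) control */
	return -1;
#endif
}

int main(int argc, char *argv[])
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s newroot\n", argv[0]);
		return 2;
	}
	if (chroot_no_new_privs(argv[1]) == -1) {
		perror("chroot_no_new_privs");
		return 1;
	}
	execl("/bin/sh", "sh", (char *)NULL);	/* shell inside the new root */
	perror("execl");
	return 1;
}
```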