Use of effective root directories

A program can be confined to a particular directory tree by setting the program's effective root directory to the base directory of the tree (with the chroot system call) and then setting the program's working directory inside this same tree, so that no open directory or working directory outside the tree remains. In effect, this is a least-privilege mechanism because it limits the files that even a privileged process can access to those within the tree. This is particularly effective when a trusted parent process confines a child process in this way, enters the tree, and then drops privileges before running the child's code: a process that keeps root privileges inside the tree can still leave it, because root may call chroot again.

While changing the root directory protects files outside the new root tree, it can also create a means of compromising the new root tree itself if this is not done cautiously. This occurs when the runtime linker and shared objects in the new root tree can be forged, for example because the tree or its library directories are writable by the confined user; a privileged program executed inside the tree then loads the forged objects. The new root tree and the directories holding its runtime linker and shared objects should therefore be owned by root and not writable by anyone else. This procedure should be used carefully and sparingly.
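The following program is an added example of the procedure described above; it is not code from the original page. It refuses to confine a child unless the new root tree and the directories that hold the runtime linker and shared objects are owned by root and not writable by others, then enters the tree, drops privileges, and executes the child. The tree layout (a lib, lib64 and usr/lib under the new root), the unprivileged uid/gid and the program to run are assumptions for illustration.

```c
/*
 * Added example (not from the original page): confine a child process to a
 * directory tree with chroot(2), refusing to do so when the tree itself
 * could be tampered with.  Paths, uid/gid and the child program are
 * assumptions for illustration.
 *
 * Build:          cc -Wall -o confine confine.c
 * Run (as root):  ./confine /srv/jail 65534 65534 /bin/sh
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* A directory is acceptable as part of the new root only if root owns it and
 * nobody but the owner can write to it.  Otherwise the confined user (or any
 * other local user) could replace the runtime linker or a shared object under
 * the new root, and a privileged program executed there would load it. */
int mode_is_trusted(uid_t owner, mode_t mode)
{
    if (owner != 0)
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Check the new root and the library directories that hold the runtime linker
 * and shared objects (assumed layout); each one must pass mode_is_trusted(). */
int tree_is_trusted(const char *root)
{
    static const char *const must_check[] = { "", "/lib", "/lib64", "/usr/lib", NULL };
    char path[4096];
    struct stat st;

    for (int i = 0; must_check[i] != NULL; i++) {
        snprintf(path, sizeof path, "%s%s", root, must_check[i]);
        if (stat(path, &st) != 0) {
            if (errno == ENOENT && must_check[i][0] != '\0')
                continue;            /* an absent library directory is fine */
            return 0;                /* the root itself must exist */
        }
        if (!S_ISDIR(st.st_mode))
            return 0;
        if (!mode_is_trusted(st.st_uid, st.st_mode))
            return 0;
    }
    return 1;
}

/* Enter the tree, drop privileges, and exec the child.  Order matters: chdir
 * into the tree, chroot, then chdir("/") so the working directory is inside
 * the new root; only then give up root, because chroot(2) itself requires it. */
int confine_and_exec(const char *root, uid_t uid, gid_t gid, char *const argv[])
{
    if (!tree_is_trusted(root)) {
        fprintf(stderr, "refusing: %s is not a trusted tree\n", root);
        return -1;
    }
    if (chdir(root) != 0 || chroot(root) != 0 || chdir("/") != 0)
        return -1;
    /* Supplementary groups first, then gid, then uid: the reverse order would
     * leave a process that can no longer change its groups. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop is irreversible before running untrusted code. */
    if (setuid(0) == 0)
        return -1;
    execv(argv[0], argv);
    return -1;                       /* only reached when execv fails */
}

int main(int argc, char *argv[])
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s NEWROOT UID GID PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (confine_and_exec(argv[1], uid, gid, &argv[4]) != 0) {
        perror("confine");
        return 1;
    }
    return 0;
}
```

The ownership and mode check is the part that addresses the forged-linker problem: if any of the checked directories is writable by the confined user, the program refuses to chroot at all rather than confining a privileged process into a tree that user controls. The final setuid(0) probe catches a privilege drop that silently failed to discard the saved uid.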