linux-user-chroot man page

linux-user-chroot — safely allow normal users to chroot


linux-user-chroot [--unshare-ipc] [--unshare-pid] [--unshare-net] [--seccomp-profile-version] [--mount-proc DIR] [--mount-readonly DIR] [--mount-bind SOURCE DEST] [--chdir DIR] ROOTDIR PROGRAM ARGS...


linux-user-chroot is a setuid program that allows non-root users to safely use some Linux kernel container features. It is primarily intended for use by build systems. The user needs to create a directory tree with the build dependencies needed, and only those, and then linux-user-chroot runs the actual build commands such that the commands only see the directory tree. This is useful for ensuring the build gets the right version of its build dependencies, for example.

linux-user-chroot works similary to chroot(8), but does not require the caller to have root privileges. It uses Linux containers to restrict the chroot to make this safe. The command run inside the chroot is run as the calling user, not as root.

linux-user-chroot executes a command, and sets the root directory for the command to the directory specified by the user (ROOTDIR). Additionally, it creates a "nosuid" bind mount over the root filesystem, to prevent the build from gaining privileges using setuid binaries. The command can further be restricted from accessing the network, and it can be set up with new process ID and SysV IPC namespaces.


Create a new SysV IPC namespace for the command.
Create a new process ID (PID) namespace for the command. This prevents the command from seeing any other processes in the system, except itself and the processes it itself creates.
Create a new, empty networking stack. This prevents the command from using any networking, including loopback.
--mount-proc DIR
Mount the proc filesystem at DIR.
--mount-devapi DIR
Mount just the API devices (null, full, urandom etc) at DIR.
--mount-readonly DIR
Make DIR be read-only for the command.
--mount-bind SOURCE DEST
Add a bind mount while the command is executing.
--chdir DIR
After setting the new root directory for the command, change the current working directory to be DIR.
--seccomp-profile-version VERSION

Seccomp is a tool to restrict the system calls applications can make. As linux-user-chroot is designed for build systems, we do not need to expose the entire kernel system call interface. Currently a number of

This argument is an integer, where -1 means "no seccomp", and "0" enables the first profile version. This is an opt-in system to any future versions.

Exit Status

The exit status is the exit status of the executed command, or 1 if linux-user-chroot failed to execute the command.


To build software in the real system, but without networking:

linux-user-chroot --unshare-net --chdir "$(pwd)"
make clean all check

See Also