How to Use Chroot in Linux and Fix Your Broken System

Be a chroot master!

Chroot Linux

Chroot is a Linux/Unix utility that can change or modify the root filesystem. With the help of the chroot command, you can easily create an isolated filesystem inside your primary filesystem. Chroot is especially helpful to make your work and home environment separated or if you want a test environment to test software in isolation.

Difference Between Chroot and Virtual Machine

At first glance, you can think of chroot as similar to a virtual machine or a containerized system like docker. It is kind of similar, but chroot is a much lighter solution than a virtual machine. The virtual machine needs a hypervisor to install and work on a separate kernel, which is different from the host machine. Unlike a virtual machine, chroot shares the same kernel and processes but creates a jail in the filesystem. Inside the jail, it is not possible to look outside without root permission. Therefore, the isolated filesystem is also called chroot jail.

Different Use Cases of Chroot

  1. Isolated build environment in CI/CD pipeline: Chroot is used to create an isolated build environment for applications in CI/CD pipeline. This helps to build your application with unique dependencies and is completely isolated from all other build environments to remove potential conflicts.
  2. Separate development and testing environment: Often, software that works on the developer machine doesn’t work on the end-user device. This is because the developer has a lot of tools and dependencies installed in his system. Normal people don’t have all those dependencies installed on their machines. To test the software, if it will run on all devices, the developer or tester can easily make a plain vanilla environment using chroot to test their software.
  3. Reduce risk for the developer: As a developer, we often make some programs that interact with our system files without any proper sandboxing. Therefore, if we make a mistake, our software can easily wipe our important data from our device. To reduce such type of risk, the developer often uses chroot to create a new working environment to reduce their risk of losing data.
  4. A different version of the same software: Sometimes you need to install some very old or very recent version of a software or dependency for development purposes. But using such a conflicting dependency can mess up your system. This situation can be easily overcome by using chroot jail.
  5. Fix a broken system: If you have a broken system, you can easily repair it with the help of chroot. Just boot a live Linux environment in the device and mount the filesystem. Using this mount point, you can run different commands to fix your issue. This is discussed further later in this tutorial.
  6. Safely running an FTP server: FTP stands for file transfer protocol. Running an FTP server gives you the control to share only those files that you wanted. Therefore, no remote peer can see your host file system and access them.

Creating a Chroot Environment

This is a quick guide on creating a chroot environment in your system. You can get in-depth information on the arch wiki.

  1. To make a chroot environment, create a new directory inside your home folder. Inside this folder, our isolated filesystem will be present in the future. In this tutorial, I named the folder “mte.”
mkdir ~/mte
  1. We are creating a very minimal Linux environment. We install bash as a shell inside the chroot environment and install ls, rm, and touch to list, remove and create files respectively. Let’s create required directories inside our “mte” directory.
cd ~/mte
mkdir bin
mkdir lib
mkdir lib64
  1. Copy the required binaries from the regular “/bin” directory to the “~/mte” chroot environment.
cp /bin/bash ~/mte/bin
cp /bin/touch ~/mte/bin
cp /bin/ls ~/mte/bin
cp /bin/rm ~/mte/bin
  1. Copying the binaries is not enough. We also have to copy their dependencies to the “mte” folder. To know the required dependencies, we use the ldd command. If you want to know the dependency of bash, then run:
ldd /bin/bash

We get the following output from the above command.

Chroot Ldd, self captured
  1. Listing those dependencies and copying them one by one will be painstakingly slow and boring. Therefore, to automate this process, we are using a bash script. Create a file named “copydependancy.sh” and write these shell commands inside it.
#Setting the chroot directory
mte="~/mte"
 
# enter your binary name
echo -e "Please enter your binary name \n"
 
#Reading from terminal input
read binaryname
 
# Listing all the dependencies
list="$(ldd /bin/$binaryname | egrep -o '/lib.*\.[0-9]')"
 
# Looping through the dependency list
for i in $list; do cp -v --parents "$i" "${mte}"; done

Let’s examine what this script does. At first, this shell script asks for the binary name, then it takes this binary name and finds all the dependency of that binary and saves it inside a list variable. It next runs a for-loop which runs on every item of the list and copies the dependency from our normal “/bin” file to our “mte” chroot directory.

Save this script somewhere else and refer to it when you create a new chroot environment.

Next, change the permission of the script and run it inside the terminal.

chmod +x copydependancy.sh
  1. As all the dependencies are installed in our system, let’s activate our chroot environment. The standard chroot command looks like this:
chroot [-OPTION] [PATH FOR NEW ROOT] [PATH FOR SERVER]

But to fulfill our purpose, we run the following command to activate our chroot environment.

sudo chroot ~/mte /bin/bash

The above command activates a chroot environment in the “~/mte” directory and specifies to run a bash shell. You can see a change in your terminal prompt and can now use the touch, rm, and ls commands to create, remove and list files respectively.

To exit the chroot environment, run the exit command.

If you want to remove the chroot environment completely, delete the “mte” directory from your filesystem.

rm -rf ~/mte

Fix a Broken Bootloader Using Chroot

The most fascinating thing about chroot is that you can enter a broken system and run a command inside it. Therefore, using chroot, you can easily install a critical update to fix a system or reinstall the entire bootloader to fix the issue.

Chroot Wikimedia
Image source: Wikimedia foundation

But for that, you should have a live Linux environment. Make a bootable USB by downloading a Linux ISO and booting from the USB. It gives you a live environment to work with. Mount your system partition to work with chroot.

sudo mount -t ext4 /dev/sda /mnt

Change the “/dev/sda” with your intended system partition name that you want to work with and let the grub bootloader find the information that it needs to fix the bootloader issue.

sudo mount --bind /dev /mnt/dev &&
sudo mount --bind /dev/pts /mnt/dev/pts &&
sudo mount --bind /proc /mnt/proc &&
sudo mount --bind /sys /mnt/sys

Let’s chroot into the “/mnt” directory and enter the broken system.

sudo chroot /mnt

Install, check, and update the grub bootloader in your system. Make sure to use the proper drive name, and don’t copy-paste these commands blindly.

grub-install /dev/sda
grub-install --recheck /dev/sda
update-grub

Exit the shell using the exit command mentioned earlier. Unbind the previously bound directories and unmount the filesystem. Run those commands one after another consecutively.

sudo umount /mnt/sys &&
sudo umount /mnt/proc &&
sudo umount /mnt/dev/pts &&
sudo umount /mnt/dev &&
sudo umount /mnt

Reboot your PC and unplug the live USB. When the computer boots up, your grub bootloader will shine as new, and everything should work perfectly fine.

Frequently Asked Questions

Is Chroot Secure?

Chroot doesn’t imply security. It was never intended to become one. For security, you can use SELinux. If you put someone inside a chroot directory, they don’t have access to the root filesystem, but it doesn’t mean that it makes your system unbreakable. Chroot doesn’t also mean less security – it just represents an equal amount of security as your main system. Nothing more and nothing less.

What are the limitations of Chroot systems?

A Chroot system is not meant to protect against intentional tampering by the root user. In some systems, chrooted programs can get sufficient privilege to create their own chroot environment and break out from the chroot jail. Chroot doesn’t mean complete isolation. You can usually do whatever you want to do in userspace. You can access hardware devices and mount and read anything, provided you don’t have to install any other program, then you will need the root privilege that you don’t have.

Why is Chroot called jail?

Chroot is called jail, as it seems like you’re inside an isolated environment. You can do whatever you want inside this jail but can’t leave without the permission of the root user. Also, you have a limited supply of utility provisioned by the root user and can’t install anything yourself. For all of those restrictions, it is called chroot jail.

Hrishikesh Pathak
Hrishikesh Pathak

Developer and writer. Write about linux and web.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox