How to break out of a chroot jail

Summary: Great stuff from the hacker underground.

Andrew's guess as to how chroot works: chroot could work either at the file name level or at the inode level. My guess is the latter. This involves two changes:
1) the root inode ("/") becomes the chrooted directory;
2) any attempt to chdir("..") at the new root is disallowed.
Note that this is complete speculation with no grounding in fact.

The exploit: the basic problem is that file descriptors are a capability. So, a malicious program can escape chroot by:
1) opening "/";
2) invoking chroot to a new subdirectory (chroot "/foo");
3) changing the current directory back to the original root directory (using the descriptor obtained in step 1);
4) repeatedly invoking chdir("..").

Possible fixes:
1) change the ".." entry for chrooted directories;
2) disallow chroot for untrusted apps;
3) handle the problem at the naming level, by always prepending the root directory's name during the open system call.
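The following C program is an added example, not part of the note above, showing the two defensive measures a practitioner would actually apply. jail_resolve() is a user-space version of fix 3: it prepends the jail root to every path it is handed and treats ".." at the root as a no-op, so a file server confining its clients this way never opens anything above the root. enter_jail() is the launcher-side sequence behind fix 2: chroot(), then chdir("/") so the process holds no reference to a directory outside the new root, then drop root so a later chroot(2) call (which on Linux needs CAP_SYS_CHROOT) fails with EPERM and step 2 of the escape cannot happen. The function names, the /var/jail path and the sample inputs in main() are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Fix 3 in user space: resolve an untrusted path against a jail root so
 * that ".." can never climb above it.  Writes the resolved absolute path
 * to out and returns 0, or returns -1 with errno set. */
int jail_resolve(const char *root, const char *path, char *out, size_t outlen)
{
    char buf[4096];
    char *segs[256];
    int n = 0;

    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);

    /* Walk the path component by component; "." is dropped and ".." pops
     * one component, but never below the root (n never goes negative). */
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (tok[0] == '\0' || strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (n > 0) n--;
            continue;
        }
        if (n == (int)(sizeof segs / sizeof segs[0])) { errno = ENAMETOOLONG; return -1; }
        segs[n++] = tok;
    }

    /* Always prepend the jail root, then append the surviving components. */
    size_t used = strlen(root);
    if (used >= outlen) { errno = ENAMETOOLONG; return -1; }
    strcpy(out, root);
    if (used > 1 && out[used - 1] == '/') out[--used] = '\0';   /* drop trailing slash */
    for (int i = 0; i < n; i++) {
        size_t len = strlen(segs[i]);
        if (used + 1 + len >= outlen) { errno = ENAMETOOLONG; return -1; }
        out[used++] = '/';
        memcpy(out + used, segs[i], len + 1);
        used += len;
    }
    return 0;
}

/* Fix 2 at the launcher: enter the jail and give up the privilege that
 * chroot(2) requires, so a confined program cannot repeat the chroot step
 * of the escape.  Must be called as root; returns 0 on success, -1 on error. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) != 0) return -1;
    if (chdir("/") != 0) return -1;          /* cwd must lie inside the new root */
    if (setgroups(0, NULL) != 0) return -1;  /* shed supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }  /* privilege must be gone */
    return 0;
}

int main(void)
{
    /* Constructed inputs: each is a path a client might hand to a confined
     * file server; the resolver pins all of them under /var/jail. */
    const char *inputs[] = { "../../etc/passwd", "a/b/../c", "/", ".." };
    char out[256];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (jail_resolve("/var/jail", inputs[i], out, sizeof out) == 0)
            printf("%-18s -> %s\n", inputs[i], out);
        else
            perror("jail_resolve");
    }
    return 0;
}
```

The two functions address different layers: jail_resolve() is what a program that serves files on behalf of others does when it cannot rely on the kernel's chroot at all, while enter_jail() is what a root launcher does before handing control to untrusted code. Neither is a substitute for the other; a process that keeps root inside the jail keeps the ability to chroot again, and that is exactly the capability the escape above relies on.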