Why chroot is a security feature for (anonymous) FTP
I recently ran across Is chroot a security feature? (via); following Betteridge's law of headlines, the article's answer is 'no', for good reasons that I will let you read in the article. However, I mildly disagree with the article on a philosophical level for the case of anonymous ftp and things like it. Chroot is a security feature for ftpd because ftpd does something special; anonymous ftp adds an additional security context to your system that wasn't there before.
Before you set up anonymous ftp, your system had the familiar Unix
security contexts of user, group, and 'all logins'. Anonymous ftp
adds the additional context of 'everyone on the network'. This
context is definitely not the same as 'everyone with a login on the
system' (it's much broader), and so there's good reasons to want
to distinguish between the two. This is especially the case if you
allow people to write things through anonymous ftp, since Unixes
traditionally have and rely on various generally writable directories
/var/tmp, but also things like queue submission
directories). You almost certainly don't want to open those up to
everyone on the network just because you opened them up to everyone
on the machine.
(The more your Unix machine is only used by a small group of people and the broader the scope of the network it's on, the more difference there is between these contexts. If you take a small research group's Unix machine and put it on the ARPANET, you have a relatively maximal case.)
Ftpd could implement this additional security context itself, as most web servers do. But as web servers demonstrate, this would be a bunch of code and configuration, and it wouldn't necessarily always work (over the years, various web servers and web environments have had various bugs here). Rolling your own access permission system is a complicated thing. Having the kernel do it for you in a simple and predictable way is much easier, and that way you get chroot.
(Now that I've followed this chain of thought, I don't think it's
a coincidence that the first use of
chroot() for security seems
to have been 4.2 BSD's ftpd.)