== When _chroot()_ started to confine processes inside the new root

Writing about [[the somewhat surprising history of _chroot()_ ChrootHistory]] did leave me with one question: when did _chroot()_ start to confine processes inside the new root directory hierarchy? This is an interesting moment because it marks the point where _chroot()_ stops being a little hack to help emulation and instead turns into a security feature. (The first use of _chroot()_ as a security feature seems to be in the 4.2BSD _ftpd_, as covered [[in the first entry ChrootHistory]]. I can't be completely sure of this because I can't find an easily searchable version of the [[tuhs.org http://www.tuhs.org/]] 4.1c BSD tree.)

Early versions of _chroot()_ appear to be trivially escapable by things like '_cd /; cd .._', which puts you in the parent of the nominal root directory. The reason is simple: '_cd /_' takes you to the chroot root, and the '_.._' entry of that directory is just the ordinary on-disk link to its real parent, which the old _namei()_ follows without a second thought. A version of the _chroot()_ system call that does not allow this appears in 4.1c BSD; you can see the code in [[_namei()_ http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/a/sys/sys/ufs_nami.c]]. Unlike [[the 4BSD version of the same code http://minnie.tuhs.org/cgi-bin/utree.pl?file=4BSD/usr/src/sys/sys/nami.c]], this code specifically checks whether you are looking up '_.._' while in the chroot root directory, and if you are it gives you back the root directory itself instead of its on-disk parent.

I don't know for sure why this change appeared in 4.1c BSD, but it's possible to speculate. The 4BSD _namei()_ is essentially the same as the V7 _namei()_, but the 4.1c BSD _namei()_ is significantly changed in several ways (for example, it has a lot more comments). 4.1c BSD is the first appearance of two significant changes related to _namei()_; it's when BSD introduced both a _rename()_ system call and the BSD {{AB:FFS:Fast File System, aka UFS}}. It also seems to have seen a significant reorganization of the kernel source code away from its previous V7-like appearance.
So I suspect that when the BSD people were changing _namei()_ around anyway because of other changes, they noticed and fixed the chroot escape. With the chroot escape fixed, _chroot()_ was then used as a security feature in the 4.2BSD _ftpd_.

([[The history portion of the Wikipedia page on _chroot_ https://en.wikipedia.org/wiki/Chroot#History]] is no help, because it's clearly wrong unless you creatively reinterpret what it's saying. _chroot()_ was not 'added' to BSD at any point, because BSD inherited it from V7 from the start. This bit of history appears to come from [[the references section http://docs.freebsd.org/44doc/papers/jail/jail-9.html]] of FreeBSD's [[Jails: Confining the omnipotent root http://docs.freebsd.org/44doc/papers/jail/jail.html]] ([[via http://docs.freebsd.org/44doc/]]) from 2000, and may refer either to the addition of a _chroot(2)_ manpage or to the _namei()_ changes.)

=== Sidebar: The peculiar history of _chroot()_ documentation

In V7, [[as I discovered ChrootHistory]], _chroot()_ is documented in the _chdir()_ manpage. However, while 32V, 3BSD, and 4BSD all still have the _chroot()_ system call, the documentation for it has disappeared from their _chdir()_ manpages. A _chroot()_ manpage (re)appears only in 4.1c BSD. The 32V _chdir()_ manpage seems to be the V7 manpage with the _chroot()_ documentation removed (and it definitely isn't the V6 _chdir()_ manpage). It may be that the _chroot()_ text was removed because the 32V people thought it was a hack that was better off not being documented, or maybe 32V got their manpages from an earlier version of V7 that didn't have the _chroot()_ addition yet.
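To make the '_.._' rule from the main entry concrete, here is a small userspace model of the directory-walk part of _namei()_, written for this entry as an added illustration; it is not code from the 4.1c BSD kernel, from 4BSD, or from anything else on the page. The directory tree, the _/jail_ chroot root, and the process's working directory are all constructed inline for the example. The same walk is run under both lookup rules: the V7/4BSD one, where '_.._' always follows the on-disk parent link, and the 4.1c BSD one, where '_.._' looked up in the process's root directory gives you back that root.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of namei()'s directory walk: an in-memory tree of directories,
 * a per-process root directory (u.u_rdir in the BSD kernels) and current
 * directory (u.u_cdir), and a lookup that walks one path component at a
 * time. The tree shape is constructed here for illustration; nothing is
 * read from a real filesystem.
 */

#define MAX_CHILDREN 8
#define MAX_NODES 16

struct dnode {
    const char *name;                     /* component name ("" for the real root) */
    struct dnode *parent;                 /* the on-disk ".." link */
    struct dnode *children[MAX_CHILDREN];
    int nchildren;
};

static struct dnode pool[MAX_NODES];
static int npool;

static struct dnode *mkdir_node(struct dnode *parent, const char *name)
{
    struct dnode *d = &pool[npool++];
    d->name = name;
    d->parent = parent;
    d->nchildren = 0;
    if (parent)
        parent->children[parent->nchildren++] = d;
    return d;
}

static struct dnode *lookup_child(const struct dnode *dir, const char *name)
{
    for (int i = 0; i < dir->nchildren; i++)
        if (strcmp(dir->children[i]->name, name) == 0)
            return dir->children[i];
    return NULL;
}

/*
 * Walk 'path' starting from rdir (absolute path) or cdir (relative path).
 * check_rdir == 0: the V7/4BSD behaviour, ".." follows the on-disk parent
 *                  link even when standing in the chroot root.
 * check_rdir != 0: the 4.1c BSD rule, ".." looked up in the process's root
 *                  directory returns that root directory itself.
 * The real root has no parent, so ".." there stays put under both rules.
 */
static struct dnode *walk(struct dnode *rdir, struct dnode *cdir,
                          const char *path, int check_rdir)
{
    struct dnode *dp = (path[0] == '/') ? rdir : cdir;
    const char *p = path;
    char comp[64];

    while (*p) {
        while (*p == '/')
            p++;                          /* skip one or more slashes */
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len >= sizeof comp)
            return NULL;                  /* ENAMETOOLONG */
        memcpy(comp, start, len);
        comp[len] = '\0';

        if (strcmp(comp, ".") == 0)
            continue;
        if (strcmp(comp, "..") == 0) {
            if (check_rdir && dp == rdir)
                continue;                 /* 4.1c BSD: ".." at the root is the root */
            if (dp->parent)
                dp = dp->parent;          /* otherwise follow the on-disk link */
            continue;
        }
        dp = lookup_child(dp, comp);
        if (!dp)
            return NULL;                  /* ENOENT */
    }
    return dp;
}

/* Render a node's real, un-chrooted absolute path, e.g. "/jail/etc". */
static void real_path(const struct dnode *d, char *out, size_t n)
{
    const struct dnode *chain[MAX_NODES];
    int depth = 0;
    size_t used = 0;

    for (; d->parent; d = d->parent)
        chain[depth++] = d;
    if (depth == 0) {
        snprintf(out, n, "/");
        return;
    }
    out[0] = '\0';
    while (depth-- > 0 && used < n)
        used += (size_t)snprintf(out + used, n - used, "/%s", chain[depth]->name);
}

/*
 * Constructed tree:  /  /etc  /jail (the chroot root)  /jail/bin  /jail/etc
 * The process is chrooted to /jail with its working directory in /jail/bin.
 * Returns 0 and writes the resolved real path into 'out', or -1 on failure.
 */
int resolve_in_jail(const char *path, int check_rdir, char *out, size_t n)
{
    npool = 0;
    struct dnode *root = mkdir_node(NULL, "");
    mkdir_node(root, "etc");
    struct dnode *jail = mkdir_node(root, "jail");
    struct dnode *bin = mkdir_node(jail, "bin");
    mkdir_node(jail, "etc");

    struct dnode *d = walk(jail, bin, path, check_rdir);
    if (!d)
        return -1;
    real_path(d, out, n);
    return 0;
}

int main(void)
{
    const char *paths[] = { "/", "..", "/..", "/../etc", "../../etc" };
    char real[256];

    for (int rule = 0; rule < 2; rule++) {
        printf("%s namei():\n", rule ? "4.1c BSD" : "V7/4BSD");
        for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
            if (resolve_in_jail(paths[i], rule, real, sizeof real) == 0)
                printf("  %-10s -> %s\n", paths[i], real);
            else
                printf("  %-10s -> (no such file)\n", paths[i]);
        }
    }
    return 0;
}
```

Under the V7/4BSD rule, '_/.._' resolves to the real root and '_/../etc_' to the host's _/etc_, which is exactly the '_cd /; cd .._' escape; under the 4.1c BSD rule both stay inside _/jail_. Note that this check only closes the '_.._' walk. It does not make _chroot()_ a complete confinement mechanism for a root process, which is the gap the FreeBSD jail paper cited above was written to address.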