man schroot (Commandes) - securely enter a chroot environment


schroot - securely enter a chroot environment


schroot [OPTION]... [COMMAND]


schroot allows the user to run a command or a login shell in a chroot environment. If no command is specified, a login shell will be started in the user's current working directory inside the chroot.

If the user is not a member of the allowed groups (or if changing to root, the allowed root groups) for the specified chroot(s), the user will be required to authenticate themselves (typically with a password, but this depends upon the PAM configuration). All chroot usage will be logged in the system logs.

If no chroot is specified, the chroot name or alias default will be used as a fallback. This is equivalent to [lq]--chroot=default[rq].


schroot accepts the following options:

Basic options

-h, --help
Show help summary.
-a, --all
Select all chroots and active sessions. When a command has been specified, the command will be run in all chroots and active sessions. If --info has been used, display information about all chroots. This option does not make sense to use with a login shell (when no command has been specified). This option is equivalent to --all-chroots --all-sessions.
Select all chroots. Identical to --all, but active sessions are not considered.
Select all active sessions. Identical to --all, but chroots are not considered.
-c, --chroot=chroot
Specify a chroot to use. This option may be used multiple times to specify more than one chroot, in which case its effect is similar to --all.
-u, --user=user
Run as a different user. The default is to run as the current user. If required, the user may be required to authenticate themselves with a password.
-l, --list
List all available chroots.
-i, --info
Print detailed information about the specified chroots.
Print location (path) of the specified chroots. Note that chroot types which can only be used within a session will not have a location until they are active.
Print configuration of the specified chroots. This is useful for testing that the configuration in use is the same as the configuration file. Any comments in the original file will be missing.
-p, --preserve-environment
Preserve the user's environment inside the chroot environment. The default is to use a clean environment; this option copies the entire user environment and sets it in the session. The environment variables allowed are subject to certain restrictions; see the section [lq]Environment[rq], below.
-q, --quiet
Print only essential messages.
-v, --verbose
Print all messages.
-V, --version
Print version information.

Session options

-b, --begin-session
Begin a session. A unique session identifier (UUID) is returned on standard output. The UUID is required to use the other session options.
Recover an existing session. If an existing session has become unavailable, for example becoming unmounted due to a reboot, this option will make the session available for use again, for example by remounting it. -r, --run-session=UUID Run an existing session.
-e, --end-session=UUID
End an existing session.
-f, --force
Force a session operation, even if it would otherwise fail. This may be used to forcibly end a session, even if it has active users. This does not guarantee that the session will be ended cleanly; filesystems may not be unmounted, for example.


CR]$ CB]schroot -l







CR]$ CB]schroot -i -c sid

CR]Name: sid

CR]Description: Debian unstable

CR]Location: /srv/chroot/sid

CR]Priority: 3

CR]Groups: sbuild

CR]Root Groups: root

CR]Aliases: unstable default

Use --all or -c multiple times to use all or multiple chroots, respectively.

CR]$ CB]schroot -c sid /bin/ls

CR][sid chroot] Running command: [lq]/bin/ls[rq]

CR]CVS sbuild-chroot.c sbuild-session.h schroot.conf.5

CR]Makefile sbuild-chroot.h schroot.1

CR] sbuild-config.c

CR] sbuild-config.h schroot.c

CR]pam sbuild-session.c schroot.conf

CR]$ CB]schroot -c sid -- ls -1 | head -n 5

CR][sid chroot] Running command: [lq]ls -1[rq]






Use -- to allow options beginning with [oq]-[cq] or [oq]--[cq] in the command to run in the chroot. This prevents them being interpreted as options for schroot itself. Note that the top line was echoed to standard error, and the remaining lines to standard output. This is intentional, so that program output from commands run in the chroot may be piped and redirected as required; the data will be the same as if the command was run directly on the host system.

CR]$ CB]schroot -c sid -u root


CR][sid chroot] (rleigh[->]root) Running login shell: [lq]/bin/bash[rq]


If the user [lq]rleigh[rq] was in root-groups in schroot.conf, they would be granted root access without authentication, but the PAM authorisation step is still applied.


None known at this time.


By default, the environment is not preserved, and the following environment variables are defined: HOME, LOGNAME, PATH, SHELL, TERM (preserved if already defined), and USER.

The following, potentially dangerous, environment variables are always removed for safety: BASH_ENV, CDPATH, ENV, HOSTALIASES, IFS, KRB5_CONFIG, KRBCONFDIR, KRBTKFILE, KRB_CONF, LD_.*, LOCALDOMAIN, NLSPATH, PATH_LOCALE, RES_OPTIONS, TERMINFO, TERMINFO_DIRS, and TERMPATH.


The system-wide chroot definition file. This file must be owned by the root user, and not be writable by other.
The system-wide chroot setup and execution directories. See schroot-setup(5).
PAM configuration.


Roger Leigh.


Copyright © 2005-2006 Roger Leigh <>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.