4 files changed, 354 insertions, 0 deletions
diff --git a/usr.sbin/chroot/Makefile b/usr.sbin/chroot/Makefile
new file mode 100644
index 000000000000..f4c0c2b95610
--- /dev/null
+++ b/usr.sbin/chroot/Makefile
@@ -0,0 +1,4 @@
+PROG=	chroot
+MAN=	chroot.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/chroot/Makefile.depend b/usr.sbin/chroot/Makefile.depend
new file mode 100644
index 000000000000..6ef78fac5cbf
--- /dev/null
+++ b/usr.sbin/chroot/Makefile.depend
@@ -0,0 +1,15 @@
+# Autogenerated - do NOT edit!
+
+DIRDEPS = \
+	include \
+	include/xlocale \
+	lib/${CSU_DIR} \
+	lib/libc \
+	lib/libcompiler_rt \
+
+
+.include <dirdeps.mk>
+
+.if ${DEP_RELDIR} == ${_DEP_RELDIR}
+# local dependencies - needed for -jN in clean tree
+.endif
diff --git a/usr.sbin/chroot/chroot.8 b/usr.sbin/chroot/chroot.8
new file mode 100644
index 000000000000..4a1a5a396631
--- /dev/null
+++ b/usr.sbin/chroot/chroot.8
@@ -0,0 +1,128 @@
+.\" Copyright (c) 1988, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd July 25, 2025
+.Dt CHROOT 8
+.Os
+.Sh NAME
+.Nm chroot
+.Nd change root directory
+.Sh SYNOPSIS
+.Nm
+.Op Fl G Ar group Ns Op Cm \&, Ns Ar group  ...
+.Op Fl g Ar group
+.Op Fl u Ar user
+.Op Fl n
+.Ar newroot
+.Op Ar command Op Ar arg ...
+.Sh DESCRIPTION
+The
+.Nm
+utility changes its current and root directories to the supplied directory
+.Ar newroot
+and then exec's
+.Ar command
+with provided arguments, if supplied,
+or an interactive copy of the user's login shell.
+.Pp
+The options are as follows:
+.Bl -tag -width "-G group[,group ...]"
+.It Fl G Ar group Ns Op Cm \&, Ns Ar group  ...
+Run the command with the specified groups as supplementary groups.
+.It Fl g Ar group
+Run the command with the specified
+.Ar group
+as the real, effective and saved groups.
+.It Fl u Ar user
+Run the command with the specified
+.Ar user
+as the real, effective and saved users.
+.It Fl n
+Use the
+.Dv PROC_NO_NEW_PRIVS_CTL
+.Xr procctl 2
+command before chrooting, effectively disabling SUID/SGID bits
+for the calling process and its descendants.
+If
+.Dv security.bsd.unprivileged_chroot
+sysctl is set to 1, it will make it possible to chroot without
+superuser privileges.
+.El
+.Sh ENVIRONMENT
+The following environment variable is referenced by
+.Nm :
+.Bl -tag -width "SHELL"
+.It Ev SHELL
+If set,
+the string specified by
+.Ev SHELL
+is interpreted as the name of
+the shell to exec.
+If the variable
+.Ev SHELL
+is not set,
+.Pa /bin/sh
+is used.
+.El
+.Sh EXAMPLES
+.Bl -tag -width 0n
+.It Sy Example 1\&: No Chrooting into a New Root Directory
+.Pp
+The following command opens the
+.Xr csh 1
+shell after chrooting to the standard root directory.
+.Bd -literal -offset 2n
+.Li # Ic chroot / /bin/csh
+.Ed
+.It Sy Example 2\&: No Execution of a Command with a Changed Root Directory
+.Pp
+The following command changes a root directory with
+.Nm
+and then runs
+.Xr ls 1
+to list the contents of
+.Pa /sbin .
+.Bd -literal -offset 2n
+.Li # Ic chroot /tmp/testroot ls /sbin
+.Ed
+.El
+.Sh SEE ALSO
+.Xr chdir 2 ,
+.Xr chroot 2 ,
+.Xr setgid 2 ,
+.Xr setgroups 2 ,
+.Xr setuid 2 ,
+.Xr getgrnam 3 ,
+.Xr environ 7 ,
+.Xr jail 8
+.Sh HISTORY
+The
+.Nm
+utility first appeared in
+.At III
+and
+.Bx 4.3 Reno .
diff --git a/usr.sbin/chroot/chroot.c b/usr.sbin/chroot/chroot.c
new file mode 100644
index 000000000000..e1af0a4131d3
--- /dev/null
+++ b/usr.sbin/chroot/chroot.c
@@ -0,0 +1,207 @@
+/*-
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/procctl.h>
+
+#include <ctype.h>
+#include <err.h>
+#include <errno.h>
+#include <grp.h>
+#include <limits.h>
+#include <paths.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+static void usage(void) __dead2;
+
+static gid_t
+resolve_group(const char *group)
+{
+	char *endp;
+	struct group *gp;
+	unsigned long gid;
+
+	gp = getgrnam(group);
+	if (gp != NULL)
+		return (gp->gr_gid);
+
+	/*
+	 * Numeric IDs don't need a trip through the database to check them,
+	 * POSIX seems to think we should generally accept a numeric ID as long
+	 * as it's within the valid range.
+	 */
+	errno = 0;
+	gid = strtoul(group, &endp, 0);
+	if (errno == 0 && *endp == '\0' && gid <= GID_MAX)
+		return (gid);
+
+	errx(1, "no such group '%s'", group);
+}
+
+static uid_t
+resolve_user(const char *user)
+{
+	char *endp;
+	struct passwd *pw;
+	unsigned long uid;
+
+	pw = getpwnam(user);
+	if (pw != NULL)
+		return (pw->pw_uid);
+
+	errno = 0;
+	uid = strtoul(user, &endp, 0);
+	if (errno == 0 && *endp == '\0' && uid <= UID_MAX)
+		return (uid);
+
+	errx(1, "no such user '%s'", user);
+}
+
+int
+main(int argc, char *argv[])
+{
+	const char	*group, *p, *shell, *user;
+	char		*grouplist;
+	long		ngroups_max;
+	gid_t		gid, *gidlist;
+	uid_t		uid;
+	int		arg, ch, error, gids;
+	bool		nonprivileged;
+
+	gid = 0;
+	uid = 0;
+	gids = 0;
+	user = group = grouplist = NULL;
+	gidlist = NULL;
+	nonprivileged = false;
+	while ((ch = getopt(argc, argv, "G:g:u:n")) != -1) {
+		switch(ch) {
+		case 'u':
+			user = optarg;
+			if (*user == '\0')
+				usage();
+			break;
+		case 'g':
+			group = optarg;
+			if (*group == '\0')
+				usage();
+			break;
+		case 'G':
+			grouplist = optarg;
+
+			/*
+			 * XXX Why not allow us to drop all of our supplementary
+			 * groups?
+			 */
+			if (*grouplist == '\0')
+				usage();
+			break;
+		case 'n':
+			nonprivileged = true;
+			break;
+		case '?':
+		default:
+			usage();
+		}
+	}
+	argc -= optind;
+	argv += optind;
+
+	if (argc < 1)
+		usage();
+
+	if (group != NULL)
+		gid = resolve_group(group);
+
+	if (grouplist != NULL) {
+		ngroups_max = sysconf(_SC_NGROUPS_MAX);
+		if ((gidlist = malloc(sizeof(gid_t) * ngroups_max)) == NULL)
+			err(1, "malloc");
+		for (gids = 0; (p = strsep(&grouplist, ",")) != NULL &&
+		    gids < ngroups_max; ) {
+			if (*p == '\0')
+				continue;
+
+			gidlist[gids++] = resolve_group(p);
+		}
+		if (p != NULL && gids == ngroups_max)
+			errx(1, "too many supplementary groups provided");
+	}
+
+	if (user != NULL)
+		uid = resolve_user(user);
+
+	if (nonprivileged) {
+		arg = PROC_NO_NEW_PRIVS_ENABLE;
+		error = procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg);
+		if (error != 0)
+			err(1, "procctl");
+	}
+
+	if (chdir(argv[0]) == -1)
+		err(1, "%s", argv[0]);
+	if (chroot(".") == -1) {
+		if (errno == EPERM && !nonprivileged && geteuid() != 0)
+			errx(1, "unprivileged use requires -n");
+		err(1, "%s", argv[0]);
+	}
+
+	if (gidlist != NULL && setgroups(gids, gidlist) == -1)
+		err(1, "setgroups");
+	if (group && setgid(gid) == -1)
+		err(1, "setgid");
+	if (user && setuid(uid) == -1)
+		err(1, "setuid");
+
+	if (argv[1]) {
+		execvp(argv[1], &argv[1]);
+		err(1, "%s", argv[1]);
+	}
+
+	if (!(shell = getenv("SHELL")))
+		shell = _PATH_BSHELL;
+	execlp(shell, shell, "-i", (char *)NULL);
+	err(1, "%s", shell);
+	/* NOTREACHED */
+}
+
+static void
+usage(void)
+{
+	(void)fprintf(stderr, "usage: chroot [-g group] [-G group,group,...] "
+	    "[-u user] [-n] newroot [command]\n");
+	exit(1);
+}