I still think that Linux should do the chdir() before the chroot(). If you
can provide a reason why - besides "because that's the way it has been
done" - I'd say you have a valid point. Until then I remain unconvinced,
because of the possible security concerns from lax programming.

I disagree. Programs need to work on more systems than just Linux, so
portability is important. It's impossible to prevent people from making
arbitrarily stupid mistakes, so being gratuitously incompatible just to
try to prevent one kind of stupid mistake just isn't worth it.

I'll note that Solaris's chroot(1) *does* do an explicit change pwd to
the new root. This is the right place to do it, and in fact it solves
the original problem that someone reported (which was with the command
line chroot call, not the system call).

The system call interface should be as flexible as possible, and that
means chroot() should only change the root directory. (For example,
what if you're in /foo/bar/baz/quux/brie, and you want to set the root
to /foo/bar --- why should chroot() change your default directory as
well? Especially if other Unix systems don't. Compatibility and
portability are important!) By changing the chroot shell command, we
become compatible with other systems, and prevent the specific case of
lossage that was reported.