diff --git a/man2/chroot.2 b/man2/chroot.2 index 4a70db4c7..357baba30 100644 --- a/man2/chroot.2 +++ b/man2/chroot.2 @@ -73,7 +73,30 @@ capability) may call .BR chroot (). This call changes an ingredient in the pathname resolution process -and does nothing else. +and does nothing else. In particular, it is not intended to be used +for any kind of security purpose, neither to fully sandbox a process nor +to restrict filesystem syscalls. In the past, +.BR chroot () +has been used by daemons to restrict themselves prior to passing paths +supplied by untrusted users into syscalls like +.BR open (2). +However, if a folder is moved out of the chroot directory, an attacker +can exploit that to get out of the chroot directory as well. The easiest +way to do that is to +.BR chdir (2) +to the to-be-moved directory, wait for it to be moved out, then open a +path like ../../../etc/passwd. + + +.\" This is how the "slightly trickier variation" works: +.\" https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-014-2015.txt#L142 +A slightly +trickier variation also works under some circumstances if +.BR chdir (2) +is not permitted. If a daemon allows a "chroot directory" to be specified, +that usually means that if you want to prevent remote users from accessing +files outside the chroot directory, you must ensure that folders are never +moved out of it. This call does not change the current working directory, so that after the call \(aq\fI.\fP\(aq can @@ -87,6 +110,7 @@ by doing: This call does not close open file descriptors, and such file descriptors may allow access to files outside the chroot tree. + .SH RETURN VALUE On success, zero is returned. On error, \-1 is returned, and
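Review bot: In the first hunk, "not intended to be used for any kind of security purpose, neither to fully sandbox a process nor to restrict filesystem syscalls" stacks a negative on "neither ... nor" and reads awkwardly; "it is not intended to be used for any kind of security purpose, either to fully sandbox a process or to restrict filesystem system calls" says the same thing cleanly, and "system calls" rather than "syscalls" matches the wording used elsewhere in the page. The same hunk twice says "folder" ("if a folder is moved out", "folders are never moved out"), where the rest of this man page and man-pages(7) conventions use "directory"; the literal pathname "../../../etc/passwd" should be marked up as a pathname (".I ../../../etc/passwd" on its own line) rather than left as plain text. The closing sentence ("If a daemon allows a "chroot directory" to be specified, that usually means that if you want to prevent ...") is hard to parse because of the nested "that ... if"; consider stating the requirement directly, e.g. "If a daemon allows a "chroot directory" to be specified, then to prevent remote users from accessing files outside it, you must ensure that directories are never moved out of it." Finally, the two consecutive empty lines before the ".\"" comment should be dropped: blank lines in roff source produce blank output lines, and the comment alone separates the paragraphs adequately; since the comment already points at the Qubes QSB as the source of the "slightly trickier variation", it may be worth naming that reference in the visible text so readers can follow it.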
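Review bot: In the second hunk, the added empty line between "may allow access to files outside the chroot tree." and ".SH RETURN VALUE" should not be introduced: an empty input line in roff emits a blank output line, and the man-pages sources avoid that (".SH" already supplies the spacing before a new section). If the intent is only to separate the source visually, drop the line entirely; if a paragraph break is really wanted, use ".PP" rather than whitespace.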