jailkit(8) - Linux man page
Name
jailkit - utilities for jailing a user or process
Description
Jailkit is a set of utilities to limit user accounts to a specific directory and to specific commands. Setting up a jail is a lot easier using these utilities. A jail is a directory in your system, and the user cannot see/do anything outside that directory. The user is jailed in the directory. The chroot(2) system call is used to put the user inside the jail.
If you want the user to be able to do one thing, that one thing must be possible inside the jail. For example, if you want the user to be able to run scp, you need a copy of scp installed in the jail, and also a means to execute it (a shell). As you will understand, the fewer executables there are in a jail, and the harder they are to start, the more work a hacker needs to break out of it.
Security Considerations
DO NOT RELY ON THE JAIL. If you don't trust a process on a regular system, don't trust it in a jail. A badly configured jail might even make the situation worse!
The super user (root), or any process running with root privileges, can break out of a jail created with chroot(2). It is therefore important that the jail does not contain any files that are set user id root (also called setuid).
Normal users can create files that are setuid (set user id) root by creating a hardlink to an existing setuid root binary. For example 'ln /bin/su /jail/my_su' will create a setuid root binary in /jail/. If the user then modifies /jail/lib/libc... or /jail/etc/passwd, the user might gain root privileges! Therefore, no directory inside the jail except for the home directory should be writable by the user. In particular, the jail directory itself should not be writable by the user. If the jail is on a separate filesystem, that filesystem can furthermore be mounted with the nosuid flag (and since a hardlink can only be created within a single filesystem, a separate filesystem also prevents the hardlink trick above).
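The two rules above (no setuid or setgid files anywhere in the jail, nothing but the home directory writable) can be checked mechanically. The script below is an added example in the spirit of jk_check, not jailkit's own code; it builds a constructed sample jail under mktemp to show both findings, and its function names are this example's own.

```shell
#!/bin/sh
# Added example, not jailkit's own code: a small audit in the spirit of jk_check.
# It reports the two problems the Security Considerations describe:
#   1. setuid/setgid files anywhere in the jail (e.g. a hardlinked /bin/su)
#   2. world-writable directories, with only the user's home directory allowed

# Print every setuid or setgid regular file below the jail root $1.
find_setuid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print every world-writable directory below the jail root $1, skipping the
# home directory $2 and everything underneath it.
find_world_writable() {
  find "$1" -type d -perm -0002 ! -path "$2" ! -path "$2/*" -print
}

# audit_jail JAIL HOME: list findings on stdout, one per line, then the total.
# The last line is the number of findings (0 means the jail passed both checks).
audit_jail() {
  jail="$1"; home="${2:-$1/home}"
  s=$(find_setuid "$jail" | wc -l | tr -d ' ')
  w=$(find_world_writable "$jail" "$home" | wc -l | tr -d ' ')
  find_setuid "$jail" | sed 's/^/SETUID-SETGID: /'
  find_world_writable "$jail" "$home" | sed 's/^/WORLD-WRITABLE: /'
  echo $((s + w))
}

# audit_total JAIL HOME: only the number of findings (handy as a cron exit code).
audit_total() { audit_jail "$1" "$2" | tail -n 1; }

# Constructed sample jail for demonstration: a setuid binary like the
# 'ln /bin/su /jail/my_su' case, a writable /etc (bad) and a writable home (allowed).
make_demo_jail() {
  j=$(mktemp -d)
  mkdir -p "$j/bin" "$j/etc" "$j/home/test"
  chmod 0755 "$j/bin" "$j/home"          # explicit modes, independent of umask
  printf '#!/bin/sh\n' > "$j/bin/my_su"
  chmod 4755 "$j/bin/my_su"              # setuid bit: must be reported
  chmod 0777 "$j/etc"                    # world-writable outside home: must be reported
  chmod 0777 "$j/home/test"              # the home directory may be writable
  echo "$j"
}
```

Run it daily as 'audit_total /home/sftproot /home/sftproot/home/test' and alert whenever the result is not 0.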
Contents
jk_init can be used to quickly create a jail with the files and directories needed for a specific task. Many tasks are predefined in /etc/jailkit/jk_init.ini. For example a limited shell, a jail to run apache, or a jail for just sftp and scp can be quickly set up by jk_init. It will copy the binaries, the required libraries (and symlinks) and other files like /etc/passwd.
jk_cp can be used to copy a file into a jail. The file is copied with the same permissions, except that any setuid or setgid bits are removed. If the file is a binary executable, its libraries are copied as well.
jk_check can be used to check a jail for potential security problems. It checks for setuid and setgid programs, for modified programs, for world-writable directories and more. It is very convenient to run daily from the cron daemon. It is controlled by /etc/jailkit/jk_check.ini.
jk_chrootsh is a shell for a user that will jail the user in a specific directory, called the JAIL. It does this using the chroot (change root) system call. The JAIL must contain some basic files, like /etc/passwd and a shell to execute. jk_chrootsh reads the shell to execute inside the JAIL from JAIL/etc/passwd. jk_chrootsh is typically set in /etc/passwd as the default shell for some user.
jk_lsh is a limited shell that will only allow certain commands to be executed, based on the config file /etc/jailkit/jk_lsh.ini. It is typically started from /etc/passwd, or started by jk_chrootsh inside a jail from JAIL/etc/passwd (recommended), in which case the config file is JAIL/etc/jailkit/jk_lsh.ini. Use this program if you want to deny regular shell access (e.g. logins) but allow execution of commands like sftp, scp, rsync or cvs.
jk_socketd is a daemon that allows logging to syslog from a jail in a safe way. It limits the logging rate based on /etc/jailkit/jk_socketd.ini.
jk_chrootlaunch is a utility to start, inside a jail, a daemon that cannot do a chroot(2) call itself. It can change the user and group id after jailing the process and before executing the daemon.
jk_jailuser is a script to move an existing user account into a jail.
jk_list lists all jailed processes on a system, with their PID, UID and jail.
jk_procmailwrapper is a wrapper for procmail: it runs the .procmailrc of jailed users inside their jail, and the .procmailrc of regular users on the normal system.
Example
Suppose you need to create an account 'test' that can do sftp and scp only. You want it in a jail called /home/sftproot, where it will have the home directory /home/test.
# initialise the jail
mkdir /home/sftproot
jk_init /home/sftproot jk_lsh
jk_init /home/sftproot sftp
jk_init /home/sftproot scp
# create the account
jk_addjailuser /home/sftproot test
# edit the jk_lsh configfile in the jail, see man jk_lsh
# you can use every editor you want, I chose 'joe'
joe /home/sftproot/etc/jailkit/jk_lsh.ini
# now restart jk_socketd
killall jk_socketd
jk_socketd
# test the account
sftp test@localhost
# check the logs if everything is correct
tail /var/log/daemon.log /var/log/auth.log
Files
The jailkit config files are all located in /etc/jailkit/
See Also
jk_check(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8) chroot(2)
Copyright
Copyright (C) 2003, 2004, 2005, 2006, Olivier Sessink
Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.
