jk_socketd(8) - Linux man page
Name
jk_socketd - a daemon to safely create /dev/log inside a chroot
Synopsis
jk_socketd
jk_socketd -p pidfile -n
jk_socketd --pidfile=pidfile --nodetach
Description
The jailkit socket daemon creates a /dev/log socket inside a jail according to /etc/jailkit/jk_socketd.ini and eventually writes all data to syslog using the real /dev/log. Programs like jk_lsh, and also many daemons, need a /dev/log socket to log to syslog.
Why not have syslog create the socket inside your jail? Potentially an attacker can disrupt normal system operation by filling your logs through the socket. jk_socketd can limit the number of bytes written through the socket. The rate limiting is based on three parameters: the base, the peek and the interval. The interval is the number of seconds over which jk_socketd counts the bytes. The base and peek are both numbers of bytes.
If the logging is limited by jk_socketd, processes that run inside the jail will be slowed down if they try to use the logging service. If you expect a high logging rate in a jail, it is recommended to use syslog to create the socket in the jail instead of jk_socketd.
A socket is normally only allowed to have base bytes going through per interval seconds. Only if the number of bytes in the previous interval was lower than base are peek bytes allowed. So a peek can only happen if the previous interval stayed below base.
The config file consists of several entries where each entry looks like this:
    [/home/testchroot/dev/log]
    base = 512
    peek = 2048
    interval = 5.0

The title of the section is the socket to be created. The directory to create the socket in should exist.
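The following Python is an added illustration, not jailkit's own code, of the two things described above: the entry format of jk_socketd.ini and the base/peek/interval policy. It parses an ini entry into a limit description and then simulates, for a constructed burst of log messages, how long each write would be held back. The sample ini text, the DEMO_MESSAGES traffic, the RateLimiter class and its submit() method are all constructed for this example; treating the time before the first interval as a quiet one is an assumption, and the real daemon's exact timing may differ.

```python
import configparser
from dataclasses import dataclass

# Constructed sample in the /etc/jailkit/jk_socketd.ini format shown above
# (example data, not a file taken from a real system).
SAMPLE_INI = """\
[/home/testchroot/dev/log]
base = 512
peek = 2048
interval = 5.0
"""


@dataclass
class SocketLimit:
    """One jk_socketd.ini entry: the section title is the socket path."""
    path: str
    base: int        # bytes normally allowed per interval
    peek: int        # bytes allowed only after a quiet (< base) interval
    interval: float  # length of the counting window in seconds


def parse_config(text):
    """Parse jk_socketd.ini-style text into a list of SocketLimit entries."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [
        SocketLimit(
            path=section,
            base=cp.getint(section, "base"),
            peek=cp.getint(section, "peek"),
            interval=cp.getfloat(section, "interval"),
        )
        for section in cp.sections()
    ]


class RateLimiter:
    """Hypothetical model of the base/peek/interval policy for one socket.

    Bytes are counted per interval. The allowance for the current interval is
    `peek` only if the previous interval stayed below `base`; otherwise it is
    `base`. A message that does not fit waits for a later interval, which is
    how a chatty jailed process is slowed down rather than having output lost.
    """

    def __init__(self, limit):
        self.limit = limit
        self.window_start = 0.0   # start time of the current interval
        self.current_bytes = 0    # bytes forwarded in the current interval
        self.previous_bytes = 0   # bytes in the previous interval (assumed quiet at start)

    def allowance(self):
        """Bytes permitted in the current interval."""
        if self.previous_bytes < self.limit.base:
            return self.limit.peek
        return self.limit.base

    def _advance(self, now):
        """Roll the window forward until it contains `now`."""
        while now - self.window_start >= self.limit.interval:
            self.window_start += self.limit.interval
            self.previous_bytes = self.current_bytes
            self.current_bytes = 0

    def submit(self, nbytes, now):
        """Forward a message of `nbytes` at time `now`.

        Returns the delay in seconds the writer incurs (0.0 = forwarded at
        once). A message larger than `peek` can never fit in one interval;
        this simplified model rejects it instead of splitting it.
        """
        if nbytes > self.limit.peek:
            raise ValueError("message larger than peek cannot fit in one interval")
        self._advance(now)
        t = now
        while self.current_bytes + nbytes > self.allowance():
            # Wait for the next interval boundary and re-evaluate the allowance.
            t = self.window_start + self.limit.interval
            self._advance(t)
        self.current_bytes += nbytes
        return t - now


# Constructed traffic: (seconds since start, message size in bytes).
DEMO_MESSAGES = [(0.0, 400), (1.0, 1000), (2.0, 1000), (10.5, 1100)]


def simulate(limit, messages):
    """Return the delay each message in `messages` would incur under `limit`."""
    limiter = RateLimiter(limit)
    return [limiter.submit(size, at) for at, size in messages]


if __name__ == "__main__":
    for limit in parse_config(SAMPLE_INI):
        print(f"{limit.path}: base={limit.base} peek={limit.peek} interval={limit.interval}")
        for (at, size), delay in zip(DEMO_MESSAGES, simulate(limit, DEMO_MESSAGES)):
            print(f"  t={at:5.1f}s  {size:5d} bytes  delayed {delay:.1f}s")
```

With the sample entry, the third message (1000 bytes at t=2) does not fit in the 2048-byte peek that the first interval still has open, and because that interval ends up busy (1400 bytes, above base) the next interval only allows 512 bytes, so the message is held until the interval after that: a delay of 8 seconds. This is the slow-down the Description warns about for jails with a high logging rate.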
Security
The jailkit socket daemon will change to user nobody and will chroot() into an empty dir once all sockets are opened.
Options
- -n --nodetach
- do not detach from the terminal and print debugging output
- -p pidfile --pidfile=pidfile
- write PID to pidfile
- -h --help
- show help screen
- --socket=/path/to/socket
- do not read ini file, create specific socket
- --base=integer
- message rate limit (in bytes) per interval for socket specified by --socket
- --peek=integer
- message rate limit peek (in bytes) for socket specified by --socket
- --interval=float
- message rate limit interval in seconds for socket specified by --socket
Files
/etc/jailkit/jk_socketd.ini
Diagnostics
jk_socketd logs errors to syslog, so check your log files. Otherwise run jk_socketd -n: it will not detach from the terminal and will print some debugging output.
See Also
jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) syslogd(8)
Copyright
Copyright (C) 2003, 2004, 2005, 2006 Olivier Sessink
Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.
