FreeBSD Manual Pages

jk_chrootsh(8)                    jk_chrootsh                    jk_chrootsh(8)

NAME
       jk_chrootsh - a shell that will put the user inside a changed root

DESCRIPTION
       jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or
       your LDAP store). That user will be put into a changed root. The
       directory to put the user in is read from the user's home directory;
       the last occurring /./ sequence marks the location of the changed
       root. An example line in /etc/passwd would look like


       In this example the user	will be	chroot-ed into /home/testchroot

       Inside the chroot-ed directory, it will look for /etc/passwd and it
       will execute the shell for the user from that file. For the above
       example the /etc/passwd file inside the jail should have an entry like


       Notice  that  the home directory	and the	shell are local	inside the ch-

       jk_chrootsh needs certain elevated privileges to make the chroot(2)
       system call. Therefore it is setuid root. It will drop its root
       privileges immediately after making the chroot() system call. Since
       Jailkit 2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on
       systems that support capabilities, and then the setuid bit can be
       removed.
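The two steps described above, splitting the home directory at the last /./ marker and entering the chroot while still privileged before dropping root, as an added example. This is not Jailkit's own source; the path, uid and gid are constructed sample values, and the home directory check implements the default ownership and permission rule the manual states further down.

```c
#define _DEFAULT_SOURCE          /* chroot(2) and setgroups(2) prototypes on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Split "/home/testchroot/./home/testuser" into the chroot directory
 * ("/home/testchroot") and the home directory inside the jail
 * ("/home/testuser"), using the LAST "/./" occurrence as the marker.
 * Returns 0 on success, -1 if no marker is present or a buffer is too small. */
int split_chroot_home(const char *home, char *jail, size_t jail_sz,
                      char *inhome, size_t inhome_sz)
{
    const char *mark = NULL, *p = home;
    while ((p = strstr(p, "/./")) != NULL) { mark = p; p += 3; }
    if (mark == NULL || mark == home)
        return -1;                       /* no marker, or empty jail path */
    size_t jail_len = (size_t)(mark - home);
    if (jail_len + 1 > jail_sz)
        return -1;
    memcpy(jail, home, jail_len);
    jail[jail_len] = '\0';
    /* everything after "/./" becomes an absolute path inside the jail */
    if (snprintf(inhome, inhome_sz, "/%s", mark + 3) >= (int)inhome_sz)
        return -1;
    return 0;
}

/* Default jk_chrootsh requirement on the home directory: a directory owned
 * by the user, group equal to the user's primary group, not writable by
 * group or others. Pure check on stat(2) fields so it can be exercised
 * without real directories; returns 1 when acceptable, 0 otherwise. */
int home_perms_ok(mode_t mode, uid_t st_uid, gid_t st_gid, uid_t uid, gid_t gid)
{
    if (!S_ISDIR(mode))
        return 0;
    if (st_uid != uid || st_gid != gid)
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Enter the jail and drop privileges in the order that matters: chroot(2)
 * needs root (or CAP_SYS_CHROOT), so it comes first; chdir("/") afterwards
 * so the working directory is inside the new root; then supplementary
 * groups, gid and uid. Finally confirm root cannot be regained. Returns 0
 * on success, -1 on any failure (the caller must not exec the shell then). */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(jail, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    if (chdir(jail) != 0)  return -1;
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0)   return -1;
    if (setgroups(1, &gid) != 0) return -1;  /* no leftover supplementary groups */
    if (setgid(gid) != 0)  return -1;
    if (setuid(uid) != 0)  return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* privileges were not really dropped */
    return 0;
}

int main(void)
{
    /* constructed sample: the home field of an /etc/passwd entry */
    const char *home = "/home/testchroot/./home/testuser";
    char jail[256], inhome[256];
    if (split_chroot_home(home, jail, sizeof jail, inhome, sizeof inhome) != 0) {
        fprintf(stderr, "no /./ marker in %s\n", home);
        return 1;
    }
    printf("chroot to %s, home inside the jail is %s\n", jail, inhome);
    printf("mode 0750 owned by 1000:1000, user 1000 in group 1000: %s\n",
           home_perms_ok(S_IFDIR | 0750, 1000, 1000, 1000, 1000) ? "ok" : "rejected");
    if (geteuid() != 0) {
        printf("not root: skipping the chroot(2) and privilege drop\n");
        return 0;
    }
    return enter_jail(jail, 1000, 1000) == 0 ? 0 : 1;
}
```

The path splitting and the permission rule run unprivileged; enter_jail() only succeeds as root or with CAP_SYS_CHROOT, and its final setuid(0) probe is what turns a silent failure to drop privileges into a refusal to continue.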

       By default jk_chrootsh does not copy any environment variables. For
       some functionality, however, environment variables need to be copied
       (e.g. the TERM variable for a functional terminal emulation, or the
       DISPLAY variable for X forwarding). The required environment variables
       can be listed in /etc/jailkit/jk_chrootsh.ini. An example config file
       is shown below. In the example, user bill will get the DISPLAY
       variable, and all users in group jail will get the TERM and PATH
       variables.

       By default jk_chrootsh requires a home directory owned by the user,
       with the same group as the user's primary group, and requires the home
       directory to be non-writable for group and others. You can relax these
       requirements in the config file as shown below.

       [user bill]
       env = DISPLAY

       [group jail]
       env = TERM, PATH

       If user bill is in group jail, however, he will not get the TERM
       variable in the above example. Neither will any user with primary
       group jail get relaxed requirements for the ownership and the
       permissions of the home directory. First the user is checked, and only
       if no user section is found is the primary group section looked for,
       and if no group section is found, the DEFAULT section is used.
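The section precedence described above (user section, else primary group section, else DEFAULT, with no merging between them), as an added example. This is not Jailkit's parser; it is a minimal reader for the section and key layout shown on this page, and the embedded config text is a constructed sample that reproduces the bill/jail example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample config in the layout shown in the manual. Note that
 * bill's own section lists DISPLAY only. */
const char SAMPLE_INI[] =
    "[DEFAULT]\n"
    "injail_login_shell = 1\n"
    "\n"
    "[user bill]\n"
    "env = DISPLAY\n"
    "\n"
    "[group jail]\n"
    "env = TERM, PATH\n";

/* Return a pointer to the first line after the "[name]" header, or NULL
 * when the section does not exist. */
static const char *find_section(const char *ini, const char *name)
{
    size_t n = strlen(name);
    const char *p = ini;
    while (p && *p) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '[' && strncmp(p + 1, name, n) == 0 && p[1 + n] == ']') {
            const char *nl = strchr(p, '\n');
            return nl ? nl + 1 : p + strlen(p);
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* Look up "key = value" inside ONE section body, stopping at the next
 * "[" header. Copies the trimmed value into out; returns 1 if found. */
static int section_get(const char *body, const char *key, char *out, size_t out_sz)
{
    size_t klen = strlen(key);
    const char *line = body;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '[')
            break;                                   /* next section: stop */
        if (strncmp(p, key, klen) == 0 &&
            (p[klen] == ' ' || p[klen] == '\t' || p[klen] == '=')) {
            const char *q = p + klen;
            while (*q == ' ' || *q == '\t') q++;
            if (*q == '=') {
                q++;
                while (*q == ' ' || *q == '\t') q++;
                size_t vlen = (size_t)((line + len) - q);
                while (vlen > 0 && (q[vlen - 1] == ' ' || q[vlen - 1] == '\t' ||
                                    q[vlen - 1] == '\r'))
                    vlen--;
                if (vlen + 1 > out_sz)
                    return 0;
                memcpy(out, q, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* Precedence as the manual states it: [user NAME] wins; only if absent is
 * [group PRIMARYGROUP] consulted; only if that is absent too is [DEFAULT]
 * used. The chosen section is the only one read, so a key missing from
 * bill's section is NOT picked up from his group's section. Returns 1 and
 * fills out when the key exists in the chosen section, 0 otherwise. */
int lookup_key(const char *ini, const char *user, const char *group,
               const char *key, char *out, size_t out_sz)
{
    char name[128];
    const char *body;
    snprintf(name, sizeof name, "user %s", user);
    if ((body = find_section(ini, name)) == NULL) {
        snprintf(name, sizeof name, "group %s", group);
        if ((body = find_section(ini, name)) == NULL)
            body = find_section(ini, "DEFAULT");
    }
    if (body == NULL)
        return 0;
    return section_get(body, key, out, out_sz);
}

int main(void)
{
    const char *cases[][2] = { {"bill", "jail"}, {"alice", "jail"}, {"carol", "other"} };
    char value[64];
    for (size_t i = 0; i < 3; i++) {
        int found = lookup_key(SAMPLE_INI, cases[i][0], cases[i][1], "env",
                               value, sizeof value);
        printf("user %s (primary group %s): env = %s\n",
               cases[i][0], cases[i][1], found ? value : "(none)");
    }
    return 0;
}
```

Running it shows bill getting only DISPLAY, alice (no user section, group jail) getting TERM and PATH, and carol (neither) falling through to DEFAULT, where no env key exists at all.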

       Normally jk_chrootsh will pass all arguments it is called with to the
       shell in the jail. You can force jk_chrootsh to call the shell inside
       the jail with a single argument --login by setting injail_login_shell=1
       in the config file.

       jk_chrootsh can be configured not to read the final shell from the
       /etc/passwd file in the jail. An example config file is shown below.

       [group jail2]

FILES
       /etc/passwd
       /etc/jailkit/jk_chrootsh.ini

       jk_chrootsh logs everything to syslog; check the log files. Logging is
       sent to the LOG_AUTH facility with levels LOG_ERR and LOG_CRIT for
       critical errors, LOG_NOTICE for non-critical errors, and LOG_INFO for
       normal events. On most systems the command grep jk_ /var/log/* will
       give you the information you need.

       Commonly made mistakes are:

       forgetting to add the user to JAIL/etc/passwd or the group to

       forgetting to have the correct permissions on all files inside the
       jail, or forgetting files inside the jail (the shell itself, or any
       libraries used by the shell)

       referring to a file outside the chroot

SEE ALSO
       jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_cp(8) jk_init(8)
       jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8)
       jk_uchroot(8) jk_update(8) chroot(2) syslogd(8)

COPYRIGHT
       Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
       2012, 2013, 2014, 2018 Olivier Sessink

       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

JAILKIT                           07-02-2010                     jk_chrootsh(8)

