jk_chrootsh(8)			  jk_chrootsh			jk_chrootsh(8)

NAME
       jk_chrootsh - a shell that will put the user inside a changed root

SYNOPSIS
       jk_chrootsh

DESCRIPTION
       jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or
       your LDAP store). That user will be put into a changed root. The
       directory in which to put the user is read from the user's home
       directory; the last occurring /./ sequence marks the location of the
       changed root. An example line in /etc/passwd would look like

       test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh

       In this example the user will be chroot-ed into /home/testchroot.

       Inside the chroot-ed directory, it will look for /etc/passwd and it
       will execute the shell for the user from that file. For the above
       example the /etc/passwd file inside the jail should have an entry like

       test:x:10000:10000::/home/test:/usr/sbin/jk_lsh

       Notice that the home directory and the shell are local inside the
       chroot.
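       The /./ convention above, worked through as an added example (this is
       not jailkit's own code): a small parser that splits a passwd home field
       at the last /./ marker into the chroot directory and the in-jail home.
       The sample passwd lines are constructed for the demonstration; the
       first is the entry from this page, the second has two markers to show
       that only the last one counts, and the third has none.

```python
import posixpath

MARKER = "/./"


def split_chroot_home(home):
    """Split a jailkit-style home directory at its *last* '/./' marker.

    Returns (chroot_dir, injail_home), or None when the marker is absent,
    in which case there is no jail to enter.
    """
    idx = home.rfind(MARKER)
    if idx == -1:
        return None
    # Any earlier '/./' markers are plain path components; normalise them away.
    chroot = posixpath.normpath(home[:idx])
    # Keep the slash that begins the in-jail path.
    injail_home = home[idx + len(MARKER) - 1:]
    return chroot, injail_home


def parse_passwd_line(line):
    """Parse one /etc/passwd line and attach the chroot/in-jail split."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name, _pw, uid, gid, _gecos, home, shell = fields
    parts = split_chroot_home(home)
    return {
        "name": name, "uid": int(uid), "gid": int(gid),
        "home": home, "shell": shell,
        "chroot": parts[0] if parts else None,
        "injail_home": parts[1] if parts else None,
    }


# Constructed sample lines: the manual's entry plus two variants.
SAMPLE_LINES = [
    "test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh",
    "bob:x:10001:10001::/srv/jails/./jail1/./home/bob:/usr/sbin/jk_chrootsh",
    "nojail:x:10002:10002::/home/nojail:/bin/sh",
]

if __name__ == "__main__":
    for entry in map(parse_passwd_line, SAMPLE_LINES):
        print(entry["name"], "->", entry["chroot"], entry["injail_home"])
```

       For the manual's entry the split yields chroot /home/testchroot and
       in-jail home /home/test, which is exactly what the in-jail passwd line
       shown above must repeat.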

       jk_chrootsh needs certain elevated privileges to make the chroot(2)
       system call. Therefore it is setuid root. It will drop its root
       privileges immediately after making the chroot() system call. Since
       Jailkit 2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on
       systems that support capabilities, and then the setuid bit can be
       removed.

       By default jk_chrootsh does not copy any environment variables. For
       some functionality, however, environment variables need to be copied
       (e.g. the TERM variable for a functional terminal emulation, or the
       DISPLAY variable for X forwarding). In /etc/jailkit/jk_chrootsh.ini the
       required environment variables can be listed. An example config file is
       shown below. In the example, user bill will get the DISPLAY variable,
       and all users in group jail will get the TERM and PATH variables.

       By default jk_chrootsh requires a home directory owned by the user,
       with the same group as the primary group of the user, and requires the
       home directory to be non-writable for group and others. You can relax
       these requirements in the config file as shown below.

       [DEFAULT]
       relax_home_group=1

       [bill]
       env= DISPLAY
       relax_home_owner=1
       relax_home_group_permissions=1
       relax_home_other_permissions=1

       [group jail]
       env = TERM, PATH
       injail_login_shell=1

       If user bill is in group jail, however, he will not get the TERM
       variable in the above example. Neither will any user with primary
       group jail get relaxed requirements for the ownership and the
       permissions of the home directory. First the user is checked, and only
       if no user section is found the primary group section is looked for,
       and if no group section is found, the DEFAULT section is used.

       Normally jk_chrootsh will pass all arguments it is called with to the
       shell in the jail. You can force jk_chrootsh to call the shell inside
       the jail with a single argument --login by setting injail_login_shell=1
       in the config file.

       jk_chrootsh can be configured not to read the final shell from the
       /etc/passwd file in the jail. An example config file is shown below.

       [group jail2]
       skip_injail_passwd_check=1
       injail_shell=/bin/bash
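       The section precedence described above (user section, else primary
       group section, else DEFAULT, with no merging between them) and the
       injail_login_shell, skip_injail_passwd_check and injail_shell keys,
       as an added example that is not jailkit's code. The config text is
       constructed by joining the two example fragments from this page. It
       assumes that a value of 1 enables a flag and that the caller already
       knows the user's primary group name; the real jk_chrootsh has its own
       parser and resolves the group from the system databases.

```python
import configparser

# Constructed config text, assembled from the example fragments in jk_chrootsh(8).
SAMPLE_INI = """\
[DEFAULT]
relax_home_group=1

[bill]
env= DISPLAY
relax_home_owner=1
relax_home_group_permissions=1
relax_home_other_permissions=1

[group jail]
env = TERM, PATH
injail_login_shell=1

[group jail2]
skip_injail_passwd_check=1
injail_shell=/bin/bash
"""

FLAGS = ("relax_home_owner", "relax_home_group", "relax_home_group_permissions",
         "relax_home_other_permissions", "injail_login_shell",
         "skip_injail_passwd_check")


def load_ini(text):
    # Rename configparser's implicit default section so that [DEFAULT] is read
    # as an ordinary section: the manual says DEFAULT is used only as a last
    # resort, never merged into a matching user or group section.
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cp.read_string(text)
    return cp


def select_section(cp, user, primary_group):
    """Precedence from jk_chrootsh(8): user, else 'group <primary>', else DEFAULT."""
    for name in (user, f"group {primary_group}", "DEFAULT"):
        if cp.has_section(name):
            return name
    return None


def effective_settings(cp, user, primary_group):
    """Return the settings that apply to one user as a plain dict."""
    section = select_section(cp, user, primary_group)
    settings = {flag: False for flag in FLAGS}
    settings.update(env=[], injail_shell=None, section=section)
    if section is None:
        return settings
    sec = cp[section]
    settings["env"] = [v.strip() for v in sec.get("env", "").split(",") if v.strip()]
    for flag in FLAGS:
        # Assumption: "1" enables a flag; any other value leaves it off.
        settings[flag] = sec.get(flag, "0").strip() == "1"
    settings["injail_shell"] = sec.get("injail_shell")
    return settings


def filter_environment(environ, allowed):
    """Copy only the listed variables; everything else is dropped, as the
    default of copying nothing implies."""
    return {k: v for k, v in environ.items() if k in allowed}


if __name__ == "__main__":
    cfg = load_ini(SAMPLE_INI)
    for user, group in (("bill", "jail"), ("alice", "jail"), ("carol", "users"),
                        ("dave", "jail2")):
        print(user, group, effective_settings(cfg, user, group))
```

       Running it shows the behaviour the manual spells out: bill (in group
       jail) gets only DISPLAY and none of the group's or DEFAULT's settings,
       another member of group jail gets TERM and PATH plus the --login shell,
       and a user matching neither falls through to DEFAULT.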

FILES
       /etc/passwd /etc/jailkit/jk_chrootsh.ini

DIAGNOSTICS
       jk_chrootsh logs everything to syslog, please check the log files.
       Logging is sent to the LOG_AUTH facility with levels LOG_ERR and
       LOG_CRIT for critical errors, LOG_NOTICE for non-critical errors, and
       LOG_INFO for normal events. On most systems the command grep jk_
       /var/log/* will give you the information you need.

       Commonly made mistakes are:

       forgetting to add the user to JAIL/etc/passwd or the group to
       JAIL/etc/group

       forgetting to have the correct permissions on all files inside the
       jail, or forgetting files inside the jail (the shell itself, or any
       libraries used by the shell)

       referring to a file outside the chroot
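       The common mistakes above, and the default home-directory requirements
       from DESCRIPTION, turned into a pre-flight check as an added example
       (not part of jailkit, which ships jk_check(8) for this purpose). The
       function takes the chroot directory and the in-jail home already split
       out of the passwd entry, and reports a missing passwd or group entry, a
       missing shell file, a home directory that does not exist, is not owned
       by the user, or is writable by group or others. The throwaway jails it
       is run against are constructed in a temporary directory; the shell is
       an empty placeholder file, and the shell's shared libraries are not
       checked.

```python
import os
import shutil
import stat
import tempfile


def _lookup_colon_file(path, name):
    """Return the fields of the line whose first field is `name` in a
    passwd- or group-style file, or None if the file or entry is missing."""
    try:
        with open(path) as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if fields[0] == name:
                    return fields
    except FileNotFoundError:
        return None
    return None


def check_jail(chroot, user, group, injail_home):
    """Look for the mistakes listed in jk_chrootsh(8) DIAGNOSTICS.
    Returns a list of findings; an empty list means nothing was found."""
    findings = []
    uid = None
    pw = _lookup_colon_file(os.path.join(chroot, "etc", "passwd"), user)
    if pw is None or len(pw) != 7:
        findings.append(f"user {user} missing from JAIL/etc/passwd")
    else:
        uid, home, shell = int(pw[2]), pw[5], pw[6]
        if home != injail_home:
            findings.append(f"in-jail home {home} does not match {injail_home}")
        # The shell path in the jail's passwd is relative to the jail root.
        if not os.path.isfile(os.path.join(chroot, shell.lstrip("/"))):
            findings.append(f"shell {shell} is not present inside the jail")
        # Shared libraries the shell depends on are not checked here.
    if _lookup_colon_file(os.path.join(chroot, "etc", "group"), group) is None:
        findings.append(f"group {group} missing from JAIL/etc/group")
    home_path = os.path.join(chroot, injail_home.lstrip("/"))
    try:
        st = os.stat(home_path)
    except FileNotFoundError:
        findings.append(f"home directory {injail_home} missing inside the jail")
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{injail_home} inside the jail is not a directory")
    if uid is not None and st.st_uid != uid:
        findings.append(f"home directory {injail_home} is not owned by uid {uid}")
    # Default requirement from the manual: not writable for group and others.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"home directory {injail_home} is writable by group or others")
    return findings


def build_demo_jail(root, user, group, injail_home, shell="/bin/sh",
                    home_mode=0o755, with_group=True):
    """Constructed throwaway jail used only to exercise check_jail()."""
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write(f"{user}:x:{os.getuid()}:{os.getgid()}::{injail_home}:{shell}\n")
    if with_group:
        with open(os.path.join(root, "etc", "group"), "w") as fh:
            fh.write(f"{group}:x:{os.getgid()}:{user}\n")
    shell_path = os.path.join(root, shell.lstrip("/"))
    os.makedirs(os.path.dirname(shell_path))
    open(shell_path, "w").close()  # empty placeholder standing in for the binary
    home_path = os.path.join(root, injail_home.lstrip("/"))
    os.makedirs(home_path)
    os.chmod(home_path, home_mode)


def demo():
    """Check one correct jail and one with two of the listed mistakes."""
    good, bad = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        build_demo_jail(good, "test", "jail", "/home/test")
        build_demo_jail(bad, "test", "jail", "/home/test",
                        home_mode=0o775, with_group=False)
        return (check_jail(good, "test", "jail", "/home/test"),
                check_jail(bad, "test", "jail", "/home/test"))
    finally:
        shutil.rmtree(good)
        shutil.rmtree(bad)


if __name__ == "__main__":
    ok, broken = demo()
    print("correct jail:", ok or "no findings")
    for finding in broken:
        print("broken jail:", finding)
```

       Against a real jail, run check_jail() with the chroot and in-jail home
       taken from the user's /etc/passwd entry outside the jail; each finding
       corresponds to one of the mistakes the syslog messages will otherwise
       point you at.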

SEE ALSO
       jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_cp(8) jk_init(8)
       jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8)
       jk_uchroot(8) jk_update(8) chroot(2) syslogd(8)

COPYRIGHT
       Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
       2012, 2013, 2014, 2018 Olivier Sessink

       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

JAILKIT				  07-02-2010			jk_chrootsh(8)
