FreeBSD Manual Pages

jk_lsh(8)			    jk_lsh			     jk_lsh(8)

NAME
       jk_lsh - a shell that limits the binaries it will execute

SYNOPSIS
       jk_lsh -c command

DESCRIPTION
       The jailkit limited shell jk_lsh is not an interactive shell. jk_lsh
       will only execute commands that are passed during startup (e.g.
       /bin/sh -c command) and will refuse to start any command that is not
       explicitly allowed. All other commands, and regular shell access, are
       denied. This can be used to restrict an account to a specific use. For
       example, jk_lsh can be used to make rsync-, cvs-, sftp- or scp-only
       accounts, or even an account that can start firefox or opera but
       nothing else.

       The allowed actions are read from /etc/jailkit/jk_lsh.ini. If you run
       jk_lsh inside a changed root jail, make sure jk_lsh.ini is present
       inside that chroot jail.

LIMITATIONS
       Some shells can process complex command lines, such as command1 &&
       command2, or kill `ps |grep foo`. The limited shell jk_lsh cannot do
       anything like that; another shell should be used if you want to enable
       such features. It is not planned to include this in any future
       version.

OPTIONS
       jk_lsh can do word expansion, such as *.txt expanding to each file
       that ends with .txt. This is very useful when running rsync or scp
       with jk_lsh. Option allow_word_expansion should be set to 1 in order
       to allow this.

       jk_lsh can also set environment variables. These are given in the
       environment option as a comma-separated list of key=value pairs.

       Options can be set for a specific user, for the primary group of a
       user, or for all users in section DEFAULT.

EXAMPLE
       An example config file for user test or group test is shown below:

       [DEFAULT]
       executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync
       paths = /usr/bin/, /usr/lib
       allow_word_expansion = 1

       [test]
       executables = /usr/bin/scp, /usr/lib/sftp-server
       paths = /usr/bin/, /usr/lib
       allow_word_expansion = 0
       umask = 002

       [group test]
       executables = /usr/bin/rsync
       paths = /usr/bin/
       allow_word_expansion = 1
       environment=TERM=linux,FOO=bar

       Note, however, that if user test has primary group test, he cannot
       execute rsync in the above example. First the user section is checked;
       only if no user section is found is the primary group section looked
       for, and only if no group section is found is the DEFAULT section
       looked for. If no section is found, jk_lsh aborts.

       The executables entry specifies all executables that jk_lsh will
       execute. The paths entry specifies in which directories jk_lsh will
       look for these executables if no path is specified. The PATH
       environment variable is ignored by jk_lsh. The allow_word_expansion
       entry, if set to 1, makes jk_lsh do word expansion (*, ?, ~, $) using
       wordexp(3), which is very useful for remote commands like
       rsync server:./* . or scp server:somedir/* /tmp/. Set the umask entry
       if you want a specific umask.
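
       The section lookup order and the executables/paths matching described
       above, as an added Python example for auditing a jk_lsh.ini (it is not
       jailkit code). Assumptions: the helper names are hypothetical, matching
       is done on normalized path strings without touching the filesystem,
       and [DEFAULT] is only a fallback section, not inherited by the others.

```python
import configparser
import posixpath

# Constructed sample input: the config from the EXAMPLE section of this page.
SAMPLE_INI = """\
[DEFAULT]
executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync
paths = /usr/bin/, /usr/lib
allow_word_expansion = 1
[test]
executables = /usr/bin/scp, /usr/lib/sftp-server
paths = /usr/bin/, /usr/lib
allow_word_expansion = 0
umask = 002
[group test]
executables = /usr/bin/rsync
paths = /usr/bin/
allow_word_expansion = 1
environment=TERM=linux,FOO=bar
"""

def load(text):
    # Rename configparser's magic default section so [DEFAULT] is an ordinary
    # section and its keys do not leak into [test] or [group test].
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cp.read_string(text)
    return cp

def effective_section(cp, user, primary_group):
    """Documented order: user section, then group section, then DEFAULT."""
    for name in (user, "group " + primary_group, "DEFAULT"):
        if cp.has_section(name):
            return name
    return None  # the page says jk_lsh aborts when no section is found

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def is_allowed(cp, user, primary_group, command):
    """True if the first word of `command` maps to a listed executable."""
    section = effective_section(cp, user, primary_group)
    if section is None or not command.split():
        return False
    prog = command.split()[0]
    allowed = {posixpath.normpath(p) for p in split_list(cp[section].get("executables", ""))}
    # A bare name is looked up in `paths` only; $PATH plays no part.
    dirs = split_list(cp[section].get("paths", ""))
    candidates = [prog] if "/" in prog else [posixpath.join(d, prog) for d in dirs]
    return any(posixpath.normpath(c) in allowed for c in candidates)
```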

       The common way to use jk_lsh is to set it as the default shell for
       those restricted accounts. It is recommended to run these accounts
       inside a changed root using jk_chrootsh(8).

FILES
       /etc/jailkit/jk_lsh.ini
       /etc/passwd
       JAIL/etc/jailkit/jk_lsh.ini
       JAIL/etc/passwd

DIAGNOSTICS
       jk_lsh logs errors to syslog, so check your log files. If you run
       jk_lsh inside a changed root, you have to have a /dev/log in that
       changed root. See jk_socketd(8) for more information on how to do
       this.

SEE ALSO
       jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8)
       jk_init(8) jk_jailuser(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8)
       jk_uchroot(8) jk_update(8) chroot(2)

COPYRIGHT
       Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier
       Sessink

       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

JAILKIT				  07-02-2010			     jk_lsh(8)
