jk_check(8)			   jk_check			   jk_check(8)

NAME
       jk_check - a utility that will check a jail for security problems

SYNOPSIS
       jk_check jail

       jk_check -v -c configfile jail

DESCRIPTION
       jk_check will run several tests on all files and directories in a jail.
       The tests are:

       -test for setuid (set user id) or setgid (set group id) files

       -test for file modifications, using an MD5 checksum on the file in the
       jail and the same file in the real root

       -test for group writable or world writable directories

       -test for matching user information in the jail and on the real system

       It will test directories based on the config file
       /etc/jailkit/jk_check.ini but also based on jail patterns (dir/./dir)
       found in the home directories in /etc/passwd

EXAMPLE
   Minimal configfile
       The most minimal configuration looks like:

       [/home/testchroot]

       This will include all the files and directories in /home/testchroot for
       testing.

   More extended configfile
       Often you want to ignore some tests on some directories. The following
       configfile shows some examples:

       [/home/testchroot]
       ignorepatheverywhere =
       ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc
       ignorewritableforgroup = /home/testchroot/home
       ignorewritableforothers = /home/testchroot/home/tmp
       ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforothers =

       ignorepatheverywhere
              no single test is performed in these directories. You should not
              use this option unless you know what you are doing.
       ignorepathoncompare
              files in listed directories are not compared with their non-jail
              counterparts. Useful for directories like /etc/ and /home/ where
              you know you'll have different files inside the jail and outside
              the jail
       ignorewritableforgroup
              listed directories that are writable for the group are not
              reported
       ignorewritableforothers
              listed directories that are writable for others are not reported
       ignoresetuidexecuteforuser
              ignore the setuid bit on a file that is executable for a user, a
              file with -rws------ permissions that is. Use with care!
              Remember that user root can break out of a jail, therefore any
              program running with root privileges is theoretically capable of
              breaking out of the jail!
       ignoresetuidexecuteforgroup
              ignore the setuid bit for a file that is executable for the
              group, a file with -rws--x--- permissions that is.
       ignoresetuidexecuteforothers
              ignore the setuid bit for a file that is executable for others,
              a file with -rws--x--x permissions that is
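
       The sketch below is an added example, not jk_check's own code: it
       walks a jail, reports the setuid/setgid, writable-directory and
       file-modification findings described above, and shows how ignore lists
       suppress them. All function and parameter names are hypothetical,
       prefix matching of ignore paths is an assumption, and SHA-256 stands
       in for the MD5 checksum this page names.

```python
import hashlib, os, stat, tempfile

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # SHA-256 here; the man page names MD5

def under(path, prefixes):
    """True if path equals one of prefixes or lies below it (prefix matching is an assumption)."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)

def audit_jail(jail, real_root, ignore_compare=(), ignore_wgroup=(),
               ignore_wothers=(), ignore_setuid=()):
    """Return sorted (finding, path relative to jail) tuples; all names here are hypothetical."""
    found = []
    for dirpath, _dirs, files in os.walk(jail):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWGRP and not under(dirpath, ignore_wgroup):
            found.append(("group-writable-dir", os.path.relpath(dirpath, jail)))
        if mode & stat.S_IWOTH and not under(dirpath, ignore_wothers):
            found.append(("world-writable-dir", os.path.relpath(dirpath, jail)))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, jail)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and sockets
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and not under(path, ignore_setuid):
                found.append(("setuid-or-setgid", rel))
            twin = os.path.join(real_root, rel)  # same file outside the jail
            if os.path.isfile(twin) and not under(path, ignore_compare):
                if digest(path) != digest(twin):
                    found.append(("differs-from-real-root", rel))
    return sorted(found)

def demo():
    """Audit a constructed jail and a stand-in 'real root', both built in a temp dir."""
    with tempfile.TemporaryDirectory() as top:
        jail, root = os.path.join(top, "jail"), os.path.join(top, "root")
        for base, body in ((jail, b"tampered"), (root, b"original")):
            os.makedirs(os.path.join(base, "bin"))
            with open(os.path.join(base, "bin", "ls"), "wb") as f:
                f.write(body)
        os.makedirs(os.path.join(jail, "home", "tmp"))
        for d, m in (("", 0o755), ("bin", 0o755), ("home", 0o775), ("home/tmp", 0o777)):
            os.chmod(os.path.join(jail, d), m)
        os.chmod(os.path.join(jail, "bin", "ls"), 0o4755)  # constructed setuid file
        ignores = dict(ignore_wgroup=[jail + "/home"], ignore_wothers=[jail + "/home/tmp"])
        return audit_jail(jail, root), audit_jail(jail, root, **ignores)
```

       demo() returns the findings without and with the writable-directory
       ignore lists; the setuid and modified-file findings remain in both.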

OPTIONS
       -v     Will give verbose output

       -c configfile
              Use alternative configfile

       -h     The help screen

FILES
       /etc/jailkit/jk_check.ini

SEE ALSO
       jailkit(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8)
       jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8)
       jk_uchroot(8) jk_update(8) chroot(2)

COPYRIGHT
       Copyright (C) 2003, 2004, 2005, 2006, 2007, Olivier Sessink

       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

JAILKIT				  07-02-2010			   jk_check(8)
