APPJAIL-USER(1)		    General Commands Manual	       APPJAIL-USER(1)

NAME
       appjail-user -- Hints and parameters for	trusted	users

DESCRIPTION
       appjail(1)  is  designed	 to  be	run by the root	user, but this doesn't
       mean you	can't run it as	an unprivileged	user.  appjail(1) wraps	an ex-
       ternal tool to run itself with the appropriate privileges.

       The idea	is to create the illusion that appjail(1) runs	the  same  for
       both an unprivileged user and a privileged user,	but in reality it runs
       as a privileged user, i.e. the root user. Of course, to create this il-
       lusion the external tool	must be	installed and configured properly.

       We  recommend  security/doas  because it	is lightweight,	simple and se-
       cure.  security/sudo has	not yet	 been  widely  tested,	but  the  same
       process can be achieved with it.

   Trusted User	Group
       This only makes sense if you want to allow multiple users to run
       appjail(1) as root, because you can instead configure your external
       tool to let a single user run it.

	     # pw groupadd -n appjail -M $USER

   External Tool Configuration
       security/doas is used in this example, so doas.conf(5) is the file we
       need to edit. Add rules that allow appjail(1) and appjail-config(1)
       to run as root for the group configured earlier in "Trusted User
       Group", or for a single user.

	     # appjail(1)
	     permit nopass :appjail as root cmd	appjail
	     # Some applications, specifically x11 applications, require 'keepenv'
	     # to be set.
	     #permit nopass keepenv :appjail as	root cmd appjail
	     # appjail-config(1)
	     permit nopass :appjail as root cmd	appjail-config

   Unprivileged	User
       After configuring the external tool as specified in "External Tool
       Configuration", we should be able to call appjail and
       appjail-config-user without problems.

       In   the	  case	of  appjail-config(1),	we  must  explicitly  call  it
       appjail-config-user instead of simply appjail-config.  This is a	design
       decision	since the version with the -user suffix	introduces  a  bit  of
       overhead.

	     $ appjail jail list
	     STATUS  NAME   TYPE  VERSION	PORTS  NETWORK_IP4
	     UP	     jtest  thin  14.0-RELEASE	-      -
	     $ appjail-config-user set -j jtest	devfs_ruleset=15

SEE ALSO
       appjail(1) doas(1) appjail.conf(5) doas.conf(5)

AUTHORS
       Jesús Daniel Colmenares Oviedo <DtxdF@disroot.org>

CAVEATS
   Legacy Tool
       There is a legacy and deprecated tool on your system called
       appjail-user.  It exists for backward compatibility and should not be
       used.

   Filesystem Permissions
       Some Makejail instructions operate on a file and do not perform any
       modification, so if you create a file as an unprivileged user and the
       Makejail file calls an instruction such as COPY, the file is copied
       as is, and this may not make sense for the application running inside
       the jail.

SECURITY CONSIDERATIONS
       This document assumes that the reader has the appropriate privileges to
       be root, so allowing unprivileged users to run appjail(1) effectively
       grants those users the privilege to become root.  If you only want to
       allow certain appjail(1) subcommands, configure your external tool to
       do so.
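
       The script below is an added example, not part of AppJail or of this
       manual page: it lists doas.conf(5) permit rules that let a principal
       run appjail or appjail-config as root without an args restriction,
       which is the case this section warns about. The sample rules and the
       /usr/local/bin/appjail path are constructed for illustration.

```shell
#!/bin/sh
# Added example: list doas.conf(5) permit rules that allow appjail or
# appjail-config as root with no "args" restriction (any subcommand).

# audit_doas FILE: print "LINE: rule" for each unrestricted permit rule.
audit_doas() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 != "permit" { next }                # deny rules grant nothing
        {
            cmd = ""; has_args = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "cmd" && i < NF) cmd = $(i + 1)
                if ($i == "args") has_args = 1
            }
            sub(/.*\//, "", cmd)               # match absolute paths as well
            if ((cmd == "appjail" || cmd == "appjail-config") && !has_args)
                printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# write_sample FILE: constructed rules for illustration, not a recommended policy.
write_sample() {
    cat > "$1" <<'EOF'
# broad: every appjail subcommand as root
permit nopass :appjail as root cmd appjail
permit nopass keepenv :appjail as root cmd /usr/local/bin/appjail
permit nopass :appjail as root cmd appjail-config
# narrow: only the exact command line "appjail jail list"
permit nopass :appjail as root cmd appjail args jail list
EOF
}

# Usage: sh audit.sh /usr/local/etc/doas.conf
if [ "$#" -gt 0 ]; then
    audit_doas "$1"
fi
```

       With args, doas(1) requires the user's arguments to match the rule
       exactly, so the last sample rule permits "appjail jail list" and
       nothing else.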

FreeBSD	Ports 14.quarterly	March 24, 2024		       APPJAIL-USER(1)
