
FreeBSD Manual Pages

jk_chrootsh(8)                    jk_chrootsh                   jk_chrootsh(8)

NAME
       jk_chrootsh - a shell that will put the user inside a changed root

SYNOPSIS
       jk_chrootsh

DESCRIPTION
       jk_chrootsh can be used as the login shell for a user (e.g. in
       /etc/passwd or your LDAP store). That user is put into a changed root
       (chroot). The directory to chroot into is taken from the user's home
       directory field: the last occurring /./ sequence marks where the
       changed root ends and the home directory inside it begins. An example
       line in /etc/passwd would look like

       test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh

       In this example the user is chroot-ed into /home/testchroot, and the
       home directory inside that chroot is /home/test.

       Inside the chroot-ed directory jk_chrootsh looks for /etc/passwd and
       executes the shell listed for the user in that file. For the above
       example the /etc/passwd file inside the jail should have an entry like

       test:x:10000:10000::/home/test:/usr/sbin/jk_lsh

       Notice that the home directory and the shell are paths local to the
       chroot: here /home/test and /usr/sbin/jk_lsh must exist underneath
       /home/testchroot.
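       The convention above, worked through in code. This is an added
       example and not part of Jailkit: it splits the host passwd home field
       on the last /./, looks the user up in the jail's own passwd file and
       derives the path the listed shell must have on the host. The two
       passwd lines are constructed from the examples in this page; the
       consistency warnings and the normalisation of the chroot path are this
       example's own additions, not documented jk_chrootsh behaviour.

```python
"""Worked example of the home-directory convention described above. This is
added illustration code, not Jailkit's own source: it splits a host
/etc/passwd home field on its last "/./" into the chroot directory and the
in-jail home, then looks the user up in the jail's own /etc/passwd to find
the shell that would actually be executed."""
from __future__ import annotations

import os
from typing import NamedTuple

MARKER = "/./"


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one passwd(5) line: name:passwd:uid:gid:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    name, _pw, uid, gid, _gecos, home, shell = fields
    return PasswdEntry(name, int(uid), int(gid), home, shell)


def split_chroot_home(home: str) -> tuple[str, str]:
    """Split the home field on the LAST "/./" occurrence.

    Everything before it is the directory to chroot(2) into; the in-jail
    home keeps the trailing "/" of the marker so it stays absolute.
    Rejecting a missing marker or a non-absolute chroot path is this
    example's choice; the man page only says the marker is required.
    """
    idx = home.rfind(MARKER)
    if idx < 0:
        raise ValueError(f"no {MARKER!r} in home directory {home!r}")
    jail_root, injail_home = home[:idx], home[idx + len(MARKER) - 1:]
    if not jail_root.startswith("/"):
        raise ValueError(f"chroot directory {jail_root!r} is not absolute")
    return os.path.normpath(jail_root), injail_home


def lookup_injail(injail_passwd: str, name: str) -> PasswdEntry:
    """Find the user's entry in the jail's /etc/passwd (given as text here)."""
    for line in injail_passwd.splitlines():
        if line and not line.startswith("#"):
            entry = parse_passwd_line(line)
            if entry.name == name:
                return entry
    raise LookupError(f"{name!r} is missing from the jail's /etc/passwd")


def resolve(host_line: str, injail_passwd: str) -> dict:
    """Combine both files as the man page describes and flag mismatches."""
    host = parse_passwd_line(host_line)
    jail_root, injail_home = split_chroot_home(host.home)
    jailed = lookup_injail(injail_passwd, host.name)
    warnings = []
    if (jailed.uid, jailed.gid) != (host.uid, host.gid):
        warnings.append("uid/gid differ between host and jail passwd")
    if jailed.home != injail_home:
        warnings.append(f"jail passwd home {jailed.home!r} != {injail_home!r}")
    return {
        "chroot": jail_root,
        "home": injail_home,
        "shell": jailed.shell,
        # where that shell must exist on the host for the jail to work
        "shell_on_host": os.path.join(jail_root, jailed.shell.lstrip("/")),
        "warnings": warnings,
    }


# Constructed sample input mirroring the two lines quoted in the man page.
HOST_LINE = "test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh"
INJAIL_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "test:x:10000:10000::/home/test:/usr/sbin/jk_lsh\n"
)

if __name__ == "__main__":
    for key, value in resolve(HOST_LINE, INJAIL_PASSWD).items():
        print(f"{key:14} {value}")
```

       The shell_on_host value is the path to check when a login fails with
       "no such file" inside the jail: the shell and its libraries have to be
       present below the chroot directory, not only on the host.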

       jk_chrootsh needs elevated privileges to make the chroot(2) system
       call. Therefore it is setuid root. It drops its root privileges
       immediately after making the chroot() system call. Since Jailkit 2.8
       jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems that
       support capabilities, in which case the setuid bit can be removed.

       By default jk_chrootsh does not copy any environment variables into
       the jail. For some functionality, however, environment variables need
       to be copied (e.g. the TERM variable for a functional terminal
       emulation, or the DISPLAY variable for X forwarding). The required
       environment variables can be listed per user or per group in
       /etc/jailkit/jk_chrootsh.ini. An example config file is shown below.
       In the example, user bill gets the DISPLAY variable, and all users in
       group jail get the TERM and PATH variables.

       By default jk_chrootsh requires the home directory to be owned by the
       user, to have the user's primary group as its group, and to be
       non-writable for group and others. You can relax each of these
       requirements separately in the config file, as shown below.

       [DEFAULT]
       relax_home_group=1

       [bill]
       env= DISPLAY
       relax_home_owner=1
       relax_home_group_permissions=1
       relax_home_other_permissions=1

       [group jail]
       env = TERM, PATH
       injail_login_shell=1

       If user bill is in group jail, he will nevertheless not get the TERM
       variable in the above example, and no user with primary group jail
       gets relaxed requirements for the ownership and permissions of the
       home directory: only one section ever applies. The user section is
       checked first; only if no user section is found is the section for the
       primary group looked for, and only if no group section is found is the
       DEFAULT section used.

       Normally jk_chrootsh passes all arguments it is called with on to the
       shell in the jail. Setting injail_login_shell=1 in the config file
       makes jk_chrootsh call the shell inside the jail with the single
       argument --login instead.

       jk_chrootsh can be configured not to read the final shell from the
       /etc/passwd file in the jail, but to use a shell named in the config
       file instead. An example config file is shown below.

       [group jail2]
       skip_injail_passwd_check=1
       injail_shell=/bin/bash
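       The configuration rules from the preceding paragraphs, modelled in
       code. This is an added example and not Jailkit's own source: it
       implements the section lookup (user, then "group <primary group>",
       then DEFAULT, with only that one section read), the env allow-list,
       the home-directory requirements with their relax_* switches, the
       injail_login_shell argument rule, and the skip_injail_passwd_check /
       injail_shell override. The ini text is constructed from the two
       example files in this page; treating only the value 1 as "set" and the
       wording of the check messages are this example's choices.

```python
"""Worked example of the jk_chrootsh.ini lookup described above. This is
added illustration code, not Jailkit's own source."""
from __future__ import annotations

import configparser
import stat
from typing import Optional

# Constructed config text combining the man page's two example files.
SAMPLE_INI = """\
[DEFAULT]
relax_home_group=1

[bill]
env= DISPLAY
relax_home_owner=1
relax_home_group_permissions=1
relax_home_other_permissions=1

[group jail]
env = TERM, PATH
injail_login_shell=1

[group jail2]
skip_injail_passwd_check=1
injail_shell=/bin/bash
"""


def load_ini(text: str) -> configparser.ConfigParser:
    # Rename configparser's magic default section so that "[DEFAULT]" is an
    # ordinary section: the man page says it is used only when no user or
    # group section matches, not merged into every other section.
    cfg = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cfg.read_string(text)
    return cfg


def pick_section(cfg, user: str, primary_group: str) -> Optional[str]:
    """Exactly one section applies; the first match in this order wins."""
    for name in (user, f"group {primary_group}", "DEFAULT"):
        if cfg.has_section(name):
            return name
    return None


def options(cfg, user: str, primary_group: str) -> dict[str, str]:
    """Options of the single applicable section ({} if there is none)."""
    section = pick_section(cfg, user, primary_group)
    return dict(cfg.items(section)) if section else {}


def flag(opts: dict[str, str], key: str) -> bool:
    # The man page's examples use "=1"; accepting only "1" is this example's choice.
    return opts.get(key, "0").strip() == "1"


def env_allowlist(opts: dict[str, str]) -> list[str]:
    return [v.strip() for v in opts.get("env", "").split(",") if v.strip()]


def filter_env(environ: dict[str, str], allowed: list[str]) -> dict[str, str]:
    """Nothing is copied unless listed, so e.g. LD_PRELOAD never crosses."""
    return {k: environ[k] for k in allowed if k in environ}


def home_dir_problems(st_uid: int, st_gid: int, st_mode: int,
                      uid: int, gid: int, opts: dict[str, str]) -> list[str]:
    """Unmet home-directory requirements (empty list means ok). st_* come
    from stat(2) on the home directory; uid/gid are the user's own."""
    problems = []
    if st_uid != uid and not flag(opts, "relax_home_owner"):
        problems.append("home not owned by user")
    if st_gid != gid and not flag(opts, "relax_home_group"):
        problems.append("home group is not the user's primary group")
    if st_mode & stat.S_IWGRP and not flag(opts, "relax_home_group_permissions"):
        problems.append("home is group-writable")
    if st_mode & stat.S_IWOTH and not flag(opts, "relax_home_other_permissions"):
        problems.append("home is world-writable")
    return problems


def injail_shell(opts: dict[str, str], passwd_shell: Optional[str]) -> str:
    """Shell from the jail's /etc/passwd unless the section skips that lookup."""
    if flag(opts, "skip_injail_passwd_check"):
        return opts["injail_shell"]
    if passwd_shell is None:
        raise LookupError("user has no entry in the jail's /etc/passwd")
    return passwd_shell


def shell_argv(shell: str, argv: list[str], opts: dict[str, str]) -> list[str]:
    """Arguments pass through, except with injail_login_shell=1."""
    return [shell, "--login"] if flag(opts, "injail_login_shell") else [shell, *argv]


def plan(cfg, user, primary_group, environ, passwd_shell, argv) -> dict:
    opts = options(cfg, user, primary_group)
    return {
        "section": pick_section(cfg, user, primary_group),
        "env": filter_env(environ, env_allowlist(opts)),
        "argv": shell_argv(injail_shell(opts, passwd_shell), argv, opts),
    }


if __name__ == "__main__":
    cfg = load_ini(SAMPLE_INI)
    env = {"TERM": "xterm", "PATH": "/usr/bin", "DISPLAY": ":0", "LD_PRELOAD": "/tmp/x.so"}
    for user, group in (("bill", "jail"), ("carol", "jail"), ("dave", "users")):
        print(user, plan(cfg, user, group, env, "/usr/sbin/jk_lsh", ["-c", "id"]))
```

       Running it shows the point the text makes: bill, although in group
       jail, gets only DISPLAY and keeps his arguments, while a user whose
       primary group is jail gets TERM and PATH, is started with --login, and
       does not inherit relax_home_group from the DEFAULT section.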

FILES
       /etc/passwd
       /etc/jailkit/jk_chrootsh.ini

DIAGNOSTICS
       jk_chrootsh logs everything to syslog; check the log files. Logging is
       sent to the LOG_AUTH facility with levels LOG_ERR and LOG_CRIT for
       critical errors, LOG_NOTICE for non-critical errors, and LOG_INFO for
       normal events. On most systems the command grep jk_ /var/log/* will
       give you the information you need.

       Commonly made mistakes are:

       forgetting to add the user to JAIL/etc/passwd or the group to
       JAIL/etc/group;

       forgetting to set the correct permissions on all files inside the
       jail, or forgetting files inside the jail (the shell itself, or any
       libraries used by the shell);

       referring to a file outside the chroot (e.g. a shell path in the
       jail's /etc/passwd that exists only on the host).

SEE ALSO
       jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_cp(8) jk_init(8)
       jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8)
       jk_uchroot(8) jk_update(8) chroot(2) syslogd(8)

COPYRIGHT
       Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
       2012, 2013, 2014, 2018 Olivier Sessink

       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

JAILKIT                           07-02-2010                   jk_chrootsh(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=jk_chrootsh&sektion=8&manpath=FreeBSD+Ports+15.0>