jk_chrootsh(8)jk_chrootshjk_chrootsh(8)NAMEjk_chrootsh - a shell that will put the user inside a changed root
SYNOPSISjk_chrootshDESCRIPTIONjk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or
your ldap store). That user will be put into a changed root. The direc‐
tory where to put the user in is read from the users home directory,
the last occurring /./ sequence is used to mark the location of the
changed root. An example line in /etc/passwd would look like
test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh
In this example the user will be chroot-ed into /home/testchroot
Inside the chroot-ed directory, it will look for /etc/passwd and it
will execute the shell for the user from that file. For the above exam‐
ple the /etc/passwd file inside the jail should have an entry like
test:x:10000:10000::/home/test:/usr/sbin/jk_lsh
Notice that the home directory and the shell are local inside the
chroot
jk_chrootsh needs certain elevated privileges to make the chroot(2)
system call. Therefore it is setuid root. It will drop its root priv‐
eleges immediately after making the chroot() system call. Since Jailkit
2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems
that support capabilities, and then the setuid bit can be removed.
By default jk_chrootsh does not copy any environment variables. For
some functionality, however, environment variables need to be copied
(e.g. the TERM variable for a functional terminal emulation, or the
DISPLAY variable for X forwarding). In /etc/jailkit/jk_chrootsh.ini the
required environment variables can be listed. An example config file is
shown below. In the example, user bill will get the DISPLAY variable,
and all users in group jail will get the TERM and PATH variables.
By default jk_chrootsh requires a home directory owned by the user with
the same group as the primary group from the user, and requires the
home directory to be non-writable for group and others. You can relax
these requirements in the configfile as shown below.
[DEFAULT]
relax_home_group=1
[bill]
env= DISPLAY
relax_home_owner=1
relax_home_group_permissions=1
relax_home_other_permissions=1
[group jail]
env = TERM, PATH
injail_login_shell=1
If user bill is in group jail, however, he will not get the TERM vari‐
able in the above example. Neither will any user with primary group
jail get relaxed requirements for the ownership and the permissions of
the home directory. First the user is checked, and only if no user sec‐
tion is found the primary group section is looked for, and if no group
section is found, the DEFAULT section is used.
Normally jk_chrootsh will pass all arguments it is called with to the
shell in the jail. You can force jk_chrootsh to call the shell inside
the jail with a single argument --logjn by setting injail_login_shell=1
in the config file.
jk_chrootsh can be configured not to read the final shell from the
/etc/passwd file in the jail. An example configfile is shown below.
[group jail2]
skip_injail_passwd_check=1
injail_shell=/bin/bash
FILES
/etc/passwd /etc/jailkit/jk_chrootsh.ini
DIAGNOSTICSjk_chrootsh logs everything to syslog, please check the log files. Log‐
ging is sent to the LOG_AUTH facility with levels LOG_ERR and LOG_CRIT
for critical errors, LOG_NOTICE for non-critical errors, and LOG_INFO
for normal events.
commonly made mistakes are:
forgetting to add the user to JAIL/etc/passwd or the group to
JAIL/etc/group
forgetting to have the correct permissions on all files inside the
jail, or forgetting files inside the jail (the shell itself, or any
libraries used by the shell)
referring to a file outside the chroot
SEE ALSOjailkit(8)jk_check(8)jk_chrootlaunch(8)jk_cp(8)jk_init(8)jk_jailuser(8)jk_list(8)jk_lsh(8)jk_procmailwrapper(8)jk_socketd(8)jk_uchroot(8)jk_update(8)chroot(2)syslogd(8)COPYRIGHT
Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
2012, 2013, 2014 Olivier Sessink
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.
JAILKIT 07-02-2010 jk_chrootsh(8)