jk_init(8)jk_initjk_init(8)NAMEjk_init - a utility to quicky create functional jail directories
SYNOPSISjk_init-j jail section
jk_init-v -f -k -j jail section
DESCRIPTION
It is not an easy task to setup a jail (a changed root) in a functional
way. If you want the user to be able to run cvs for example, it will
not work to simply copy the cvs binary into the users jail. You will
find that cvs needs libraries as well. cvs also needs the /dev/null
device. Finally you need something to start cvs: you need a shell too.
And the shell might need files like /etc/passwd and /etc/nsswitch.conf.
With jk_init you can automate these tasks. You can create a section in
the configfile /etc/jailkit/jk_init.ini that has all the files, direc‐
tories and devices, and you can use jk_init to setup such a jail with a
single command. The default configfile has examples for cvs, sftp, scp,
rsync and more for Debian and Ubuntu Linux. For other operating systems
the defaults might need some (minor) updates.
EXAMPLE
An example configfile section might look like this:
[jk_lsh]
comment = Jailkit limited shell
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
need_logsocket = 1
includesections = uidbasics
[sftp]
comment = ssh secure ftp with Jailkit limited shell
paths = /usr/lib/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
emptydirs = /svr
The comment entry specifies the comment that is shown if jk_init option
-l or --list is used. The paths entry specifies which files and direc‐
tories need to be copied into the jail. Executables and libraries are
checked for any required libraries, and these requirements are copied
too. All files are created with user root as owner. The paths_w_owner
entry specifies which paths need to be copied with their current owner‐
ship. This can be used to copy files that need to be writable by a
server process that does not run as user root (for example database
files). The users and groups entries specify which users and groups
that need to be present in <jail>/etc/passwd. If the need_logsocket
entry is set to "1" the jk_socketd.ini file is modified to include a
/dev/log socket in this jail. The devices entry specifies which devices
are required in the jail. The includesections entry specifies which
other sections need to be processed as well when processing the current
section. In the above example, the jk_lsh section is automatically
included if the sftp section is processed. Finally the emptydirs entry
specifies which directories to create as empty directories. This can be
useful to create for example mountpoints in the jail.
DEPRECATED CONFIGFILE ENTRIES
The entries executables , regularfiles , directories and libraries are
all replaced by the entry paths. They are still supported, but are
handled similar to the paths entry.
LIMITATIONS
Many unix like operating systems install files in different locations.
The defaulkt jk_init config file has defaults taken from Debian and
Ubuntu. The default config file may not work on other platforms. You
probably need to customise jk_init.ini for your platform and your
applications.
OPTIONS-f --force
Force overwriting of existing files
-v --verbose
Will give verbose output
-k --hardlink
Try to create hardlinks instead of copying the files
-c configfile --configfile=configfile
Use alternative configfile
-l --list
List available sections in the config file
-j --jail <jail>
Specify the jail directory to operate on.
-h --help
The help screen
FILES
/etc/jailkit/jk_init.ini
SEE ALSOjailkit(8)jk_check(8)jk_chrootlaunch(8)jk_chrootsh(8)jk_cp(8)jk_jailuser(8)jk_list(8)jk_lsh(8)jk_procmailwrapper(8)jk_socketd(8)jk_uchroot(8)jk_update(8)chroot(2)ldd(1)mknod(1)ln(1)chmod(1)mkdir(1)COPYRIGHT
Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier
Sessink
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.
JAILKIT 07-02-2010 jk_init(8)