Ubuntu Manpage: jk_chrootsh - a shell that will put the user inside a changed root

NAME

       jk_chrootsh - a shell that will put the user inside a changed root

SYNOPSIS

       jk_chrootsh

DESCRIPTION

jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or your ldap store).
That user will be put into a changed root. The directory where to put the user in is read
from the users home directory, the last occurring /./ sequence is used to mark the
location of the changed root. An example line in /etc/passwd would look like

test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh

In this example the user will be chroot-ed into /home/testchroot

Inside the chroot-ed directory, it will look for /etc/passwd and it will execute the shell
for the user from that file. For the above example the /etc/passwd file inside the jail
should have an entry like

test:x:10000:10000::/home/test:/usr/sbin/jk_lsh

Notice that the home directory and the shell are local inside the chroot

jk_chrootsh needs certain elevated privileges to make the chroot(2) system call. Therefore
it is setuid root. It will drop its root privileges immediately after making the chroot()
system call. Since Jailkit 2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on
systems that support capabilities, and then the setuid bit can be removed.

By default jk_chrootsh does not copy any environment variables. For some functionality,
however, environment variables need to be copied (e.g. the TERM variable for a functional
terminal emulation, or the DISPLAY variable for X forwarding). In
/etc/jailkit/jk_chrootsh.ini the required environment variables can be listed. An example
config file is shown below. In the example, user bill will get the DISPLAY variable, and
all users in group jail will get the TERM and PATH variables.

By default jk_chrootsh requires a home directory owned by the user with the same group as
the primary group from the user, and requires the home directory to be non-writable for
group and others. You can relax these requirements in the configfile as shown below.

[DEFAULT]
relax_home_group=1

[bill]
env= DISPLAY
relax_home_owner=1
relax_home_group_permissions=1
relax_home_other_permissions=1

[group jail]
env = TERM, PATH
injail_login_shell=1

If user bill is in group jail, however, he will not get the TERM variable in the above
example. Neither will any user with primary group jail get relaxed requirements for the
ownership and the permissions of the home directory. First the user is checked, and only
if no user section is found the primary group section is looked for, and if no group
section is found, the DEFAULT section is used.

Normally jk_chrootsh will pass all arguments it is called with to the shell in the jail.
You can force jk_chrootsh to call the shell inside the jail with a single argument --login
by setting injail_login_shell=1 in the config file.

jk_chrootsh can be configured not to read the final shell from the /etc/passwd file in the
jail. An example configfile is shown below.

[group jail2]
skip_injail_passwd_check=1
injail_shell=/bin/bash

FILES

       /etc/passwd /etc/jailkit/jk_chrootsh.ini

DIAGNOSTICS

       jk_chrootsh  logs everything to syslog, please check the log files. Logging is sent to the
       LOG_AUTH facility with levels LOG_ERR and LOG_CRIT for  critical  errors,  LOG_NOTICE  for
       non-critical errors,  and LOG_INFO for normal events. On most systems the command grep jk_
       /var/log/* will give you the information you need.

       commonly made mistakes are:

       forgetting to add the user to JAIL/etc/passwd or the group to JAIL/etc/group

       forgetting to have the correct permissions on all files inside  the  jail,  or  forgetting
       files inside the jail (the shell itself, or any libraries used by the shell)

       referring to a file outside the chroot

COPYRIGHT