plucky (8) jk_chrootlaunch.8.gz

Provided by: jailkit_2.23-2_amd64 bug

NAME

       jk_chrootlaunch  -  a launcher that can start a daemon in a jail, with a specified uid and
       gid

SYNOPSIS

       jk_chrootlaunch [-h] [-p pidfile ] [-u user]  [-g  group]  -j  jaildir  -x  executable  --
       [executable options]

       jk_chrootlaunch  [--help]  [--pidfile=  pidfile  ]  [--user  user]  [--group group] --jail
       jaildir --exec executable -- [executable options]

DESCRIPTION

       This launcher can be used to start some other process  inside  a  jail.  That  process  is
       typically  a daemon that cannot do chroot(2) itself. The process can optionally be started
       with a certain user ID or group ID. Optionally this utility can write a  pidfile  to  some
       location.

       This  utility  needs to make the chroot(2) call to jail the process, therefore it can only
       be started in a useful way by user root. Because you can break out of  a  jail  with  root
       privileges  it  is  recommended to start the daemon as some other user and group using the
       --user and --group options. If this  is  not  possible  because  that  daemon  needs  root
       privileges  as  well  (for example to open a port below 1024) the jail can perhaps delay a
       hacker, but it cannot prevent it.

       There are several daemons that should not be started by jk_chrootlaunch. All daemons  that
       do  a  chroot(2)  themselves  (for  example  jk_socketd,  postfix  and  openvpn) can do it
       themselves much better. Daemons that need access to files on the real system (for  example
       the  samba  smbd  daemon) can also not be jailed, unless you can move all those files into
       the jail and do not need them on the real system.

OPTIONS

       -j --jail
              the directory to jail the process in

       -u --user
              the name or uid of the user to start the process as

       -g --group
              the name or gid of the group to start the process as

       -x --exec
              the executable to start

       --     any options after the -- are passed to the executable

EXAMPLE

       Suppose you want to start Apache inside a jail. Apache needs root  privileges  because  it
       needs  to  open  TCP  port  80.  But after opening port 80 it will start subprocesses as a
       regular user (for example user www-data). Therefore the subprocesses cannot break  out  of
       the jail. Apache can also write it's own pidfile, so we also don't need that option.

       First  we  create  the jail using jk_init(8).  The apachectl program is a shell script, it
       also needs /bin/sh and /usr/bin/kill. We also have to  copy  these  into  the  jail  using
       jk_cp(8).  Apache also needs its modules from /usr/lib/apache, copy those as well. Then we
       can start Apache:

       jk_chrootlaunch -j /home/webjail -x /home/webjail/usr/sbin/apachectl -- start

       There are some smarter ways  to  do  this.  You  can  remove  the  /bin/sh  and  /bin/kill
       executables from the jail if you edit the apachectl script, and add jk_chrootlaunch to the
       script itself.

DIAGNOSTICS

       jk_chrootlaunch logs errors to syslog, so check  your  log  files.  On  most  systems  the
       command grep jk_ /var/log/* will give you the information you need.

SEE ALSO

       jailkit(8)    jk_check(8)    jk_chrootlaunch(8)    jk_chrootsh(8)    jk_cp(8)   jk_init(8)
       jk_jailuser(8)  jk_list(8)  jk_lsh(8)  jk_procmailwrapper(8)  jk_socketd(8)  jk_uchroot(8)
       jk_update(8) chroot(2)

       Copyright (C) 2003, 2004, 2005, 2006, 2007, 2018 Olivier Sessink

       Copying  and distribution of this file, with or without modification, are permitted in any
       medium without royalty provided the copyright notice and this notice are preserved.