Ubuntu Manpage: jk_chrootsh - a shell that will put the user inside a changed root

NAME

       jk_chrootsh - a shell that will put the user inside a changed root

SYNOPSIS

       jk_chrootsh

DESCRIPTION

jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or your ldap store). That user will be
put into a changed root. The directory where to put the user in is read from the users home directory,
the last occurring /./ sequence is used to mark the location of the changed root. An example line in
/etc/passwd would look like

test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh

In this example the user will be chroot-ed into /home/testchroot

Inside the chroot-ed directory, it will look for /etc/passwd and it will execute the shell for the user
from that file. For the above example the /etc/passwd file inside the jail should have an entry like

test:x:10000:10000::/home/test:/usr/sbin/jk_lsh

Notice that the home directory and the shell are local inside the chroot

jk_chrootsh needs certain elevated privileges to make the chroot(2) system call. Therefore it is setuid
root. It will drop its root privileges immediately after making the chroot() system call. Since Jailkit
2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems that support capabilities, and then
the setuid bit can be removed.

By default jk_chrootsh does not copy any environment variables. For some functionality, however,
environment variables need to be copied (e.g. the TERM variable for a functional terminal emulation, or
the DISPLAY variable for X forwarding). In /etc/jailkit/jk_chrootsh.ini the required environment
variables can be listed. An example config file is shown below. In the example, user bill will get the
DISPLAY variable, and all users in group jail will get the TERM and PATH variables.

By default jk_chrootsh requires a home directory owned by the user with the same group as the primary
group from the user, and requires the home directory to be non-writable for group and others. You can
relax these requirements in the configfile as shown below.

[DEFAULT]
relax_home_group=1

[bill]
env= DISPLAY
relax_home_owner=1
relax_home_group_permissions=1
relax_home_other_permissions=1

[group jail]
env = TERM, PATH
injail_login_shell=1

If user bill is in group jail, however, he will not get the TERM variable in the above example. Neither
will any user with primary group jail get relaxed requirements for the ownership and the permissions of
the home directory. First the user is checked, and only if no user section is found the primary group
section is looked for, and if no group section is found, the DEFAULT section is used.

Normally jk_chrootsh will pass all arguments it is called with to the shell in the jail. You can force
jk_chrootsh to call the shell inside the jail with a single argument --login by setting
injail_login_shell=1 in the config file.

jk_chrootsh can be configured not to read the final shell from the /etc/passwd file in the jail. An
example configfile is shown below.

[group jail2]
skip_injail_passwd_check=1
injail_shell=/bin/bash

FILES

       /etc/passwd /etc/jailkit/jk_chrootsh.ini

DIAGNOSTICS

       jk_chrootsh logs everything to syslog, please check the log  files.  Logging  is  sent  to  the  LOG_AUTH
       facility  with  levels LOG_ERR and LOG_CRIT for critical errors, LOG_NOTICE for non-critical errors,  and
       LOG_INFO for normal events. On most systems the command grep jk_ /var/log/* will give you the information
       you need.

       commonly made mistakes are:

       forgetting to add the user to JAIL/etc/passwd or the group to JAIL/etc/group

       forgetting to have the correct permissions on all files inside the jail, or forgetting files  inside  the
       jail (the shell itself, or any libraries used by the shell)

       referring to a file outside the chroot

COPYRIGHT