Provided by: jailkit_2.23-2_amd64

NAME

       jk_socketd - a daemon to create a rate-limited /dev/log socket inside a chroot

SYNOPSIS

       jk_socketd

       jk_socketd -p pidfile -n

       jk_socketd --pidfile=pidfile --nodetach

DESCRIPTION

       The jailkit socket daemon creates a rate-limited /dev/log socket inside a jail according to
       /etc/jailkit/jk_socketd.ini and eventually writes all data to syslog using the real /dev/log. Programs
       like jk_lsh and also many daemons need a /dev/log socket to do logging to syslog.

       jk_socketd is an alternative to having syslog create /dev/log inside the jail (see your syslog manual
       for how to accomplish this). However, if you are worried about an attacker disrupting normal system
       operation by filling your logs, you should use jk_socketd. jk_socketd can limit the number of bytes
       written through the socket. If the logging is limited by jk_socketd, processes that run inside the jail
       will be slowed down if they try to use the logging service. If you expect a high logging rate in a jail,
       it is recommended to use syslog to create the socket in the jail instead of jk_socketd.

       On (Open)Solaris /dev/log is not a socket and therefore jk_socketd will not  function.  On  (Open)Solaris
       you should create the devices /dev/log and /dev/conslog in the jail to enable logging inside the jail.

       The rate limiting is done based on three parameters, the base, the peak and the interval. The interval is
       the  number of seconds that jk_socketd will use to count up to the number of bytes. The base and peak are
       both a number in bytes.

       A socket is normally only allowed to have base bytes going through per interval seconds. Only if the
       number of bytes in the previous interval was lower than base is peak number of bytes allowed. So a
       peak can only happen if the previous interval has been lower than base.

       The config file consists of several entries where each entry looks like this:

       [/home/testchroot/dev/log]
       base = 512
       peak = 2048
       interval = 5.0

       The title of the section is the socket to be created. The directory to create the socket in should exist.
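
       An added example, not part of jailkit or of this manual page: a small model of the base/peak rule
       described above, run with the values from the sample entry. It assumes bytes over the limit are held
       back rather than dropped and that the interval before the first one counts as quiet; simulate and
       ceiling_per_day are hypothetical names.

```python
# Added example: a model of the base/peak/interval rule as this page states it.
# It is not jailkit source code. Assumptions: bytes over the limit are held back
# (the writer is slowed down) rather than dropped, and the interval before the
# first one counts as quiet.

def simulate(demand, base=512, peak=2048):
    """demand[i] = bytes jailed processes try to log in interval i.
    Returns one (limit, passed, backlog) tuple per interval."""
    rows = []
    backlog = 0
    prev_passed = 0
    for want in demand:
        # Peak is only granted after an interval that stayed below base.
        limit = peak if prev_passed < base else base
        pending = backlog + want
        passed = min(pending, limit)
        backlog = pending - passed
        rows.append((limit, passed, backlog))
        prev_passed = passed
    return rows


def ceiling_per_day(base=512, peak=2048, interval=5.0):
    """Upper bound on bytes/day one socket can pass under this rule (peak > base):
    the most permissive pattern alternates base-1 bytes and peak bytes."""
    return int((peak + base - 1) / 2 * 86400 / interval)


if __name__ == "__main__":
    # Constructed demand: one quiet interval, then a sustained flood.
    flood = [100, 3000, 3000, 3000, 3000]
    for i, (limit, passed, backlog) in enumerate(simulate(flood)):
        print(f"interval {i}: limit={limit:4d} passed={passed:4d} backlog={backlog}")
    print("ceiling bytes/day:", ceiling_per_day())
```

       In this model a sustained flood settles at base bytes per interval, while a source that alternates
       quiet and busy intervals can pass roughly (base + peak) / 2 per interval, which is the figure to size
       log storage against.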

   Security
       The jailkit socket daemon will change to user nobody and will chroot() into an empty dir once all sockets
       are opened. If the /dev/log socket is closed by the syslog daemon  (for  example  during  log  rotation),
       jk_socketd needs a restart to open it again.

OPTIONS

       -n --nodetach
              do not detach from the terminal and print debugging output

       -p pidfile --pidfile=pidfile
              write PID to pidfile

       -h --help
              show help screen

       --socket=/path/to/socket
              do not read ini file, create specific socket

       --base=integer
              message rate limit (in bytes) per interval for socket specified by --socket

       --peak=integer
              message rate limit peak (in bytes) for socket specified by --socket

       --interval=float
              message rate limit interval in seconds for socket specified by --socket

FILES

       /etc/jailkit/jk_socketd.ini

DIAGNOSTICS

       jk_socketd logs errors to syslog, so check your log files.

       Otherwise, run jk_socketd -n: it will not detach from the terminal, and it will print some debugging
       output.

SEE ALSO

       jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8)  jk_init(8)  jk_jailuser(8)  jk_list(8)
       jk_lsh(8) jk_procmailwrapper(8) jk_uchroot(8) jk_update(8) chroot(2) syslogd(8)

COPYRIGHT

       Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Olivier Sessink

       Copying  and distribution of this file, with or without modification, are permitted in any medium without
       royalty provided the copyright notice and this notice are preserved.

JAILKIT                                            02-08-2012                                      jk_socketd(8)