Gentoo Wiki


This article is part of the HOWTO series.



Jailkit is a set of utilities to limit user accounts to specific files using chroot() and/or to specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier using these utilities.

Jailkit is often used on CVS servers (in a chroot and limited to cvs), sftp/scp servers (both in a chroot and limited to sftp/scp as well as not in a chroot but only limited to sftp/scp), and also on general servers with accounts where the shell accounts are in a chroot. Jailkit is furthermore used to jail daemon processes, for example apache servers, bzflag servers, squid proxy servers, etc.

The jk_chrootsh tool is similar to app-misc/jail, but Jailkit has several more tools to build chroot jails, check chroot jails, and deploy chroot jails.

Step by step howto

Author's note

I just built an ebuild. Firstly, I wanted to test the program; secondly, I wanted to train my ebuild writing skills. --the_mgt 17:43, 18 September 2005 (GMT)

Note: I do not maintain this software nor did I test it. I just built an ebuild which is able to install the software. That's all for the moment.
Note: The software is confirmed to work well, the ebuild is also confirmed.

The ebuild

It installed on two systems (pentium-m, c3) flawlessly.

On the 'pentium.m' it compiled with: "-O3 -march=pentium3 -mcpu=i686 -pipe -mmmx -fomit-frame-pointer -ftracer -ffast-math -fno-guess-branch-probability -fcse-skip-blocks -fcaller-saves -fforce-mem -fsched-interblock -mieee-fp -fno-math-errno -funsafe-math-optimizations -fno-trapping-math -ffinite-math-only"

Just for added info, I got it compiled on an AMD Duron with the following flags: CHOST="i686-pc-linux-gnu" CFLAGS="-march=athlon-tbird -O2 -pipe -fomit-frame-pointer" CXXFLAGS="${CFLAGS}" --ecosta 09:36, 12 February 2006 (GMT)

It compiles with and without 'procmail' installed. I only took care of the ebuild functionality, I will test the rest.

This is the ebuild:

File: /usr/portage/app-misc/jailkit/jailkit-2.0.ebuild
inherit eutils
DESCRIPTION="This Ebuild will install the Jailkit, which will allow to easily put programs and users in a chrooted environment"


src_compile() {
        ### fixing some paths to fit the sandbox conditions, otherwise it tries to install in /
        sed 's:${iniprefix}:${iniprefix}/jailkit/:' < ${S}/ > ${S}/Makefile.in_tmp
        sed 's:if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then:if ! grep ${prefix}/sbin/jk_chrootsh ${iniprefix}/shells ; then:' < ${S}/Makefile.in_tmp > ${S}/
        sed 's:echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;:echo /usr/sbin/jk_chrootsh >> ${iniprefix}/shells ;:' < ${S}/ > ${S}/Makefile.in_tmp
        cp ${S}/Makefile.in_tmp ${S}/ && rm ${S}/Makefile.in_tmp

        ### fixing issues with wrong python path of the sandbox
        sed 's;sed -e "s!LIBDIR='\''\[a-z/]\*'\''!LIBDIR='\''\${PYLIBDIR}'\''!" -e "s:#!/usr/bin/python:#!$(PYTHONPATH):" <;cp;' < ${S}/py/ > ${S}/py/Makefile.in_tmp
        sed 's;>;;' < ${S}/py/Makefile.in_tmp > ${S}/py/ && rm ${S}/py/Makefile.in_tmp && rm ${S}/py/Makefile.in_tmp

        econf || die "econf failed"
        emake || die "make failed"
}

src_install() {
        make \
                prefix=${D}/usr \
                iniprefix=${D}/etc \
                mandir=${D}/usr/share/man \
                infodir=${D}/usr/share/info \
                libdir=${D}/usr/$(get_libdir) \
                install || die "Install failed"
}

pkg_postinst() {
        einfo "Use at your own risk, don't file bugreports to gentoo!"
        einfo "The author of this ebuild does not maintain this software!"
        einfo "contact the user list"
        einfo "or the dev list"
}

How to install

Add PORTDIR_OVERLAY="/usr/local/portage" to your /etc/make.conf (if you haven't already). Execute mkdir /usr/local/portage/app-misc/jailkit/ -p, and then copy the ebuild text into a file called "jailkit-2.0.ebuild" in the created directory. Then generate the digest and emerge the package:

ebuild /usr/local/portage/app-misc/jailkit/jailkit-2.0.ebuild digest
ACCEPT_KEYWORDS="~x86" emerge jailkit

If it works and you want to keep it, add "app-misc/jailkit" to your package.keywords file:

echo "app-misc/jailkit ~x86" >> /etc/portage/package.keywords


For usage documentation, look at the program's homepage, which has many examples online. The Jailkit-users mailing list archives are also a very good source of information.

Update: In fact you can find basic setup here:

I just noticed one bug that I had at least... after I added a user, sftp doesn't work for him. I found a solution in one of the forums:

At first, ssh worked fine for jailed users, but sftp and scp did not. To get sftp to work, I needed to add /dev/null to the chrooted environment. I edited the sftp section in /etc/jailkit/jk_init.ini to look like this:

[sftp]
comment = ssh secure ftp
executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null

Then I ran

jk_init -v /home/jail sftp

And it works now =)
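An added example (not part of the original page and not Jailkit's own code): a Python check that reads a jk_init.ini-style file, follows includesections, and lists the sections that copy sftp-server into a jail without creating /dev/null. The sample file is constructed; the section names sftp_before, devnull and sftp_via_include are hypothetical, as is the assumption that the unedited section listed only /dev/urandom.

```python
import configparser
# Constructed sample in jk_init.ini syntax. [sftp] mirrors the edited section
# on this page; [sftp_before], [devnull], [sftp_via_include] are hypothetical.
SAMPLE_INI = """
[netbasics]
[uidbasics]

[sftp_before]
executables = /usr/lib/sftp-server, /usr/lib/misc/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom

[sftp]
executables = /usr/lib/sftp-server, /usr/lib/misc/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null

[devnull]
devices = /dev/null
[sftp_via_include]
executables = /usr/libexec/openssh/sftp-server
includesections = devnull
"""

def split_items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def resolve_devices(cfg, section, seen=None):
    """Devices a section creates, following includesections (cycle-safe)."""
    seen = set() if seen is None else seen
    if section in seen or not cfg.has_section(section):
        return set()
    seen.add(section)
    devices = set(split_items(cfg.get(section, "devices", fallback="")))
    for inc in split_items(cfg.get(section, "includesections", fallback="")):
        devices |= resolve_devices(cfg, inc, seen)
    return devices

def sections_missing_device(ini_text, binary="sftp-server", device="/dev/null"):
    """Sections that copy `binary` into the jail but never create `device`."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return [name for name in cfg.sections()
            if any(e.endswith("/" + binary)
                   for e in split_items(cfg.get(name, "executables", fallback="")))
            and device not in resolve_devices(cfg, name)]

if __name__ == "__main__":
    print(sections_missing_device(SAMPLE_INI))
```

To audit a real configuration, pass the contents of /etc/jailkit/jk_init.ini as ini_text before running jk_init.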



Last modified: Fri, 05 Sep 2008 10:26:00 +0000