Gentoo Wiki

HOWTO_JailKit


This article is part of the HOWTO series.


About

Jailkit is a set of utilities to confine user accounts to a specific set of files using chroot() and/or to a specific set of commands. Setting up a chroot shell, a shell restricted to particular commands, or a daemon inside a chroot jail is a lot easier with these utilities.

Jailkit is often used on CVS servers (in a chroot and limited to cvs), on sftp/scp servers (either chrooted and limited to sftp/scp, or not chrooted but still limited to sftp/scp), and on general servers where the shell accounts live in a chroot. Jailkit is also used to jail daemon processes, for example apache, bzflag and squid proxy servers.

The jk_chrootsh tool is similar to app-misc/jail, but Jailkit ships several more tools to build, check and deploy chroot jails.

Step by step howto

Authors note

I just built an ebuild. Firstly, I wanted to test the program; secondly, I wanted to train my ebuild-writing skills. --the_mgt 17:43, 18 September 2005 (GMT)

Note: I do not maintain this software nor did I test it. I just built an ebuild which is able to install the software. That's all for the moment.
Note: The software is confirmed to work well; the ebuild is also confirmed.

The ebuild

It installed on two systems (pentium-m, c3) flawlessly.

On the pentium-m it compiled with: CFLAGS="-O3 -march=pentium3 -mcpu=i686 -pipe -mmmx -fomit-frame-pointer -ftracer -ffast-math -fno-guess-branch-probability -fcse-skip-blocks -fcaller-saves -fforce-mem -fsched-interblock -mieee-fp -fno-math-errno -funsafe-math-optimizations -fno-trapping-math -ffinite-math-only"

Just for added info, I got it compiled on an AMD Duron with the following flags: CHOST="i686-pc-linux-gnu" CFLAGS="-march=athlon-tbird -O2 -pipe -fomit-frame-pointer" CXXFLAGS="${CFLAGS}" --ecosta 09:36, 12 February 2006 (GMT)

It compiles with and without 'procmail' installed. I only took care of the ebuild functionality; I will test the rest.

This is the ebuild:

File: /usr/local/portage/app-misc/jailkit/jailkit-2.0.ebuild
inherit eutils multilib

DESCRIPTION="Jailkit: utilities to put programs and users in a chrooted environment (jk_chrootsh, jk_init, jk_check, ...)"
HOMEPAGE="http://olivier.sessink.nl/jailkit/"
SRC_URI="http://olivier.sessink.nl/jailkit/${P}.tar.bz2"
LICENSE="BSD"
SLOT="0"
KEYWORDS="~x86"
IUSE=""
DEPEND=""
RDEPEND="sys-libs/glibc
        >=dev-lang/python-2.0"

S=${WORKDIR}/${P}

src_compile() {
        # The upstream Makefile installs the ini files directly into ${iniprefix}
        # and appends jk_chrootsh to the live /etc/shells. Both escape the Portage
        # sandbox and try to write to /, so redirect them to ${iniprefix}/jailkit/
        # and ${iniprefix}/shells (src_install points ${iniprefix} at ${D}/etc).
        sed -i \
                -e 's:${iniprefix}:${iniprefix}/jailkit/:' \
                -e 's:if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then:if ! grep ${prefix}/sbin/jk_chrootsh ${iniprefix}/shells ; then:' \
                -e 's:echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;:echo /usr/sbin/jk_chrootsh >> ${iniprefix}/shells ;:' \
                "${S}"/Makefile.in || die "sed on Makefile.in failed"

        # py/Makefile.in pipes every python script through sed to rewrite LIBDIR
        # and the #!python line with the build host's python path, which is wrong
        # inside the sandbox. Replace that pipeline with a plain cp and drop the
        # now-dangling output redirection.
        sed -i \
                -e 's;sed -e "s!LIBDIR='\''\[a-z/]\*'\''!LIBDIR='\''\${PYLIBDIR}'\''!" -e "s:#!/usr/bin/python:#!$(PYTHONPATH):" <;cp;' \
                -e 's;>;;' \
                "${S}"/py/Makefile.in || die "sed on py/Makefile.in failed"

        econf || die "econf failed"
        emake || die "emake failed"
}

src_install() {
        make \
                prefix="${D}"/usr \
                iniprefix="${D}"/etc \
                mandir="${D}"/usr/share/man \
                infodir="${D}"/usr/share/info \
                libdir="${D}"/usr/$(get_libdir) \
                install || die "install failed"
}

pkg_postinst() {
        einfo
        einfo "Use at your own risk; do not file bug reports with Gentoo!"
        einfo "The author of this ebuild does not maintain this software."
        einfo "Contact the user list http://lists.nongnu.org/mailman/listinfo/jailkit-users"
        einfo "or the dev list http://lists.nongnu.org/mailman/listinfo/jailkit-dev"
        einfo
}

How to install

Add PORTDIR_OVERLAY="/usr/local/portage" to your /etc/make.conf (if you haven't already). Run mkdir -p /usr/local/portage/app-misc/jailkit/ and copy the ebuild text into a file called "jailkit-2.0.ebuild" in that directory, then:

ebuild /usr/local/portage/app-misc/jailkit/jailkit-2.0.ebuild digest
ACCEPT_KEYWORDS="~x86" emerge jailkit

If it works and you want to keep it, add "app-misc/jailkit" to your package.keywords file:

echo "app-misc/jailkit ~x86" >> /etc/portage/package.keywords

Afterwards check that /usr/sbin/jk_chrootsh is listed in /etc/shells: the upstream Makefile appends it, but the ebuild redirects that edit into the build image, so it may not have reached the live file. Without that entry, tools that consult /etc/shells will refuse the jailed users' login shell.

Usage

For usage documentation, see the program's homepage, which has many examples online. The jailkit-users mailing list archives are also a very good source of information.

Update: In fact, you can find a basic setup here: http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html

I just noticed one bug, at least one that I had: after I added a user, sftp didn't work for him. I found a solution in one of the forums:

At first, ssh worked fine for jailed users, but sftp and scp did not. To get sftp to work, I needed to add /dev/null to the chrooted environment. I edited the sftp section in /etc/jailkit/jk_init.ini to look like this:

[sftp]
comment = ssh secure ftp
executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null

Then I ran

jk_init -v /home/jail sftp

And it works now =)
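The fix above works because jk_init copies whatever the requested section of jk_init.ini lists, including everything pulled in through the sections named in includesections; a device the section does not name simply does not exist inside the jail. The script below is an added example, not code from this page or from Jailkit itself: it flattens a section the way jk_init resolves it and then reports which of the resulting device nodes are missing from a jail root (or exist but are not character devices), which is the state the sftp jail above was in before /dev/null was added. The embedded ini text is constructed for this example; the netbasics and uidbasics contents are stand-ins, not the real upstream sections.

```python
"""Flatten a jk_init.ini section and audit a jail root for its device nodes.

Added example for the Jailkit HOWTO; not part of Jailkit. Reads the jk_init.ini
layout (comma-separated `executables`, `paths`, `devices` lists and a recursive
`includesections` key) and reports device nodes absent from a jail.
"""
import configparser
import os
import stat

# Constructed sample ini. The [sftp] section matches the fix quoted above; the
# contents of [netbasics] and [uidbasics] are stand-ins for the example.
SAMPLE_INI = """\
[uidbasics]
comment = common files for all jails that need user/group information
paths = /lib/libnss_compat.so.2, /lib/libnss_files.so.2

[netbasics]
comment = common files for all jails that need any internet connectivity
paths = /lib/libnss_dns.so.2, /lib/libresolv.so.2

[sftp]
comment = ssh secure ftp
executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
"""

LIST_KEYS = ("executables", "paths", "devices")


def _split(value):
    """Split a comma-separated ini value into a list of non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_ini(text):
    """Parse jk_init.ini text; interpolation is off so '$' in values is literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def resolve_section(ini, name, _seen=None):
    """Return {'executables': [...], 'paths': [...], 'devices': [...]} for `name`.

    Included sections are resolved first (depth first, in the order listed),
    duplicates are dropped, and include cycles are ignored instead of recursing
    forever. Unknown sections raise KeyError.
    """
    seen = _seen if _seen is not None else set()
    result = {key: [] for key in LIST_KEYS}
    if name in seen:
        return result
    seen.add(name)
    if not ini.has_section(name):
        raise KeyError("jk_init.ini has no section [%s]" % name)
    section = ini[name]
    for included in _split(section.get("includesections", "")):
        sub = resolve_section(ini, included, seen)
        for key in LIST_KEYS:
            result[key].extend(x for x in sub[key] if x not in result[key])
    for key in LIST_KEYS:
        result[key].extend(x for x in _split(section.get(key, "")) if x not in result[key])
    return result


def missing_devices(jail_root, devices):
    """Devices that are absent from jail_root or are not character devices.

    Device paths are jail-relative: /dev/null is checked at <jail_root>/dev/null.
    A regular file at that path (a common mistake) is reported as missing too.
    """
    missing = []
    for dev in devices:
        target = os.path.join(jail_root, dev.lstrip("/"))
        try:
            st = os.stat(target)
        except FileNotFoundError:
            missing.append(dev)
            continue
        if not stat.S_ISCHR(st.st_mode):
            missing.append(dev)
    return missing


if __name__ == "__main__":
    import sys
    # Usage: python jk_audit.py [jail_root] [jk_init.ini] [section]
    jail_root = sys.argv[1] if len(sys.argv) > 1 else "/home/jail"
    ini_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_INI
    section = sys.argv[3] if len(sys.argv) > 3 else "sftp"
    wanted = resolve_section(load_ini(ini_text), section)
    for key in LIST_KEYS:
        print("%s: %s" % (key, ", ".join(wanted[key]) or "(none)"))
    for dev in missing_devices(jail_root, wanted["devices"]):
        print("MISSING or not a char device: %s%s" % (jail_root.rstrip("/"), dev))
```

Run it as root against the real files (python jk_audit.py /home/jail /etc/jailkit/jk_init.ini sftp) after editing jk_init.ini and before re-running jk_init: an sftp section that still lacks /dev/null shows up as a missing device in the jail rather than as an unexplained sftp failure.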


Retrieved from "http://www.gentoo-wiki.info/HOWTO_JailKit"

Last modified: Fri, 05 Sep 2008 10:26:00 +0000