Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.
Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.
03-01-2014: Jailkit 2.17 released. Jailkit 2.17 is a minor bugfix release. It fixes compiling with -lcap on RedHat Enterprise Linux, allows jk_chrootsh to be called -su, it improves argument handling and error messages, and makes jk_cp honor the -j option again.
18-04-2013: Jailkit 2.16 released. Jailkit 2.16 is a minor bugfix release. It fixes a compile problem with -lcap and -pthreads used simultaneous, it fixes the environment cleaning function, the defaults for jk_init.ini are improved for 64bit systems, and various error messages are improved.
07-06-2012: Jailkit 2.15 released. Jailkit 2.15 is a minor feature enhancement release. It handles symlinks for /bin /lib and /sbin now if they point into /usr (such as Fedora 17 has) and it uses -pthreads instead of -lpthreads if available such that it will compile on some modern Linux versions.
28-04-2011: Jailkit 2.14 released. Jailkit 2.14 fixes a infinite loop in jk_cp and jk_init if ldd output for some reason contains two slashes (//lib/libfoo.so). Furthermore, jk_chrootsh can now be called as 'su'.
10-10-2010: Jailkit 2.13 released. Jailkit 2.13 fixes a regression in the build system that could set the location of the configuration directory to the wrong path.
12-09-2010: Jailkit 2.12 released. Jailkit 2.12 is a minor feature update. Both jk_cp and jk_init can now resolve binaries using the PATH environment variable.
07-02-2010: Jailkit 2.11 released. Jailkit 2.11 is a minor update with mostly documentation updates, some minor Solaris specific updates and a fix for a possible failure of jk_lsh.
22-10-2009: Jailkit 2.10 released. The fixes from 2.9 caused an incompatibility with jk_jailuser which is fixed in this release. This release furthermore fixes some compiler warnings.
14-10-2009: Jailkit 2.9 released. This fixes symlink handling issues in previous versions, where symlinks in the jail that point to the real system caused jk_init and jk_cp to write to the real system instead of the jail. ISPConfig users detected a serious issue on 64bit Linux machines where files in the /lib64 directory could become overwritten.
20-08-2009: Jailkit 2.8 released. Jailkit 2.8 has some minor Solaris compatibility fixes and supports capabilities. On capability-enabled systems you no longer need the setuid root bit on jk_chrootsh and jk_uchroot.
05-04-2009: Jailkit 2.7 released. Jailkit 2.7 fixes a regression in Jailkit 2.6 that may hang jk_chrootsh and jk_uchroot in a certain situation with chroot'ed interactive shells.
31-03-2009: Jailkit 2.6 released. Jailkit 2.6 is a maintenance update with some small code cleanups and fixes for Solaris compatibility.
Download & requirements
The daemons and shells only need libc and posix threads (libpthreads), available on most Unix like systems. The install and check utilities are written in python, and therefore you need to have python installed. Older versions of jailkit required gnu libc, but from version 1.0 jailkit should not require a specific libc anymore. Jailkit is confirmed to work on Solaris, many Linux distributions, OpenBSD, FreeBSD and MacOSX.
The releases are signed with PGP key DAC576E6.
md5 sums for the stable releases:
b608f10537b3af285efb24acd4e2b6ec jailkit-2.17.tar.bz2 7b5a68abe89a65e0e29458cc1fd9ad0b jailkit-2.17.tar.gz
The latest development snapshot can always be downloaded from savannah.nongnu.org.
The jailkit man page provides a general overview of all utilities, the other man pages are specific for the executable.
Online man pages (the package may contain a more recent version):
- jailkit - general overview
- jk_chrootsh - chroot shell (similar to chrsh)
- jk_lsh - limited shell
- jk_socketd - secure logging
- jk_init - initialise a jail
- jk_cp - copy files and dependencies into a jail
- jk_update - update a jail
- jk_check - security test for a jail
- jk_list - list all jailed processes
- jk_chrootlaunch - chroot another daemon in a jail
- jk_procmailwrapper - jailed and non-jailed mail delivery
- jk_addjailuser - add a jailed user account
Contact & Support
Bugs reports can be sent to the mailinglist, or can be posted to the bug-tracker at savannah.