About Jailkit
Jailkit is a set of utilities to limit user accounts to specific files using chroot() and/or to specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.
Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.
News
07-02-2010: Jailkit 2.11 released. Jailkit 2.11 is a minor update with mostly documentation updates, some minor Solaris specific updates and a fix for a possible failure of jk_lsh.
22-10-2009: Jailkit 2.10 released. The fixes from 2.9 caused an incompatibility with jk_jailuser which is fixed in this release. This release furthermore fixes some compiler warnings.
14-10-2009: Jailkit 2.9 released. This fixes symlink handling issues in previous versions, where symlinks in the jail that point to the real system caused jk_init and jk_cp to write to the real system instead of the jail. ISPConfig users detected a serious issue on 64-bit Linux machines where files in the /lib64 directory could be overwritten.
20-08-2009: Jailkit 2.8 released. Jailkit 2.8 has some minor Solaris compatibility fixes and supports capabilities. On capability-enabled systems you no longer need the setuid root bit on jk_chrootsh and jk_uchroot.
05-04-2009: Jailkit 2.7 released. Jailkit 2.7 fixes a regression in Jailkit 2.6 that may hang jk_chrootsh and jk_uchroot in a certain situation with chroot'ed interactive shells.
31-03-2009: Jailkit 2.6 released. Jailkit 2.6 is a maintenance update with some small code cleanups and fixes for Solaris compatibility.
Download & requirements
The daemons and shells only need libc and POSIX threads (libpthreads), available on most Unix-like systems. The install and check utilities are written in Python, so you need to have Python installed. Older versions of Jailkit required GNU libc, but from version 1.0 Jailkit should no longer require a specific libc. Jailkit is confirmed to work on Solaris, many Linux distributions, OpenBSD, FreeBSD and Mac OS X.
The releases are signed with PGP key DAC576E6.
md5 sums for the stable releases:
- 263c6b7b86cf1323d69ca26b6b9f7556 jailkit-2.11.tar.bz2
- 94943356ac3bbf243fd045b34602cc22 jailkit-2.11.tar.gz
The latest development snapshot can always be downloaded from savannah.nongnu.org.
Documentation
The jailkit man page provides a general overview of all utilities; each of the other man pages is specific to one executable.
Online man pages (the package may contain a more recent version):
- jailkit - general overview
- jk_chrootsh - chroot shell (similar to chrsh)
- jk_lsh - limited shell
- jk_socketd - secure logging
- jk_init - initialise a jail
- jk_cp - copy files and dependencies into a jail
- jk_update - update a jail
- jk_check - security test for a jail
- jk_list - list all jailed processes
- jk_chrootlaunch - chroot another daemon in a jail
- jk_procmailwrapper - jailed and non-jailed mail delivery
- jk_addjailuser - add a jailed user account
Contact & Support
For support there are two mailing lists: jailkit-dev and jailkit-users. Both are open to subscribed users only, to avoid spam.
Bug reports can be sent to the mailing list or posted to the bug tracker at Savannah.