Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.
Jailkit is a specialized tool that is developed with a focus on security. It will abort in a secure way if the configuration, the system setup or the environment is not 100% secure, and it will send useful log messages that explain what is wrong to syslog.
Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.
29-9-2019: Jailkit 2.21 released. Jailkit 2.21 is a maintenance release that adds full python 3 compatibility. Also the long deprecated jk_addjailuser utility has been removed.
8-10-2018: Jailkit 2.20 released. Jailkit 2.20 is a minor maintenance release. It fixes jk_procmailwrapper functionality for users with a regular dot in their home directory, and improves jk_update and jk_cp for some corner cases.
18-11-2015: Jailkit 2.19 released. Jailkit 2.19 is a bugfix for 2.18, somehow a bug URL was pasted into the ini file location for jk_chtoosh.ini causing it not to find the ini file anymore. This is fixed and is the only change in 2.19.
04-11-2015: Jailkit 2.18 released. Jailkit 2.18 is a minor maintenance release. It fixes support for very high uid numbers, adds option injail_login_shell to jk_chrootsh and has some minor updated to jk_init.ini.
03-01-2014: Jailkit 2.17 released. Jailkit 2.17 is a minor bugfix release. It fixes compiling with -lcap on RedHat Enterprise Linux, allows jk_chrootsh to be called -su, it improves argument handling and error messages, and makes jk_cp honor the -j option again.
18-04-2013: Jailkit 2.16 released. Jailkit 2.16 is a minor bugfix release. It fixes a compile problem with -lcap and -pthreads used simultaneous, it fixes the environment cleaning function, the defaults for jk_init.ini are improved for 64bit systems, and various error messages are improved.
07-06-2012: Jailkit 2.15 released. Jailkit 2.15 is a minor feature enhancement release. It handles symlinks for /bin /lib and /sbin now if they point into /usr (such as Fedora 17 has) and it uses -pthreads instead of -lpthreads if available such that it will compile on some modern Linux versions.
28-04-2011: Jailkit 2.14 released. Jailkit 2.14 fixes a infinite loop in jk_cp and jk_init if ldd output for some reason contains two slashes (//lib/libfoo.so). Furthermore, jk_chrootsh can now be called as 'su'.
10-10-2010: Jailkit 2.13 released. Jailkit 2.13 fixes a regression in the build system that could set the location of the configuration directory to the wrong path.
12-09-2010: Jailkit 2.12 released. Jailkit 2.12 is a minor feature update. Both jk_cp and jk_init can now resolve binaries using the PATH environment variable.
07-02-2010: Jailkit 2.11 released. Jailkit 2.11 is a minor update with mostly documentation updates, some minor Solaris specific updates and a fix for a possible failure of jk_lsh.
22-10-2009: Jailkit 2.10 released. The fixes from 2.9 caused an incompatibility with jk_jailuser which is fixed in this release. This release furthermore fixes some compiler warnings.
14-10-2009: Jailkit 2.9 released. This fixes symlink handling issues in previous versions, where symlinks in the jail that point to the real system caused jk_init and jk_cp to write to the real system instead of the jail. ISPConfig users detected a serious issue on 64bit Linux machines where files in the /lib64 directory could become overwritten.
20-08-2009: Jailkit 2.8 released. Jailkit 2.8 has some minor Solaris compatibility fixes and supports capabilities. On capability-enabled systems you no longer need the setuid root bit on jk_chrootsh and jk_uchroot.
05-04-2009: Jailkit 2.7 released. Jailkit 2.7 fixes a regression in Jailkit 2.6 that may hang jk_chrootsh and jk_uchroot in a certain situation with chroot'ed interactive shells.
31-03-2009: Jailkit 2.6 released. Jailkit 2.6 is a maintenance update with some small code cleanups and fixes for Solaris compatibility.
Download & requirements
The daemons and shells only need libc and posix threads (libpthreads), available on most Unix like systems. The install and check utilities are written in python, and therefore you need to have python installed. Older versions of jailkit required gnu libc, but from version 1.0 jailkit should not require a specific libc anymore. Jailkit is confirmed to work on Solaris, many Linux distributions, OpenBSD, FreeBSD and MacOSX.
The old (<2.20) releases are signed with PGP key DAC576E6. I had some issues with my gpg key, 2.20 is signed with a different key. Releases 2.21 and further are signed with key 64979277BAFF2D4CB637AC3B291C63A6B78DFBA1.
- jailkit-2.21.tar.bz2 with PGP signature (signed dec 10 2019)
- jailkit-2.21.tar.gz with PGP signature (signed dec 10 2019)
sha256 sums for the stable releases:
a6bc1a713cd553c80ed7618398479513698f7e12fae019fbb60239f8b7290f7103b6ddd780252327e4382225e6a06add6e2d65dd96b80393aab623ce10637cf6 jailkit-2.21.tar.bz2 6ebdd5d2840d760840f4d279033e7484c50e21a083d69204e36b37e7743cbd6fed6e358a1083c8fc64dfb9f1173a4f14500e5d96925e94ba0231ce01eb47bd15 jailkit-2.21.tar.gz
md5 sums for the stable releases:
d61ea1788a8aa2bf7eeb812e1ac7d316 jailkit-2.21.tar.bz2 d316dc22b9f3ab7464c8bd73c2539304 jailkit-2.21.tar.gz
The latest development snapshot can always be downloaded from savannah.nongnu.org.
The jailkit man page provides a general overview of all utilities, the other man pages are specific for the executable.
Online man pages (the package may contain a more recent version):
- jailkit - general overview
- jk_chrootsh - chroot shell (similar to chrsh)
- jk_lsh - limited shell
- jk_socketd - secure logging
- jk_init - initialise a jail
- jk_cp - copy files and dependencies into a jail
- jk_update - update a jail
- jk_check - security test for a jail
- jk_list - list all jailed processes
- jk_chrootlaunch - chroot another daemon in a jail
- jk_procmailwrapper - jailed and non-jailed mail delivery
Contact & Support
Bugs reports can be sent to the mailinglist, or can be posted to the bug-tracker at savannah.