Jailkit is a set of utilities to enhance the possibilities of chroot jails. Jailkit contains a set of tools and config files to automate the deployment of chroot jails. Jailkit also contains various tools to limit user accounts to specific files or specific commands, configured from a config file. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.
Jailkit is a specialized set of tools that is developed with a focus on security. It will abort in a secure way if the configuration, the system setup or the environment is not 100% secure, and it will send useful log messages that explain what is wrong to syslog.
Jailkit is very stable software with a very stable and high quality codebase. It is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.
03-10-2021: Jailkit 2.23 released. Jailkit 2.23 is a minor maintenance release. jk_init has two fixes (failure to create the correct devices in a certain situation, and failure to copy all required libraries in a very specific situation). Also the man page locations are cleaned up.
28-4-2021: Jailkit 2.22 released. Jailkit 2.22 fixes a python3 compatibility problem in jk_update and adds logging when an invalid word expansion syntax is used. The defaults in jk_init.ini have been improved as well.
29-9-2019: Jailkit 2.21 released. Jailkit 2.21 is a maintenance release that adds full python 3 compatibility. Also the long deprecated jk_addjailuser utility has been removed.
Download & requirements
The daemons and shells only need libc and posix threads (libpthreads), available on most Unix like systems. The install and check utilities are written in python, and therefore you need to have python installed. Older versions of jailkit required gnu libc, but from version 1.0 jailkit should not require a specific libc anymore. Jailkit is confirmed to work on Solaris, many Linux distributions, OpenBSD, FreeBSD and MacOSX.
The old (<2.20) releases are signed with PGP key DAC576E6. I had some issues with my gpg key, 2.20 is signed with a different key. Releases 2.21 and further are signed with key 64979277BAFF2D4CB637AC3B291C63A6B78DFBA1.
- jailkit-2.23.tar.bz2 with PGP signature (signed oct 03 2021)
- jailkit-2.23.tar.gz with PGP signature (signed oct 03 2021)
sha256 sums for the stable releases:
aa27dc1b2dbbbfcec2b970731f44ced7079afc973dc066757cea1beb4e8ce59c jailkit-2.23.tar.bz2 490bbc2b955f0f03dc56789decd828287321b8ec234123cecf2fdf2aacce3f5a jailkit-2.23.tar.gz
md5 sums for the stable releases:
e2e95fce135cc7e83471ea683f22f3d9 jailkit-2.23.tar.bz2 c7018645430248613c6241bf529d95ef jailkit-2.23.tar.gz
The latest development snapshot can always be downloaded from savannah.nongnu.org.
The jailkit man page provides a general overview of all utilities, the other man pages are specific for the executable.
Online man pages (the package may contain a more recent version):
- jailkit - general overview
- jk_chrootsh - chroot shell (similar to chrsh)
- jk_lsh - limited shell
- jk_socketd - secure logging
- jk_init - initialise a jail
- jk_cp - copy files and dependencies into a jail
- jk_update - update a jail
- jk_check - security test for a jail
- jk_list - list all jailed processes
- jk_chrootlaunch - chroot another daemon in a jail
- jk_procmailwrapper - jailed and non-jailed mail delivery
Contact & Support
Bugs reports can be sent to the mailinglist, or can be posted to the bug-tracker at savannah.