Frequently asked questions

Have you checked the jailkit-users mailing list archive?

Error messages

When I try to start the jk_socketd daemon I get this log message: refusing to run without any sockets, aborting...

Did you specify any sockets for jk_socketd in /etc/jailkit/jk_socketd.ini?

When I try to log in I get the following in /var/log/messages: "jk_chrootsh[30084]: abort, path /XXX/XXX does not exist"

Does XXX exist inside the jail? Use jk_cp or jk_init to copy it into the jail.

When I try to log in I get the following in the logs: jk_chrootsh[7603]: WARNING: could not execute shell /XXX/XXX for user

What are the permissions of /XXX/XXX inside the jail? Do all the libraries for /XXX/XXX exist inside the jail? (On Linux you should include ld-linux.so.2, which should be executable!) If you have a normal user account on the same machine, try to start that executable without a jail. If that works, the differences must be in the libraries.

I got this message in my logs; how can I fix this? jk_lsh[5256]: regular shell access denied for user XXX

If you want to allow regular shell access, you should use something like bash as shell, and not jk_lsh. jk_lsh always denies regular shell access. jk_lsh should only be used if you want a cvs-only, rsync-only, sftp-only etc. account.

I get errors in the logs that user or group info is not available, but I am sure they are available in the jail/etc/passwd and jail/etc/group.

To access user and group information, programs in the jail need to have all libnss plugins. Check if /lib/libnss_* or /lib64/libnss* files are in the jail.

I get errors like /dev/null: Device not configured on OpenBSD?!
Sftp fails silently on OpenBSD?!

OpenBSD mounts most partitions (except for /) with option 'nodev'. Remove that option for the mount where your chroot jail resides.

On FreeBSD I get errors that libraries do not exist (/libexec/ld-elf.so.1: Shared object not found), but they are for sure in the jail!

The FreeBSD ldconfig utility does not have an option -r to create a library cache in the jail. You need to copy the library hints into the jail manually. For example: jk_cp -j /usr/home/jail/ /var/run/ld*

I followed the tutorial for sftp-only, but the connection for Windows users is immediately dropped.

Some sftp clients first try to get an interactive shell session, and start sftp from the interactive shell. Mostly this behavior is optional. For example with WinSCP you can choose between "SFTP" and "SFTP with SCP fallback". Use the SFTP option.

Creating a jail

I copied binary XXX to the jail but it doesn't work

Many programs require additional libraries, support files, other binaries etc. If you simply copy the binary in the jail this often will not work. Strategies to find the required files are: 1) take a look inside the package you used to install the program, does it include more files? 2) use ldd /path/to/binary to see all the required libraries. 3) use `locate programname` to see if there are other files and directories that might be related to your program. See HOWTO debug jails for more information.

jk_init outputs all kinds of "file does not exist" errors

The default configuration file jk_init.ini does have good defaults for Debian and Ubuntu, and does have some extra paths that are common in other operating systems. You have to tune the file for your operating system if you want to avoid these errors.

Can I run program XXX in a jail?

You can run most programs inside a jail, but see the previous question for common problems.

Symlinks in the jail do not work?

If the symlink contains an absolute path, for example /home/jail/var/tmp, it will not work for a jailed user. Because the jailed user has /home/jail as root, it means this symlink points to /home/jail/home/jail/var/tmp. The symlink should contain the path /var/tmp if you want it to point to /home/jail/var/tmp. Relative links do not have this problem.
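The symlink rule above can be checked across a whole jail. The following is an added example, not part of Jailkit: the function names and the sample jail layout are assumptions made for illustration, and paths are resolved lexically as a jailed user would see them.

```python
import os
import posixpath
import tempfile


def audit_jail_symlinks(jail_root):
    """Return (link, target, problem) for symlinks that break for a jailed user.

    Paths are resolved lexically, the way they look after chroot(jail_root);
    symlinks in intermediate directories are not followed.
    """
    jail_root = os.path.abspath(jail_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            target = os.readlink(full)
            inside = "/" + os.path.relpath(full, jail_root)  # path as the jailed user sees it
            if target == jail_root or target.startswith(jail_root + "/"):
                fix = target[len(jail_root):] or "/"
                findings.append((inside, target, "contains jail prefix, use " + fix))
                continue
            # normpath keeps ".." from climbing above "/", as inside a chroot
            seen = posixpath.normpath(posixpath.join(posixpath.dirname(inside), target))
            if not os.path.lexists(jail_root + seen):
                findings.append((inside, target, "dangling inside the jail"))
    return sorted(findings)


def build_sample_jail():
    """Constructed sample jail in a temp dir (not a real Jailkit jail)."""
    jail = tempfile.mkdtemp(prefix="jail-")
    os.makedirs(os.path.join(jail, "var", "tmp"))
    home = os.path.join(jail, "home", "user")
    os.makedirs(home)
    os.symlink(jail + "/var/tmp", os.path.join(home, "bad"))     # the mistake described above
    os.symlink("/var/tmp", os.path.join(home, "good"))           # absolute, relative to the jail root
    os.symlink("../../var/tmp", os.path.join(home, "relative"))  # relative link
    os.symlink("/usr/share/doc", os.path.join(home, "missing"))  # target never copied into the jail
    return jail


if __name__ == "__main__":
    for link, target, problem in audit_jail_symlinks(build_sample_jail()):
        print(f"{link} -> {target}: {problem}")
```

Run it against a real jail by passing its root directory (for example /home/jail) to audit_jail_symlinks.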

How do I give access to files outside the jail?

A jail is used to deny all access to files outside the jail, so this is by definition not possible. You should do the reverse: put files in the jail. For example, mount a filesystem twice (outside *and* inside the jail), or on linux-2.6 mount a directory (as opposed to a filesystem) inside the jail: mount /srv/data /srv/userjail/srv/data -o bind

Installing Jailkit

How do I install Jailkit?

  • Download the latest version
  • Unpack the sources
  • chdir to the top-level sources dir
  • Run './configure'
  • Run 'make'
  • Switch to root; run 'make install'