Jailkit howto - creating a regular shell in a chroot jail
Objectives
We want to create some accounts that can do most basic things with bash, but in a chroot jail.
Assumptions
Assume the account on machine shellserver is for user jane, with group jane, and the jail is /home/jail. We also have the account sharon in the same jail.
Setting up the jk_init config file
The provided jk_init.ini has defaults that are valid for 32-bit Debian and 32-bit Ubuntu Linux. Other distributions and operating systems may have files at different locations. For example, multiarch 32-bit/64-bit systems may need libraries from /lib64.
Setting up the chroot jail
Older jailkit releases did not create the root of the chroot jail. This had to be done manually:
mkdir /home/jail
chown root:root /home/jail
The latest jailkit release automatically creates the root of the jail if it does not yet exist.
We want to give Jane and Sharon some utilities in the chroot jail:
jk_init -v -j /home/jail basicshell editors extendedshell netutils ssh sftp scp
Jail the user
To jail users jane and sharon, each must have jk_chrootsh as the shell in /etc/passwd. Add them as regular users with the command you always use (e.g. adduser), and then use jk_jailuser to move them into the jail.
jk_jailuser -m -j /home/jail jane
The entries in /etc/passwd should then look like:
jane:x:1016:1016::/home/jail/./home/jane:/usr/sbin/jk_chrootsh
sharon:x:1017:1017::/home/jail/./home/sharon:/usr/sbin/jk_chrootsh
These home directories must exist and must be owned by jane and sharon respectively.
We also want a /tmp/ directory in the jail for all users in the jail. Set the sticky bit on it, as on the host's /tmp, so that users cannot delete or rename each other's files.
mkdir /home/jail/tmp
chmod 1777 /home/jail/tmp
Bash as shell in the jail
Edit the /home/jail/etc/passwd file; the entries for Jane and Sharon should look something like:
jane:x:1016:1016::/home/jane:/bin/bash
sharon:x:1017:1017::/home/sharon:/bin/bash
The /home/jail/etc/group file is:
jane:x:1016
sharon:x:1017
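The two passwd files above have to agree: the host entry names the jail (the part of the home field before /./) and jk_chrootsh as shell, while the jail entry carries the same uid/gid, the home path after /./ and the real shell. The following check is an added example, not part of jailkit or of the original howto; the function name, the sample files and the user bob (a deliberately broken entry) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of jailkit: cross-check the host passwd file
# against the passwd file inside the jail.
# usage: check_jail_passwd HOST_PASSWD JAIL_PASSWD JAIL_ROOT
check_jail_passwd() {
    awk -F: -v jail="$3" '
    function fail(u, msg) { print "FAIL " u ": " msg; bad = 1 }
    # First file operand: passwd inside the jail, indexed by user name.
    FILENAME == ARGV[1] { uid[$1] = $3; gid[$1] = $4; home[$1] = $6; shell[$1] = $7; next }
    # Second operand: host passwd; only users whose shell is jk_chrootsh.
    $7 ~ /\/jk_chrootsh$/ {
        sep = index($6, "/./")            # jail root ends where /./ starts
        root = substr($6, 1, sep - 1); inner = substr($6, sep + 2)
        if (sep == 0)                     fail($1, "home has no /./ separator")
        else if (root != jail)            fail($1, "jail root is " root)
        else if (!($1 in uid))            fail($1, "missing from jail passwd")
        else if (uid[$1] != $3 || gid[$1] != $4) fail($1, "uid/gid differ")
        else if (home[$1] != inner)       fail($1, "jail home is " home[$1])
        else if (shell[$1] ~ /jk_chrootsh$/) fail($1, "jail shell must be a real shell")
        else print "OK " $1
    }
    END { exit bad + 0 }' "$2" "$1"
}

# Constructed sample data: jane and sharon as on this page, plus bob
# (hypothetical) whose host entry lacks the /./ separator.
demo() {
    d=$(mktemp -d)
    cat > "$d/host" <<'EOF'
jane:x:1016:1016::/home/jail/./home/jane:/usr/sbin/jk_chrootsh
sharon:x:1017:1017::/home/jail/./home/sharon:/usr/sbin/jk_chrootsh
bob:x:1018:1018::/home/jail/home/bob:/usr/sbin/jk_chrootsh
EOF
    cat > "$d/jail" <<'EOF'
jane:x:1016:1016::/home/jane:/bin/bash
sharon:x:1017:1017::/home/sharon:/bin/bash
EOF
    check_jail_passwd "$d/host" "$d/jail" /home/jail
    rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

On a real system the call would be check_jail_passwd /etc/passwd /home/jail/etc/passwd /home/jail; a non-zero exit status means at least one jailed account is inconsistent.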
Finalizing
If you use procmail for email delivery, users can execute commands outside the jail using a .procmailrc in their homedir. You should use jk_procmailwrapper so users inside a jail cannot use mail delivery, or use aliases so procmail is not executed for these users.
Maintenance
With jk_update, updates made on the real system can be applied to the jail. jk_update simply scans the files in the jail, compares them with their original counterparts, and updates the file in the jail if the original is newer. First do a 'dry-run', in which jk_update shows what it is going to do:
jk_update -j /home/jail -d
If you are satisfied with the result, do the real update with:
jk_update -j /home/jail