Jailkit howto - creating a cvs only shell in a chroot jail

Objectives

We want to create an account that can do cvs only. Since one can read and write files through cvs, the account should run cvs inside a chroot jail.

Assumptions

Assume the account on machine cvsserver is for user mike in group cvs, and the jail is /home/cvsjail.

Cvs in a chroot jail

First we need to copy cvs into the jail. Cvs needs some libraries (you can find them using ldd /usr/bin/cvs), and we have to copy those as well. The cvs program also needs /dev/null and a writable /tmp/ directory, so we'll have to create those too. Most of this can be done by a recent jk_init version:

jk_init -v -j /home/cvsjail cvs
mkdir /home/cvsjail/tmp/
chown root:cvs /home/cvsjail/tmp/
chmod g+w /home/cvsjail/tmp/

Note that the jk_init.ini file in the Jailkit tarball has defaults for Debian and Ubuntu. If you use jk_init on other operating systems you may need to use a different jk_init.ini file, or update the file locations in jk_init.ini yourself.

Inside the jail, user mike needs to get a shell to execute cvs, and only cvs. We use jk_lsh to do this. Copy jk_lsh and its libraries into the chroot jail; this can be done using jk_cp or with jk_init:

jk_init -v -j /home/cvsjail jk_lsh

Jail the user

To jail user mike, he should have jk_chrootsh as shell in /etc/passwd. This shell will, like chrsh, chroot to the directory, drop privileges and execute the real shell. Either edit the files manually, or use jk_jailuser:

adduser mike
jk_jailuser -m -j /home/cvsjail mike

The entry in /etc/passwd should look like:

mike:x:1003:100::/home/cvsjail/./home/mike:/usr/sbin/jk_chrootsh

Now edit the /home/cvsjail/etc/passwd file; it should show something like:

mike:x:1003:100::/home/mike:/usr/sbin/jk_lsh
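
A consistency check for the two passwd entries above, as an added example that is not part of Jailkit or of the original howto. The function names are hypothetical, and the check assumes what the two entries show: the outer home is the jail root, then /./, then the home inside the jail, and both entries carry the same uid.

```sh
#!/bin/sh
# Added example, not part of Jailkit. check_jailed_account and pw_field are
# hypothetical helper names; the expected shells are the ones this howto uses.

# Print field $3 (1-based) of user $2's entry in passwd-format file $1.
pw_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# check_jailed_account USER HOST_PASSWD JAIL_ROOT
# Returns 0 if the outer and inner entries agree, 1 otherwise (reasons on stderr).
check_jailed_account() {
    user=$1 host_pw=$2 jail=${3%/} rc=0
    jail_pw=$jail/etc/passwd

    h_uid=$(pw_field "$host_pw" "$user" 3)
    h_home=$(pw_field "$host_pw" "$user" 6)
    h_shell=$(pw_field "$host_pw" "$user" 7)
    [ -n "$h_uid" ] || { echo "$user: no entry in $host_pw" >&2; return 1; }

    # Without jk_chrootsh as the outer shell no chroot happens at all.
    [ "$h_shell" = /usr/sbin/jk_chrootsh ] ||
        { echo "$user: outer shell is '$h_shell'" >&2; rc=1; }

    # The outer home must read <jail>/./<home inside the jail>.
    case $h_home in
        "$jail"/./*) inner_home=/${h_home#"$jail"/./} ;;
        *) echo "$user: home '$h_home' does not start with $jail/./" >&2
           return 1 ;;
    esac

    [ -r "$jail_pw" ] || { echo "cannot read $jail_pw" >&2; return 1; }
    j_uid=$(pw_field "$jail_pw" "$user" 3)
    j_home=$(pw_field "$jail_pw" "$user" 6)
    j_shell=$(pw_field "$jail_pw" "$user" 7)
    [ -n "$j_uid" ] || { echo "$user: no entry in $jail_pw" >&2; return 1; }

    # Inside the jail the account must land in jk_lsh, not a full shell.
    [ "$j_shell" = /usr/sbin/jk_lsh ] ||
        { echo "$user: jail shell is '$j_shell'" >&2; rc=1; }
    [ "$j_home" = "$inner_home" ] ||
        { echo "$user: jail home '$j_home', expected '$inner_home'" >&2; rc=1; }
    [ "$j_uid" = "$h_uid" ] ||
        { echo "$user: uid $h_uid outside the jail, $j_uid inside" >&2; rc=1; }
    return $rc
}
```

On the server described here the call would be check_jailed_account mike /etc/passwd /home/cvsjail.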

jk_lsh can do some logging, but in order to do so it needs to have a /dev/log socket. This socket can be provided by syslog, or by jk_socketd. Edit /etc/jailkit/jk_socketd.ini and make sure it shows a section like:

[/home/cvsjail/dev/log]
base = 1024
peak = 10240
interval = 0.5

Now restart jk_socketd, for example by killing it and starting it again:

killall jk_socketd ; jk_socketd

Any jk_socketd errors are logged into /var/log/daemon.log. If you try to log in right now, you will find an error in /var/log/auth.log saying that mike is not allowed to run a regular shell. And that is true, he's only allowed to do cvs.

Executing cvs, and only cvs

To allow mike to use cvs, we edit /home/cvsjail/etc/jailkit/jk_lsh.ini so that it permits cvs. In this example we do this for everybody in the cvs group:

[group cvs]
paths= /usr/bin
executables= /usr/bin/cvs

Running cvs

Now everything is done. This is an example that creates a cvs directory in mike's home directory:

export CVS_RSH=ssh
export CVSROOT=:ext:mike@cvsserver:/home/mike/
cvs init

Finalizing

If you use procmail for email delivery, users can execute commands outside the jail using a .procmailrc in their homedir. You should use jk_procmailwrapper so users inside a jail cannot use mail delivery, or use aliases so procmail is not executed for these users.

If you want to allow users to download their entire cvs tree, you could enable sftp and scp as well. Copy them into the jail (use jk_init) and allow them in /home/cvsjail/etc/jailkit/jk_lsh.ini and you're done!