Jailkit is a set of utilities to enhance the possibilities of chroot jails. Jailkit contains a set of tools and config files to automate the deployment of chroot jails. Jailkit also contains various tools to limit user accounts to specific files or specific commands, configured from a config file. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.
Jailkit is a specialized set of tools that is developed with a focus on security. It will abort in a secure way if the configuration, the system setup or the environment is not 100% secure, and it will send useful log messages that explain what is wrong to syslog.
Jailkit is very stable software with a very stable and high quality codebase. It is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.
28-4-2021: Jailkit 2.22 released. Jailkit 2.22 fixes a python3 compatibility problem in jk_update and adds logging when an invalid word expansion syntax is used. The defaults in jk_init.ini have been improved as well.
29-9-2019: Jailkit 2.21 released. Jailkit 2.21 is a maintenance release that adds full python 3 compatibility. Also the long deprecated jk_addjailuser utility has been removed.
8-10-2018: Jailkit 2.20 released. Jailkit 2.20 is a minor maintenance release. It fixes jk_procmailwrapper functionality for users with a regular dot in their home directory, and improves jk_update and jk_cp for some corner cases.
Download & requirements
The daemons and shells only need libc and posix threads (libpthreads), available on most Unix like systems. The install and check utilities are written in python, and therefore you need to have python installed. Older versions of jailkit required gnu libc, but from version 1.0 jailkit should not require a specific libc anymore. Jailkit is confirmed to work on Solaris, many Linux distributions, OpenBSD, FreeBSD and MacOSX.
The old (<2.20) releases are signed with PGP key DAC576E6. I had some issues with my gpg key, 2.20 is signed with a different key. Releases 2.21 and further are signed with key 64979277BAFF2D4CB637AC3B291C63A6B78DFBA1.
- jailkit-2.22.tar.bz2 with PGP signature (signed apr 28 2021)
- jailkit-2.22.tar.gz with PGP signature (signed apr 28 2021)
sha256 sums for the stable releases:
985564721366eaf5c6482dd17e91647d21e70b4c9803c74847d649d8c8c2bbcf jailkit-2.22.tar.bz2 a7c979617206710b56bbbe0ddcdfb1e14b2bfc440030b0283713f4a43f284a71 jailkit-2.22.tar.gz
md5 sums for the stable releases:
bd7fabb6af7122d7464ca1d46186174f jailkit-2.22.tar.bz2 066ceca51a2e3e3e1405c857dcbf608b jailkit-2.22.tar.gz
The latest development snapshot can always be downloaded from savannah.nongnu.org.
The jailkit man page provides a general overview of all utilities, the other man pages are specific for the executable.
Online man pages (the package may contain a more recent version):
- jailkit - general overview
- jk_chrootsh - chroot shell (similar to chrsh)
- jk_lsh - limited shell
- jk_socketd - secure logging
- jk_init - initialise a jail
- jk_cp - copy files and dependencies into a jail
- jk_update - update a jail
- jk_check - security test for a jail
- jk_list - list all jailed processes
- jk_chrootlaunch - chroot another daemon in a jail
- jk_procmailwrapper - jailed and non-jailed mail delivery
Contact & Support
Bugs reports can be sent to the mailinglist, or can be posted to the bug-tracker at savannah.