jk_socketd

NAME

jk_socketd - a daemon to create a rate-limited /dev/log socket inside a chroot

SYNOPSIS

jk_socketd

jk_socketd -p pidfile -n

jk_socketd --pidfile= pidfile --nodetach

DESCRIPTION

The jailkit socket daemon creates a rate-limited /dev/log socket inside a jail according to /etc/jailkit/jk_socketd.ini and writes all data eventually to syslog using the real /dev/log Programs like jk_lsh and also many daemons need a /dev/log socket to do logging to syslog..

jk_socketd is an alternative for syslog to create /dev/log inside the jail (see your syslog manual how to accomplish this). However, if you are worrying about an attacker disrupting normal system operation by filling your logs you should use jk_socketd. jk_socketd can limit the number of bytes written trough the socket. If the logging is limited by jk_socketd, processes that run inside the jail will be slowed down if they try to use the logging service. If you expect a high logging rate in a jail, it is recommended to use syslog to create the socket in the jail instead of jk_socketd.

On (Open)Solaris /dev/log is not a socket and therefore jk_socketd will not function. On (Open)Solaris you should create the devices /dev/log and /dev/conslog in the jail to enable logging inside the jail..

The rate limiting is done based on three parameters, the base, the peak and the interval. The interval is the number of seconds that jk_socketd will use to count up to the number of bytes. The base and peak are both a number in bytes.

A socket is normally only allowed to have base bytes going trough per interval seconds. Only if in the previous interval the number of bytes has been lower than base, peak number of bytes is allowed. So a peak can only happen if the previous interval has been lower than base..

The config file consists of several entries where each entry looks like this:

[/home/testchroot/dev/log]
base = 512
peak = 2048
interval = 5.0

The title of the section is the socket to be created. The directory to create the socket in should exist..

"Security" The jailkit socket daemon will change to user nobody and will chroot() into an empty dir once all sockets are opened..

OPTIONS

-n --nodetach do not detach from the terminal and print debugging output

-p pidfile --pidfile=pidfile write PID to pidfile

-h --help show help screen

--socket=/path/to/socket do not read ini file, create specific socket

--base=integer message rate limit (in bytes) per interval for socket specified by --socket

--peak=integer message rate limit peak (in bytes) for socket specified by --socket

--interval=float message rate limit interval in seconds for socket specified by --socket

FILES

/etc/jailkit/jk_socketd.ini

DIAGNOSTICS

jk_socketd logs errors to syslog, so check your log files

otherwise run jk_socketd -n and it will not detach from the terminal, and it will print some debugging output.

SEE ALSO

jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8) jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_uchroot(8) jk_update(8) chroot(2) syslogd(8)

COPYRIGHT

Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier Sessink

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved..