HOWTO JailKit
From Gentoo Linux Wiki
About
Jailkit is a set of utilities to limit user accounts to specific files using chroot() and/or to specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier using these utilities.
Jailkit is often used on CVS servers (in a chroot and limited to cvs), sftp/scp servers (either in a chroot and limited to sftp/scp, or not in a chroot but only limited to sftp/scp), and also on general servers with shell accounts that live in a chroot. Jailkit is furthermore used to jail daemon processes, for example apache servers, bzflag servers, squid proxy servers, etc.
The jk_chrootsh tool is similar to app-misc/jail, but Jailkit has several more tools to build chroot jails, check chroot jails, and deploy chroot jails.
Step by step howto
Author's note
I just built an ebuild. Firstly, I wanted to test the program; secondly, I wanted to train my ebuild writing skills. --the_mgt 17:43, 18 September 2005 (GMT)
| Note: I do not maintain this software nor did I test it. I just built an ebuild which is able to install the software. That's all for the moment. |
| Note: The software is confirmed to work well, the ebuild is also confirmed |
The ebuild
It installed on two systems (pentium-m, c3) flawlessly.
On the pentium-m it compiled with: "-O3 -march=pentium3 -mcpu=i686 -pipe -mmmx -fomit-frame-pointer -ftracer -ffast-math -fno-guess-branch-probability -fcse-skip-blocks -fcaller-saves -fforce-mem -fsched-interblock -mieee-fp -fno-math-errno -funsafe-math-optimizations -fno-trapping-math -ffinite-math-only"
Just for added info, I got it compiled on an AMD Duron with the following flags: CHOST="i686-pc-linux-gnu" CFLAGS="-march=athlon-tbird -O2 -pipe -fomit-frame-pointer" CXXFLAGS="${CFLAGS}" --ecosta 09:36, 12 February 2006 (GMT)
It compiles with and without 'procmail' installed. I only took care of the ebuild functionality; I will test the rest.
This is the ebuild:
| File: /usr/portage/app-misc/jailkit/jailkit-2.0.ebuild |
inherit eutils

DESCRIPTION="Jailkit: utilities to easily put programs and users in a chrooted environment"
HOMEPAGE="http://olivier.sessink.nl/jailkit/"
SRC_URI="http://olivier.sessink.nl/jailkit/${P}.tar.bz2"
LICENSE="BSD"
SLOT="0"
KEYWORDS="~x86"
IUSE=""
DEPEND=""
RDEPEND="sys-libs/glibc
	>=dev-lang/python-2.0"

S=${WORKDIR}/${P}

src_compile() {
	### Fix some paths to fit the sandbox conditions; otherwise the upstream
	### Makefile tries to write the ini files and /etc/shells in / directly.
	sed 's:${iniprefix}:${iniprefix}/jailkit/:' \
		< "${S}/Makefile.in" > "${S}/Makefile.in_tmp" || die "sed failed"
	sed 's:if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then:if ! grep ${prefix}/sbin/jk_chrootsh ${iniprefix}/shells ; then:' \
		< "${S}/Makefile.in_tmp" > "${S}/Makefile.in" || die "sed failed"
	sed 's:echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;:echo /usr/sbin/jk_chrootsh >> ${iniprefix}/shells ;:' \
		< "${S}/Makefile.in" > "${S}/Makefile.in_tmp" || die "sed failed"
	cp "${S}/Makefile.in_tmp" "${S}/Makefile.in" && rm "${S}/Makefile.in_tmp"

	### Fix the wrong python path inside the sandbox: replace the upstream
	### sed that rewrites LIBDIR and the interpreter line with a plain cp,
	### then strip the '>' redirection that cp must not see.
	sed 's;sed -e "s!LIBDIR='\''\[a-z/]\*'\''!LIBDIR='\''\${PYLIBDIR}'\''!" -e "s:#!/usr/bin/python:#!$(PYTHONPATH):" <;cp;' \
		< "${S}/py/Makefile.in" > "${S}/py/Makefile.in_tmp" || die "sed failed"
	sed 's;>;;' < "${S}/py/Makefile.in_tmp" > "${S}/py/Makefile.in" || die "sed failed"
	rm "${S}/py/Makefile.in_tmp"

	# compiling
	econf || die "econf failed"
	emake || die "make failed"
}

src_install() {
	# The upstream Makefile has no DESTDIR, so every prefix is pointed at ${D}.
	make \
		prefix=${D}/usr \
		iniprefix=${D}/etc \
		mandir=${D}/usr/share/man \
		infodir=${D}/usr/share/info \
		libdir=${D}/usr/$(get_libdir) \
		install || die "Install failed"
}

pkg_postinst() {
	einfo
	einfo "Use at your own risk, don't file bug reports to gentoo!"
	einfo "The author of this ebuild does not maintain this software!"
	einfo "contact the user list http://lists.nongnu.org/mailman/listinfo/jailkit-users"
	einfo "or the dev list http://lists.nongnu.org/mailman/listinfo/jailkit-dev"
	einfo
}
|
How to install
Add PORTDIR_OVERLAY="/usr/local/portage" to your /etc/make.conf (if you didn't already). Execute mkdir -p /usr/local/portage/app-misc/jailkit/, and then copy the ebuild text into a file called "jailkit-2.0.ebuild" in the created directory. Then generate the digest and emerge it:
ebuild /usr/local/portage/app-misc/jailkit/jailkit-2.0.ebuild digest
ACCEPT_KEYWORDS="~x86" emerge jailkit
If it works and you want to keep it, add "app-misc/jailkit" to your package.keywords file:
echo "app-misc/jailkit ~x86" >> /etc/portage/package.keywords
Usage
For usage documentation, look at the program's homepage; it has many examples online. The Jailkit-users mailing list archives are also a very good source of information.
Update: In fact you can find a basic setup here: http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html
I just noticed one bug that I had, at least... after I added a user, sftp doesn't work for him. I found a solution in one of the forums:
At first, ssh worked fine for jailed users, but sftp and scp did not. To get sftp to work, I needed to add /dev/null to the chrooted environment. I edited the sftp section in /etc/jailkit/jk_init.ini to look like this:
[sftp]
comment = ssh secure ftp
executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
Then I ran
jk_init -v /home/jail sftp
And it works now =)
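As an added illustration of what that [sftp] section asks jk_init for, here is a small Python script (my own example, not Jailkit code and not part of the ebuild above) that resolves a jk_init.ini section through its includesections entries and then checks a jail directory for the listed files and devices. The ini text inside it is constructed; the helper sections [netbasics] and [uidbasics] are assumed stand-ins for the real ones, and the key subset it understands (comment, executables, devices, paths, includesections) is an assumption. It flags /dev/null when the node is absent or is a plain file instead of a character device, which is the condition that broke sftp in the post above.

```python
"""Resolve a jk_init.ini section and check a jail directory against it.

Added example, not Jailkit's own code. It mirrors what jk_init reads from
jk_init.ini for a subset of the real keys: comment, executables, devices,
paths and includesections (assumption: other keys are ignored).
"""
import configparser
import os
import stat
import tempfile

# Constructed sample config in the jk_init.ini style: the [sftp] section from
# the page plus two assumed helper sections it includes.
SAMPLE_INI = """\
[uidbasics]
comment = files needed for uid/gid lookups
paths = /etc/passwd, /etc/group

[netbasics]
comment = basic name resolution
paths = /etc/resolv.conf, /etc/hosts

[sftp]
comment = ssh secure ftp
executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
"""

LIST_KEYS = ("executables", "devices", "paths")


def load_ini(text):
    """Parse jk_init.ini text; interpolation is off so '%' in values is literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def _split(value):
    """'a, b, c' -> ['a', 'b', 'c'], dropping empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_section(cfg, name, _seen=None):
    """Merge executables/devices/paths of `name` and of every included section."""
    seen = set() if _seen is None else _seen
    if name in seen:                       # cycle guard: section already merged
        return {k: [] for k in LIST_KEYS}
    seen.add(name)
    if name not in cfg:
        raise KeyError(f"no [{name}] section in jk_init.ini")
    section = cfg[name]
    result = {k: _split(section.get(k, "")) for k in LIST_KEYS}
    for included in _split(section.get("includesections", "")):
        sub = resolve_section(cfg, included, seen)
        for k in LIST_KEYS:
            for item in sub[k]:
                if item not in result[k]:
                    result[k].append(item)
    return result


def check_jail(jail_root, wanted, host_root="/"):
    """Return the wanted items the jail lacks.

    Executables and paths only count as missing when they exist on the host
    (jk_init copies whichever listed candidate is present); devices must be
    character device nodes inside the jail, so a plain file named /dev/null
    is reported as well.
    """
    def inside(root, path):
        return os.path.join(root, path.lstrip("/"))

    missing = []
    for path in wanted["executables"] + wanted["paths"]:
        if os.path.exists(inside(host_root, path)) and not os.path.exists(inside(jail_root, path)):
            missing.append(path)
    for dev in wanted["devices"]:
        try:
            mode = os.stat(inside(jail_root, dev)).st_mode
        except FileNotFoundError:
            missing.append(dev)
            continue
        if not stat.S_ISCHR(mode):
            missing.append(dev)
    return missing


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def demo_check():
    """Constructed host and jail trees: the jail was built before the /dev/null fix."""
    wanted = resolve_section(load_ini(SAMPLE_INI), "sftp")
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as jail:
        for rel in ("usr/lib/misc/sftp-server", "etc/passwd", "etc/group",
                    "etc/resolv.conf", "etc/hosts"):
            _touch(os.path.join(host, rel))
        for rel in ("usr/lib/misc/sftp-server", "etc/passwd", "etc/group",
                    "etc/resolv.conf"):
            _touch(os.path.join(jail, rel))
        _touch(os.path.join(jail, "dev/null"))   # wrong kind: a plain file, not a device
        return check_jail(jail, wanted, host_root=host)


if __name__ == "__main__":
    for item in demo_check():
        print("missing from jail:", item)
```

Run it against a real jail as check_jail("/home/jail", resolve_section(load_ini(open("/etc/jailkit/jk_init.ini").read()), "sftp")) to see which entries of the section never made it into the chroot; device nodes themselves still have to be created by jk_init (or mknod) as root.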
Credits
- Thanks to the writer of the tool.
- Author of howto & ebuild: the_mgt
- Update written by Holms
