jk_chrootlaunch

Version number: Jailkit 2.21 (in Debian 10)
Short description:

Manual page and help for the jk_chrootlaunch Linux command. The jk_chrootlaunch command is a startup program that can launch a daemon in a jail with the specified UID and GID.


jk_chrootlaunch - a launcher that can start a daemon in a jail with a specified uid and gid

Man page output

man jk_chrootlaunch
jk_chrootlaunch(8)                                        jk_chrootlaunch                                        jk_chrootlaunch(8)

NAME
       jk_chrootlaunch - a launcher that can start a daemon in a jail, with a specified uid and gid

SYNOPSIS
       jk_chrootlaunch [-h] [-p pidfile] [-u user] [-g group] -j jaildir -x executable -- [executable options]

       jk_chrootlaunch [--help] [--pidfile=pidfile] [--user user] [--group group] --jail jaildir --exec executable -- [executable options]

DESCRIPTION
       This launcher can be used to start some other process inside a jail. That process is typically a daemon that cannot do
       chroot(2) itself. The process can optionally be started with a certain user ID or group ID. Optionally this utility can
       write a pidfile to some location.

       This utility needs to make the chroot(2) call to jail the process, therefore it can only be started in a useful way by  user
       root.  Because you can break out of a jail with root privileges it is recommended to start the daemon as some other user and
       group using the --user and --group options. If this is not possible because that daemon needs root privileges as  well  (for
       example to open a port below 1024) the jail can perhaps delay a hacker, but it cannot prevent it.

       There are several daemons that should not be started by jk_chrootlaunch. All daemons that do a chroot(2) themselves (for
       example jk_socketd, postfix and openvpn) can do it themselves much better. Daemons that need access to files on the real
       system (for example the samba smbd daemon) cannot be jailed either, unless you can move all those files into the jail and
       do not need them on the real system.

OPTIONS
       -j --jail
              the directory to jail the process in

       -u --user
              the name or uid of the user to start the process as

       -g --group
              the name or gid of the group to start the process as

       -x --exec
              the executable to start

       --     any options after the -- are passed to the executable

EXAMPLE
       Suppose you want to start Apache inside a jail. Apache needs root privileges because it needs to open TCP port 80. But after
       opening port 80 it will start subprocesses as a regular user (for example user www-data). Therefore the subprocesses cannot
       break out of the jail. Apache can also write its own pidfile, so we also don't need that option.

       First we create the jail using jk_init(8). The apachectl program is a shell script, so it also needs /bin/sh and
       /usr/bin/kill. We also have to copy these into the jail using jk_cp(8). Apache also needs its modules from /usr/lib/apache;
       copy those as well. Then we can start Apache:

       jk_chrootlaunch -j /home/webjail -x /home/webjail/usr/sbin/apachectl -- start

       There are some smarter ways to do this. You can remove the /bin/sh and /bin/kill executables from the jail if you  edit  the
       apachectl script, and add jk_chrootlaunch to the script itself.

DIAGNOSTICS
       jk_chrootlaunch  logs  errors  to syslog, so check your log files. On most systems the command grep jk_ /var/log/* will give
       you the information you need.

SEE ALSO
       jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8) jk_jailuser(8) jk_list(8) jk_lsh(8)
       jk_procmailwrapper(8) jk_socketd(8) jk_uchroot(8) jk_update(8) chroot(2)

COPYRIGHT
       Copyright (C) 2003, 2004, 2005, 2006, 2007, 2018 Olivier Sessink

       Copying  and  distribution  of this file, with or without modification, are permitted in any medium without royalty provided
       the copyright notice and this notice are preserved.

JAILKIT                                                      07-02-2010                                          jk_chrootlaunch(8)
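As an added example (not part of Jailkit or of this man page), a small POSIX sh wrapper around the invocation shown in EXAMPLE: it builds the jk_chrootlaunch command line, refuses to launch the daemon as root inside the jail unless the caller opts in explicitly (the DESCRIPTION explains why root in a chroot is not a containment boundary), and afterwards checks via /proc that a launched process really has its root at the jail directory and a non-zero uid. The jail paths, the daemon name and the user and group names are assumptions.

```shell
#!/bin/sh
# Added example, not Jailkit code. Paths, daemon and account names are
# hypothetical; paths are assumed not to contain whitespace.

# build_launch_cmd JAILDIR EXEC USER GROUP [ARGS...]
# Prints the jk_chrootlaunch command line, or returns 1 with a reason on stderr.
build_launch_cmd() {
    jail=$1; exe=$2; user=$3; group=$4; shift 4
    case $jail in /*) ;; *) echo "jail dir must be absolute: $jail" >&2; return 1;; esac
    # -x takes the path on the real system, so it must lie below the jail dir.
    case $exe in "$jail"/*) ;; *) echo "executable must be inside $jail: $exe" >&2; return 1;; esac
    # Root inside a chroot can escape it, so demand a user unless the caller
    # sets ALLOW_ROOT_IN_JAIL=1 on purpose (e.g. apachectl, which needs port 80).
    if [ -z "$user" ] && [ "${ALLOW_ROOT_IN_JAIL:-0}" != 1 ]; then
        echo "refusing root inside the jail; pass a user or set ALLOW_ROOT_IN_JAIL=1" >&2
        return 1
    fi
    cmd="jk_chrootlaunch -j $jail"
    [ -n "$user" ]  && cmd="$cmd -u $user"
    [ -n "$group" ] && cmd="$cmd -g $group"
    cmd="$cmd -x $exe --"
    for a in "$@"; do cmd="$cmd $a"; done
    printf '%s\n' "$cmd"
}

# verify_jailed PID JAILDIR
# Returns 0 only if PID's root (per /proc/PID/root) is JAILDIR and its real uid is not 0.
verify_jailed() {
    pid=$1; jail=$2
    root=$(readlink "/proc/$pid/root" 2>/dev/null) || { echo "no such process: $pid" >&2; return 1; }
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
    [ "$root" = "$jail" ] || { echo "pid $pid root is '$root', not $jail" >&2; return 1; }
    [ "$uid" != 0 ]       || { echo "pid $pid runs as root inside the jail" >&2; return 1; }
    echo "pid $pid is jailed in $jail as uid $uid"
}
```

Run the printed command as root (jk_chrootlaunch needs chroot(2)), then pass the daemon's pid from its pidfile to verify_jailed to confirm the launch did what you intended.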
Help output

sudo jk_chrootlaunch --help
jailkit 2.21
Usage: jk_chrootlaunch -j jaildir [-u user] [-g group] [-p pidfile] -x executable -- [executable options]
        -p|--pidfile pidfile
        -j|--jail jaildir
        -x|--exec executable
        -u|--user username|uid
        -g|--group group|gid
        -h|--help
jk_chrootlaunch logs all errors to syslog, for diagnostics check your logfiles