jk_chrootsh


Short description:

The manual page for the jk_chrootsh Linux command. jk_chrootsh is a shell that places the user in a changed root directory structure.

Man page output

man jk_chrootsh
jk_chrootsh(8)                                              jk_chrootsh                                              jk_chrootsh(8)

NAME
       jk_chrootsh - a shell that will put the user inside a changed root

SYNOPSIS
       jk_chrootsh

DESCRIPTION
       jk_chrootsh can be used as the login shell for a user (e.g. in /etc/passwd or your LDAP store). That user will be put into a
       changed root. The directory to put the user in is read from the user's home directory field: the last occurring /./ sequence
       marks the location of the changed root. An example line in /etc/passwd would look like

       test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh

       In this example the user will be chroot-ed into /home/testchroot.

       Inside the chroot, jk_chrootsh looks for /etc/passwd and executes the shell listed for the user in that file. For the  above
       example the /etc/passwd file inside the jail should have an entry like

       test:x:10000:10000::/home/test:/usr/sbin/jk_lsh

       Notice that both the home directory and the shell are paths local to the chroot.
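       The home-directory rule above, as an added Python example that is not code from jailkit: it splits the passwd home field at
       its last /./ into the jail root and the in-jail home, and derives the matching in-jail /etc/passwd entry. The passwd lines are
       constructed for the example; the default in-jail shell of /usr/sbin/jk_lsh simply mirrors the entry shown above, since the
       real shell is whatever the jail's own /etc/passwd lists.

```python
"""Split a jailkit-style home field at its last '/./' marker.

Added example, not part of jailkit.  It reproduces the rule documented for
jk_chrootsh: the last '/./' in the passwd home field separates the jail root
from the home directory as seen inside the jail.  The passwd lines used below
are constructed for this example.
"""

MARKER = "/./"


def split_jail_home(home):
    """Return (jail_root, injail_home) for a passwd home field.

    Only the last '/./' counts, so '/a/./b/./c' gives ('/a/./b', '/c').
    A home field without the marker cannot be jailed; this example refuses
    it (and a marker at position 0, which would mean a jail root of '/')
    rather than guessing.
    """
    idx = home.rfind(MARKER)
    if idx < 0:
        raise ValueError("home field has no /./ marker: %r" % home)
    jail_root = home[:idx]
    # Keep the slash that opens the marker so the in-jail path stays absolute.
    injail_home = home[idx + len(MARKER) - 1:]
    if not jail_root:
        raise ValueError("jail root would be the real root for %r" % home)
    return jail_root, injail_home


def parse_passwd_line(line):
    """Parse one /etc/passwd line into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    name, pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def injail_passwd_line(host_line, injail_shell="/usr/sbin/jk_lsh"):
    """Build the /etc/passwd line expected inside the jail for a host entry.

    The jail root is dropped and the home becomes the part after '/./'.
    jk_chrootsh reads the shell from this in-jail file, so injail_shell is
    whatever the jail should run; the default mirrors the man page example.
    """
    e = parse_passwd_line(host_line)
    _root, home = split_jail_home(e["home"])
    return ":".join([e["name"], e["passwd"], str(e["uid"]), str(e["gid"]),
                     e["gecos"], home, injail_shell])


def jail_paths(host_line):
    """Return (jail_root, home as seen in the jail, home as seen on the host)."""
    e = parse_passwd_line(host_line)
    root, home = split_jail_home(e["home"])
    return root, home, root + home


if __name__ == "__main__":
    # Constructed sample: the entry from the man page.
    sample = "test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh"
    root, home, host_home = jail_paths(sample)
    print("jail root     :", root)
    print("home in jail  :", home)
    print("home on host  :", host_home)
    print("in-jail passwd:", injail_passwd_line(sample))
```

       Run it as a script to see the three derived paths; jail_paths() gives the host-side path of the home directory, which is the one
       whose ownership and permissions jk_chrootsh checks before it calls chroot(2).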

       jk_chrootsh needs certain elevated privileges to make the chroot(2) system call. Therefore it is setuid root. It  will  drop
       its  root  privileges  immediately  after  making  the  chroot() system call. Since Jailkit 2.8 jk_chrootsh may also use the
       CAP_SYS_CHROOT capability on systems that support capabilities, and then the setuid bit can be removed.

       By default jk_chrootsh does not copy any environment variables. For some functionality, however, environment variables  need
       to  be  copied  (e.g.  the  TERM variable for a functional terminal emulation, or the DISPLAY variable for X forwarding). In
       /etc/jailkit/jk_chrootsh.ini the required environment variables can be listed. An example config file is shown below. In the
       example, user bill will get the DISPLAY variable, and all users whose primary group is jail will get the TERM and PATH
       variables.

       By default jk_chrootsh requires a home directory that is owned by the user, whose group is the user's primary group, and that
       is not writable by group or others. You can relax these requirements in the config file as shown below.

       [DEFAULT]
       relax_home_group=1

       [bill]
       env= DISPLAY
       relax_home_owner=1
       relax_home_group_permissions=1
       relax_home_other_permissions=1

       [group jail]
       env = TERM, PATH
       injail_login_shell=1

       If user bill is in group jail, however, he will not get the TERM variable in the above example. Neither will any user  whose
       primary group is jail get the relaxed requirement for the group of the home directory that DEFAULT sets. Exactly one section
       applies: first the user section is checked; only if no user section is found is the primary-group section looked  for;  and
       only if no group section is found is the DEFAULT section used. Settings are not merged across sections.

       Normally jk_chrootsh will pass all arguments it is called with to the shell in the jail. You can force jk_chrootsh  to  call
       the shell inside the jail with a single argument --login by setting injail_login_shell=1 in the config file.

       jk_chrootsh can be configured not to read the final shell from the /etc/passwd file in the jail. An example config  file  is
       shown below.

       [group jail2]
       skip_injail_passwd_check=1
       injail_shell=/bin/bash
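       The section lookup, the environment filtering, the --login override and the home-directory requirements described above, as
       one added Python example that is not jailkit's own code. It loads the ini text from this page (both examples combined), picks
       the section the way the man page says (user first, then primary group, then DEFAULT, with no merging), passes through only the
       listed environment variables, and applies the relax_* keys to the ownership and permission checks. The ini text, the sample
       environment, the argv and the stat values are all constructed here, and the problem strings are this example's wording,  not
       jk_chrootsh's syslog messages.

```python
"""Resolve the jk_chrootsh.ini section for a user and apply its settings.

Added example, not jailkit's own code.  It follows the man page: the user
section wins, else the primary-group section, else DEFAULT, and nothing is
merged between them.  The ini text below combines the two config examples
from the man page; environments and stat values are constructed.
"""
import configparser
import stat

SAMPLE_INI = """\
[DEFAULT]
relax_home_group=1

[bill]
env= DISPLAY
relax_home_owner=1
relax_home_group_permissions=1
relax_home_other_permissions=1

[group jail]
env = TERM, PATH
injail_login_shell=1

[group jail2]
skip_injail_passwd_check=1
injail_shell=/bin/bash
"""

FLAGS = ("relax_home_owner", "relax_home_group", "relax_home_group_permissions",
         "relax_home_other_permissions", "injail_login_shell",
         "skip_injail_passwd_check")


def load_ini(text):
    # Rename configparser's implicit default section so that '[DEFAULT]' is an
    # ordinary section and its keys are NOT inherited by the other sections.
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cp.read_string(text)
    return cp


def section_for(cp, user, primary_group):
    """First match wins: [user], then [group <primary_group>], then [DEFAULT]."""
    for name in (user, "group " + primary_group, "DEFAULT"):
        if cp.has_section(name):
            return name
    return None


def settings_for(cp, user, primary_group):
    """Flatten the one applicable section into plain Python values."""
    out = {flag: False for flag in FLAGS}
    out["env"] = []
    out["injail_shell"] = None
    name = section_for(cp, user, primary_group)
    if name is None:
        return out
    sec = cp[name]
    for flag in FLAGS:
        out[flag] = sec.getboolean(flag, False)
    out["env"] = [v.strip() for v in sec.get("env", "").split(",") if v.strip()]
    out["injail_shell"] = sec.get("injail_shell") or None
    return out


def jail_environment(host_env, settings):
    """jk_chrootsh copies nothing by default; only listed names pass through."""
    return {k: host_env[k] for k in settings["env"] if k in host_env}


def shell_args(argv, settings):
    """Arguments handed to the in-jail shell: all of them, or just --login."""
    return ["--login"] if settings["injail_login_shell"] else list(argv)


def home_dir_problems(st_uid, st_gid, st_mode, uid, gid, settings):
    """Apply the default home-directory requirements, minus any relaxed ones."""
    problems = []
    if st_uid != uid and not settings["relax_home_owner"]:
        problems.append("home not owned by user")
    if st_gid != gid and not settings["relax_home_group"]:
        problems.append("home group is not the primary group")
    if st_mode & stat.S_IWGRP and not settings["relax_home_group_permissions"]:
        problems.append("home is group-writable")
    if st_mode & stat.S_IWOTH and not settings["relax_home_other_permissions"]:
        problems.append("home is world-writable")
    return problems


if __name__ == "__main__":
    cp = load_ini(SAMPLE_INI)
    # Constructed host environment; LD_PRELOAD must never reach the jail.
    host_env = {"TERM": "xterm", "DISPLAY": ":0", "PATH": "/usr/bin",
                "LD_PRELOAD": "/tmp/evil.so"}
    # Constructed stat: owned by uid 10000, wrong group, mode 0775.
    for user, group in (("bill", "jail"), ("test", "jail"),
                        ("alice", "jail2"), ("carol", "users")):
        s = settings_for(cp, user, group)
        print(user, "->", section_for(cp, user, group),
              jail_environment(host_env, s), shell_args(["-c", "id"], s),
              home_dir_problems(10000, 20000, 0o40775, 10000, 10000, s))
```

       Running the script shows the non-merging rule directly: bill (primary group jail) is still flagged for the group mismatch even
       though DEFAULT relaxes it, while carol, who falls through to DEFAULT, is not.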

FILES
       /etc/passwd /etc/jailkit/jk_chrootsh.ini

DIAGNOSTICS
       jk_chrootsh logs everything to syslog, please check the log files. Logging is sent to the LOG_AUTH facility with levels  LOG_ERR
       and LOG_CRIT for critical errors, LOG_NOTICE for non-critical errors, and LOG_INFO for normal events. On most systems the com‐
       mand grep jk_ /var/log/* will give you the information you need.

       Commonly made mistakes are:

       forgetting to add the user to JAIL/etc/passwd or the group to JAIL/etc/group;

       forgetting to set the correct permissions on all files inside the jail, or forgetting files inside the jail (the shell itself,
       or any libraries used by the shell);

       referring to a file outside the chroot.

SEE ALSO
       jailkit(8)  jk_check(8)  jk_chrootlaunch(8)  jk_cp(8)  jk_init(8)  jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8)
       jk_socketd(8) jk_uchroot(8) jk_update(8) chroot(2) syslogd(8)

COPYRIGHT
       Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2018 Olivier Sessink

       Copying and distribution of this file, with or without modification, are permitted in any medium  without  royalty  provided
       the copyright notice and this notice are preserved.

JAILKIT                                                      07-02-2010                                              jk_chrootsh(8)
