jk_chrootsh - a shell that will put the user inside a changed root
jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or your ldap store). That user will be put into a changed root. The directory where to put the user in is read from the users home directory, the last occurring /./ sequence is used to mark the location of the changed root. An example line in /etc/passwd would look like
In this example the user will be chroot-ed into /home/testchroot
Inside the chroot-ed directory, it will look for /etc/passwd and it will execute the shell for the user from that file. For the above example the /etc/passwd file inside the jail should have an entry like
Notice that the home directory and the shell are local inside the chroot
jk_chrootsh needs certain elevated privileges to make the chroot(2) system call. Therefore it is setuid root. It will drop its root privileges immediately after making the chroot() system call. Since Jailkit 2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems that support capabilities, and then the setuid bit can be removed.
By default jk_chrootsh does not copy any environment variables. For some functionality, however, environment variables need to be copied (e.g. the TERM variable for a functional terminal emulation, or the DISPLAY variable for X forwarding). In /etc/jailkit/jk_chrootsh.ini the required environment variables can be listed. An example config file is shown below. In the example, user bill will get the DISPLAY variable, and all users in group jail will get the TERM and PATH variables.
By default jk_chrootsh requires a home directory owned by the user with the same group as the primary group from the user, and requires the home directory to be non-writable for group and others. You can relax these requirements in the configfile as shown below.
[bill] env= DISPLAY relax_home_owner=1 relax_home_group_permissions=1 relax_home_other_permissions=1
[group jail] env = TERM, PATH injail_login_shell=1
If user bill is in group jail, however, he will not get the TERM variable in the above example. Neither will any user with primary group jail get relaxed requirements for the ownership and the permissions of the home directory. First the user is checked, and only if no user section is found the primary group section is looked for, and if no group section is found, the DEFAULT section is used.
Normally jk_chrootsh will pass all arguments it is called with to the shell in the jail. You can force jk_chrootsh to call the shell inside the jail with a single argument --login by setting injail_login_shell=1 in the config file.
jk_chrootsh can be configured not to read the final shell from the /etc/passwd file in the jail. An example configfile is shown below.
[group jail2] skip_injail_passwd_check=1 injail_shell=/bin/bash
jk_chrootsh logs everything to syslog, please check the log files. Logging is sent to the LOG_AUTH facility with levels LOG_ERR and LOG_CRIT for critical errors, LOG_NOTICE for non-critical errors, and LOG_INFO for normal events. On most systems the command grep jk_ /var/log/* will give you the information you need.
commonly made mistakes are:
forgetting to add the user to JAIL/etc/passwd or the group to JAIL/etc/group
forgetting to have the correct permissions on all files inside the jail, or forgetting files inside the jail (the shell itself, or any libraries used by the shell)
referring to a file outside the chroot
Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2018 Olivier Sessink
Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.