jk_check man page on DragonFly


jk_check(8)			   jk_check			   jk_check(8)

NAME
       jk_check - a utility that will check a jail for security problems

SYNOPSIS
       jk_check jail

       jk_check -v -c configfile jail

DESCRIPTION
       jk_check will run several tests on all files and directories in a jail.
       The tests are:

       -test for setuid (set user id) or setgid (set group id) files

       -test for file modifications, using an MD5 checksum on the file in  the
       jail and the same file in the real root

       -test for group writable or world writable directories

       -test for matching user information in the jail and on the real system

       It will test directories based on the config file
       /etc/jailkit/jk_check.ini but also based on jail patterns (dir/./dir)
       found in the home directories in /etc/passwd.

EXAMPLE
   Minimal configfile
       The most minimal configuration looks like:

       [/home/testchroot]

       This will include all the files and directories in /home/testchroot for
       testing.

   More extended configfile
       Often you want to ignore some tests on some directories, the  following
       configfile shows some examples:

       [/home/testchroot]
       ignorepatheverywhere =
       ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc
       ignorewritableforgroup = /home/testchroot/home
       ignorewritableforothers = /home/testchroot/home/tmp
       ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforothers =

       ignorepatheverywhere
              no single test is performed in these directories. You should not
              use this option unless you know what you are doing.
       ignorepathoncompare
              files in listed directories are not compared with their non-jail
              counterparts. Useful for directories like /etc/ and /home/ where
              you know you'll have different files inside the jail and outside
              the jail.
       ignorewritableforgroup
              listed directories that are writable for the group are not
              reported.
       ignorewritableforothers
              listed directories that are writable for others are not reported.
       ignoresetuidexecuteforuser
              ignore the setuid bit on a file that is executable for a user,
              that is, a file with -rws------ permissions. Use with care!
              Remember that user root can break out of a jail, therefore any
              program running with root privileges is theoretically capable
              of breaking out of the jail!
       ignoresetuidexecuteforgroup
              ignore the setuid bit for a file that is executable for the
              group, that is, a file with -rws--x--- permissions.
       ignoresetuidexecuteforothers
              ignore the setuid bit for a file that is executable for others,
              that is, a file with -rws--x--x permissions.
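
       The following Python sketch is an added example, not jailkit's own
       code. It shows how the ignore options above can gate the setuid/setgid
       and writable-directory tests. The function names and the rule that a
       listed entry also covers everything below it are assumptions; the MD5
       comparison and the user information test are left out.

```python
import configparser, os, stat
EXEC = {"user": stat.S_IXUSR, "group": stat.S_IXGRP, "others": stat.S_IXOTH}

# The extended example config from this man page, embedded so the block runs offline.
SAMPLE_INI = """[/home/testchroot]
ignorepatheverywhere =
ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc
ignorewritableforgroup = /home/testchroot/home
ignorewritableforothers = /home/testchroot/home/tmp
ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt
ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt
ignoresetuidexecuteforothers =
"""

def load_ignores(ini_text, jail):
    """Return {option: [paths]} for the jail's section; empty options give []."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {k: [p.strip() for p in v.split(",") if p.strip()]
            for k, v in cp[jail].items()}

def ignored(path, ign, option):
    # Assumption: a listed entry covers the path itself and everything below it.
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in ign.get(option, []))

def findings(path, mode, ign):
    """Classify one path from its st_mode; return a list of finding strings."""
    if ignored(path, ign, "ignorepatheverywhere"):
        return []
    out = []
    if stat.S_ISDIR(mode):
        if mode & stat.S_IWGRP and not ignored(path, ign, "ignorewritableforgroup"):
            out.append("group-writable directory")
        if mode & stat.S_IWOTH and not ignored(path, ign, "ignorewritableforothers"):
            out.append("world-writable directory")
    elif stat.S_ISREG(mode):
        if mode & stat.S_ISGID:
            out.append("setgid file")
        for who, bit in EXEC.items():  # setuid is reported per execute class
            if mode & stat.S_ISUID and mode & bit and not ignored(
                    path, ign, "ignoresetuidexecutefor" + who):
                out.append("setuid, executable for " + who)
    return out

def scan(jail, ign):
    """Walk the jail (symlinks are not followed) and yield (path, finding)."""
    for root, dirs, files in os.walk(jail):
        for name in dirs + files:
            path = os.path.join(root, name)
            yield from ((path, f) for f in findings(path, os.lstat(path).st_mode, ign))
```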

OPTIONS
       -v     Will give verbose output

       -c configfile
	      Use alternative configfile

       -h     The help screen

FILES
       /etc/jailkit/jk_check.ini

SEE ALSO
       jailkit(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8)
       jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8)
       jk_uchroot(8) jk_update(8) chroot(2)

COPYRIGHT
       Copyright (C) 2003, 2004, 2005, 2006, 2007, Olivier Sessink

       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

JAILKIT				  07-02-2010			   jk_check(8)