jk_uchroot(8)                     jk_uchroot                     jk_uchroot(8)
NAME
jk_uchroot - grant regular users the right to change root into certain
directories
SYNOPSIS
jk_uchroot -j <jail> -x <executable>
DESCRIPTION
jk_uchroot can be used to give regular users access to the chroot()
system call in a safe way. jk_uchroot will only grant chroot into a
jail if the configuration file lists this user and jail combination.
jk_uchroot will furthermore only grant access if the chroot jail is
safe. Safe means that it is owned by uid 0 gid 0 and not writable for
others, including the system directories such as /bin, /lib, /dev/,
/sbin, and /usr.
jk_uchroot needs certain elevated privileges to make the chroot(2) system
call. Therefore it is setuid root. It will drop its root privileges
immediately after making the chroot() system call. Since Jailkit 2.8
jk_uchroot may also use the CAP_SYS_CHROOT capability on systems that
support capabilities, and then the setuid bit can be removed.
[john]
allowed_jails = /srv/johnjail, /srv/commonjail
skip_injail_passwd_check = 1
[group users]
allowed_jails = /srv/commonjail
skip_injail_passwd_check = 1
In the above example jk_uchroot is configured not to check if the user
exists in the /etc/passwd file in the jails.
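The following audit script is an added example, not Jailkit code: it reads allowed_jails entries in the format shown above and applies the ownership and write-permission conditions from the DESCRIPTION to each listed jail. The function names, the uid/gid parameters, the skipping of absent system directories and the reporting of symlinks are assumptions of this example.

```python
import configparser
import os
import stat

# Directories the man page names as part of the "safe" check.
SYSTEM_DIRS = ("bin", "lib", "dev", "sbin", "usr")

# The configuration example from this page.
SAMPLE_INI = """\
[john]
allowed_jails = /srv/johnjail, /srv/commonjail
skip_injail_passwd_check = 1
[group users]
allowed_jails = /srv/commonjail
skip_injail_passwd_check = 1
"""

def audit_jail(jail, uid=0, gid=0):
    """Return (path, reason) findings for one jail; an empty list means safe.

    uid/gid default to root as the man page requires; they are parameters
    only so the check can be exercised without root (assumption).
    """
    findings = []
    for path in [jail] + [os.path.join(jail, d) for d in SYSTEM_DIRS]:
        try:
            st = os.lstat(path)  # lstat: never follow a link out of the jail
        except FileNotFoundError:
            if path == jail:
                findings.append((path, "missing"))
            continue  # an absent system directory is skipped (assumption)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink, target not checked"))
            continue
        if (st.st_uid, st.st_gid) != (uid, gid):
            findings.append((path, f"owned by {st.st_uid}:{st.st_gid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "writable by others"))
    return findings

def audit_config(ini_text, uid=0, gid=0):
    """Map every jail named in an allowed_jails entry to its findings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    jails = set()
    for section in cfg.sections():
        value = cfg.get(section, "allowed_jails", fallback="")
        jails.update(j.strip() for j in value.split(",") if j.strip())
    return {jail: audit_jail(jail, uid, gid) for jail in sorted(jails)}

if __name__ == "__main__":
    for jail, findings in audit_config(SAMPLE_INI).items():
        print(jail, "OK" if not findings else findings)
```

To audit a live system, pass the contents of /etc/jailkit/jk_uchroot.ini to audit_config() instead of SAMPLE_INI.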
FILES
/etc/jailkit/jk_uchroot.ini
DIAGNOSTICS
jk_uchroot logs everything to syslog; please check the log files. Logging
is sent to the LOG_AUTH facility with levels LOG_ERR and LOG_CRIT
for critical errors, LOG_NOTICE for non-critical errors, and LOG_INFO
for normal events.
SEE ALSO
jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8)
jk_init(8) jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8)
jk_socketd(8) jk_update(8) chroot(2) syslogd(8)
COPYRIGHT
Copyright (C) 2003, 2004, 2005, 2006, 2007, Olivier Sessink
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.
JAILKIT 07-02-2010 jk_uchroot(8)