Because I wanted to jail some users .. for the fun of it .. they don't need to be able to move everywhere they want, but basically I wanted to give them some access to run a screen process in a chrooted environment .. so .. here it goes.
Step 1: Getting, compiling, installing.
wget -O jailkit-2.5.tar.gz http://wiki.d3xt3r01.tk/images/2/27/Jailkit-2.5.tar.gz # save under the lowercase name the next command expects
tar -xzf jailkit-2.5.tar.gz
cd jailkit-2.5
./configure
make
sudo make install # be sure to do this part as root..
Step 2: Configuring
Be sure to edit /etc/jailkit/jk_init.ini; some libs might be in different directories on other distros than Fedora (which is what I'm using on the devel box). I want to put user bling in a jail in /mnt/dex/jail/bling .. If you get an error saying it can't find /etc/ld.so.conf, open /etc/jailkit/jk_init.ini and add a ',' before that entry ..
You'll see that bash wants /usr/bin/id so add it to /etc/jailkit/jk_init.ini in the [basicshell] section.
cd /mnt/dex # be sure to chown root:root /mnt/dex too! jk_init will tell you it's not safe otherwise
mkdir -p jail/bling
jk_init -v -j /mnt/dex/jail/bling basicshell # initialize his dir with the needed utilities
adduser bling # add the regular user
passwd bling # set the password for him ..
jk_jailuser -m -s /bin/bash -j /mnt/dex/jail/bling bling # move his regular home into the new chroot
mkdir jail/bling/tmp
chmod a+rwx jail/bling/tmp
Adding another user
Adding more users is as easy as redoing step 2.
Adding other binaries
Check out jk_init -l if you want your chrooted user to be able to access other stuff ..
Also .. if you find something that's missing, simply do a 'whereis binary', then 'jk_cp -v -j /path/to/jailroot /path/to/binary', and it'll copy all the needed libraries with the right permissions and stuff .. Unfortunately jk_cp won't manage to get everything .. at least not every time .. so installing strace for the user and strace-ing whatever you want to run from his home is a good idea .. it shows you what the program tries to open so you can copy it into the jail from the real world :)
jk_cp -v -j /mnt/dex/jail/bling /usr/bin/screen # to enable screen .. don't forget to mount dev and devpts (see below)
If you want that user to be able to use the internet .. you'd better copy your /etc/resolv.conf to the jailed root's /etc dir .. or add netbasics to the jk_init line ..
Also .. if some programs complain about not knowing the terminal .. on Fedora you should just copy /usr/share/terminfo/ to the jail (or add midnightcommander and xterm to the jk_init line). Also edit /etc/jailkit/jk_chrootsh.ini and add this:
[bling]
# replace with the username ..
env= DISPLAY, XAUTHORITY, TERM, PATH
Screen might complain about not having PTYs .. so after some research:
mkdir /mnt/dex/jail/bling/dev
mount --bind /dev /mnt/dex/jail/bling/dev
mount --bind /dev/pts /mnt/dex/jail/bling/dev/pts
# mounting proc would be nice but do it only if you need it!
mkdir -p /mnt/dex/jail/bling/proc # the mount point has to exist first
mount --bind /proc /mnt/dex/jail/bling/proc
Some programs need /var/run .. so:
mkdir -p /mnt/dex/jail/bling/var/run/screen
chmod 777 /mnt/dex/jail/bling/var/run/screen
finch (the pidgin cli client ..) wants /var/lib/dbus/machine-id so:
mkdir -p /mnt/dex/jail/bling/var/lib/dbus
cp /var/lib/dbus/machine-id /mnt/dex/jail/bling/var/lib/dbus
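Once the jail is assembled, it's worth checking that what jk_init warned about (a jail root not owned by root) and what jk_cp may have dragged in (setuid binaries) didn't slip through. The script below is an added audit helper, not part of jailkit or of the steps above; it assumes GNU stat/find as on the Fedora box, and takes the expected owner uid as an optional second argument (default 0, root).

```shell
#!/bin/sh
# Added audit helper (not part of jailkit): sanity-check a jail directory
# before a user is allowed into it.  Assumes GNU stat/find (Fedora-style).
# Usage: audit_jail /mnt/dex/jail/bling [expected_owner_uid]
# Exit status 0 = all checks passed, 1 = at least one FAIL line printed.
audit_jail() {
    jail="$1"
    want_uid="${2:-0}"   # jail root should belong to root (uid 0) unless told otherwise
    rc=0
    if [ ! -d "$jail" ]; then
        echo "FAIL: $jail is not a directory"
        return 1
    fi
    # 1. Ownership of the jail root: jk_init warns when it is not root's.
    uid=$(stat -c '%u' "$jail")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $jail owned by uid $uid, expected $want_uid"
        rc=1
    fi
    # 2. Group/other write on the jail root would let the jailed user
    #    replace the libraries and binaries jk_init copied in.
    if [ -n "$(find "$jail" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "FAIL: $jail is group- or world-writable (mode $(stat -c '%a' "$jail"))"
        rc=1
    fi
    # 3. setuid/setgid files copied in with jk_cp keep their bits; list them.
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$suid" ]; then
        echo "FAIL: setuid/setgid files inside the jail:"
        echo "$suid"
        rc=1
    fi
    # 4. World-writable directories (tmp, var/run/screen) without the sticky
    #    bit let one jailed user delete another's files; warn only.
    find "$jail" -type d -perm -o+w ! -perm -1000 -print | while read -r d; do
        echo "WARN: world-writable directory without sticky bit: $d"
    done
    return $rc
}
```

Run it as root against the jail root (for example `audit_jail /mnt/dex/jail/bling`); a non-zero exit means something needs fixing before the user logs in.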
For the full set of options:
jk_init --help
jk_jailuser --help
jk_cp --help