CHROOT_JAIL.CONF.5


NAME

chroot_jail.conf − chroot_jail(5) configuration file

DESCRIPTION

The chroot_jail suite of utilities uses a single configuration file to define certain parameters about jails and directories within jails. These parameters set default permissions and ownership, and also serve as a way to mark a given directory as malleable or as a mount point.

The format of the configuration file is as follows:

  Directive value
  Path /path/to/location
    Directive value
  EndPath
  Jail jailname
    Directive value
    Path /path/to/location
      Directive value
    EndPath
  EndJail

A "Jail" or "Path" directive changes the jail or path for any following directives, and an "EndJail" or "EndPath" reverts to the default ’no value’ case. Note that "Jail", "EndJail", "Path", and "EndPath" can be intermixed in any way you’d like.

A directive value can be either a number (octal, hex and binary values can be entered as in C: 0644, 0x41, and "0b100"), a boolean value ("yes", "no", "true", and "false" are all supported), a directory (which should be fully qualified, or else the current directory will be assumed whenever a command is run), or a string (such as a user or group name).

Jail and path names are case sensitive, but parameter names are not. By convention, parameter names will be capitalized.

A configuration directive is requested by parameter name, jail name, and path name. The latter two elements are both optional. When a configuration directive is requested, the following process is used to find a value. The first condition that matches returns its value.

1. Check for a direct match (same parameter, same jail, same path/file).

2. If a path was provided, check for a match with a parent directory, working one level at a time up the tree (i.e., "/usr/local/bin/cmd" will check against "/usr/local/bin", then "/usr/local", then "/usr/", then "/"). Finally, check for the directive with no path provided.

3. If a jail was provided, start over without a jail.

4. Check for a directive with the right name, but no associated jail or path.

5. Return ’undefined’.

As an example, consider the following configuration file:

  Location /var/jails
  User jailuser
  Group jailgroup
  Jail jailone
    Path /usr/local/bin/customshell
      User oneuser
    Path /lib
      User root
    EndPath
  EndJail
  Path /usr/local/bin
    User bin
  EndPath

With the above, the following requests would return the following values:

  User, jailone, /usr/local/bin/customshell = oneuser
  User, jailtwo, /usr/local/bin/customshell = bin
  User, jailone, /lib/tls = root
  User, jailtwo, /lib = jailuser
  Group, jailone, /usr/local/bin = jailgroup
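
The lookup order above can be reproduced with a short Python sketch; this is an added example, not code from the chroot_jail utilities, and the names parse and lookup are hypothetical. It assumes "EndJail" leaves the current path untouched and keeps every value as a plain string. It also shows that a jail with no entries of its own silently inherits the global ownership settings.

```python
import posixpath

# The example configuration from this page, embedded so the block runs offline.
SAMPLE = """\
Location /var/jails
User jailuser
Group jailgroup
Jail jailone
  Path /usr/local/bin/customshell
    User oneuser
  Path /lib
    User root
  EndPath
EndJail
Path /usr/local/bin
  User bin
EndPath
"""

def parse(text):
    """Return {(param, jail, path): value}; None stands for 'no jail' / 'no path'."""
    table, jail, path = {}, None, None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue                      # blank line
        name = parts[0].lower()           # parameter names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if name in ("jail", "endjail"):   # assumption: EndJail does not reset the path
            jail = value if name == "jail" else None
        elif name in ("path", "endpath"):
            path = posixpath.normpath(value) if name == "path" else None
        else:
            table[(name, jail, path)] = value   # jail and path stay case-sensitive
    return table

def lookup(table, param, jail=None, path=None):
    """Steps 1-5: exact match, parent directories, no path, then retry with no jail."""
    key, paths = param.lower(), []
    p = posixpath.normpath(path) if path is not None else None
    while p is not None:                  # the path itself, then each parent up to "/"
        paths.append(p)
        parent = posixpath.dirname(p)
        p = parent if parent != p else None
    paths.append(None)                    # the entry with no path is tried last
    for j in ([jail, None] if jail is not None else [None]):
        for p in paths:
            if (key, j, p) in table:
                return table[(key, j, p)]
    return None                           # 'undefined'
```
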

PARAMETERS

The following parameter names are supported.

"Location"

The location of the jail metadata DB files and lock file. This parameter makes no sense when applied to a jail name or a path.

"User"

The default user to use when generating a file. Can be either the user name or the numeric uid. Has no effect if the command is not run by root.

"Group"

The default group to use when generating a file. Can be either the group name or the numeric gid. Has no effect if the command is not run by root or by someone in the specified group.

"Mask"

The default permission mask to use when generating a file. This must be specified numerically, preferably as an octal value. Note that this is a mask applied to the existing permissions of the file, so if the mask is set to 0755 and the file has permissions 0666, the resulting permissions will be 0444.

"Maleable"

Takes a boolean value. If set to true, the file/directory (and its contents, if applicable) is not checked for existence in the database by jail_check(1).

"Nocheck"

Takes a boolean value. If set to true, the hash value of the file/directory is not checked against the actual file/directory by jail_check(1).

"Mount"

Takes a boolean value. If set to true, the directory is allowed to serve as a mount point. Currently only applies to jail_check(1) checking, but will eventually apply to jail_mount(1) mounting.

SEE ALSO

chroot_jail(7), jail_add(1), jail_rm(1), jail_create(1), jail_destroy(1), jail_show(1), jail_check(1), jail_archive(1), jail_restore(1), jail_syslogd(1), jail_mount(1)

Part of chroot_jail(7), a component of the NCSA Restricted Community Accounts project.

Project website: <http://security.ncsa.uiuc.edu/research/commaccts/>

AUTHOR

Kevin J. Price, <kjprice@ncsa.uiuc.edu>

National Center for Supercomputing Applications (NCSA), <http://www.ncsa.uiuc.edu/>

COPYRIGHT

Copyright (c) 2005−2006, The Board of Trustees of the University of Illinois. All rights reserved.