jailed 1.0.0 review
jailed implements a nonprivileged jailroot. It allows an environment to be specified, does std(in/out/err) redirection, and can restart a failed child.
Usage
jailed user [-g] [-r] [-c] [-p] [-n] [-e=] [-d] [program [arguments]]
* 'user' is used to specify the user to run as after the chroot has been done, but before the 'program' is started. Note that jailed itself keeps running as root in order to be able to restart the program if it fails, or when the HUP signal is received.
* '-g' is used to set the group. If omitted, whatever group is associated with the given user is used.
* If '-r' is given, the program is restarted if it dies when at least that many seconds have elapsed. Use '-r0' to disable automatic restart. If omitted, '-r5' is assumed.
* '-c' is used to set the root point. If omitted, the user's home directory is used.
* '-p' is used to set the name of the file to which jailed writes its own PID. If omitted, /var/run/jailed_.pid is used, where 'programname' is whatever is being used. If you use '-p' with no argument, no pid file is written.
* '-n' can be used to set the name that the child will be referred to as in the syslog. It also sets the name used in the default pidfile name, and the prefix on the stdout/stderr logs. The default is to use the executable program's name, without the path.
* '-e=' sets an environment variable in the new jail. By default, the jail will have HOME=/, PATH=/bin and USER=. You may set new variables or replace these.
* Use '-d' to print debugging output. This will show all the parameters used when starting the child program on stderr before starting the child.
* 'program' is the program to start. Note that the program's path must be relative to the chroot! If omitted, the user's shell is used. Anything that appears after the program is considered parameters to pass to the program.
This is set up such that you can use /etc/passwd as a configuration file, if you want. Or, you can specify everything on the command line.
If the jailroot root directory is writable by the jailroot user, then two files are created containing the stdout and stderr output of the program. The files are named '/_stdout' and '/_stderr'. They are created with 0600 permissions.
In addition, if the mkfifo() call is available and the HAVE_MKFIO define is nonzero in the code (by default it is), then the fifo '/_stdin' is created. You can send the program stdin by simply echo'ing to the fifo.
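The order described under Usage (chroot first, then switch to 'user', then start the program, with the parent staying root so it can restart the child) is sketched below as an added example. It is not jailed's source code: the function names are hypothetical, and the '-r' rule is coded under the assumption that the child must have run for at least that many seconds to be restarted.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* chroot(), setgroups() on glibc */
#endif
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Assumed reading of '-r': 0 disables restart; otherwise restart only when
   the child ran for at least min_secs, which avoids a tight crash loop. */
int should_restart(long lived_secs, long min_secs)
{
    return min_secs > 0 && lived_secs >= min_secs;
}

/* Called in the child only. chroot() needs root, so it comes first; groups
   and gid are dropped before uid, because setuid() removes the right to. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* drop must be irreversible */
    return 0;
}

/* Parent stays root to restart the child; returns the last wait status. */
int supervise(const char *root, uid_t uid, gid_t gid,
              char *const argv[], long min_secs)
{
    /* HOME and PATH defaults as listed on the page */
    char *const envp[] = { "HOME=/", "PATH=/bin", NULL };
    for (;;) {
        int status;
        time_t start = time(NULL);
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {
            if (enter_jail(root, uid, gid) != 0) _exit(126);
            execve(argv[0], argv, envp);   /* path is relative to the jail */
            _exit(127);
        }
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (!should_restart((long)(time(NULL) - start), min_secs))
            return status;
    }
}
```

If any step in enter_jail() fails, the child exits without running the program, so it never runs outside the jail or with root's identity.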