Manual Reference Pages  -  JK_CHECK (8)

NAME

jk_check - a utility that will check a jail for security problems

CONTENTS

Synopsis
Description
Example
Options
Files
Copyright

SYNOPSIS

jk_check jail

jk_check -v -c configfile jail

DESCRIPTION

jk_check will run several tests on all files and directories in a jail. The tests are:

- test for setuid (set user id) or setgid (set group id) files

- test for file modifications, using an MD5 checksum on the file in the jail and the same file in the real root

- test for group writable or world writable directories

- test for matching user information in the jail and on the real system

It will test directories based on the config file /etc/jailkit/jk_check.ini but also based on jail patterns (dir/./dir) found in the home directories in /etc/passwd
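
The first three tests listed above can be sketched in a few lines of Python. This is an added example, not jk_check's own code; the function names (audit_jail, md5_of, demo) and the finding labels are assumptions made for illustration, and the user-information test and the ignore* options are left out.

```python
import hashlib
import os
import stat
import tempfile


def md5_of(path):
    """MD5 of a file's contents (used only to spot differences)."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


def audit_jail(jail, real_root="/"):
    """Return sorted (finding, path-relative-to-jail) tuples for one jail."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, jail)
            st = os.lstat(path)  # lstat: never follow symlinks out of the jail
            if stat.S_ISDIR(st.st_mode):
                if st.st_mode & stat.S_IWGRP:
                    findings.append(("group-writable-dir", rel))
                if st.st_mode & stat.S_IWOTH:
                    findings.append(("world-writable-dir", rel))
            elif stat.S_ISREG(st.st_mode):
                if st.st_mode & stat.S_ISUID:
                    findings.append(("setuid", rel))
                if st.st_mode & stat.S_ISGID:
                    findings.append(("setgid", rel))
                # Compare with the same path under the real root, if present.
                twin = os.path.join(real_root, rel)
                if os.path.isfile(twin) and md5_of(path) != md5_of(twin):
                    findings.append(("differs-from-real-root", rel))
    return sorted(findings)


def demo():
    """Constructed sample: a throwaway 'jail' and 'real root' in temp dirs."""
    with tempfile.TemporaryDirectory() as jail, tempfile.TemporaryDirectory() as root:
        for base, body in ((jail, b"tampered"), (root, b"original")):
            os.makedirs(os.path.join(base, "bin"))
            os.chmod(os.path.join(base, "bin"), 0o755)  # independent of umask
            with open(os.path.join(base, "bin", "tool"), "wb") as fh:
                fh.write(body)
        os.chmod(os.path.join(jail, "bin", "tool"), 0o4755)  # setuid file
        os.makedirs(os.path.join(jail, "tmp"))
        os.chmod(os.path.join(jail, "tmp"), 0o1777)  # writable by group and others
        return audit_jail(jail, root)
```

Calling demo() returns the findings for the constructed jail; audit_jail("/home/testchroot") would run the same checks against the jail path used in the examples below.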

EXAMPLE

    Minimal configfile

The most minimal configuration looks like:


[/home/testchroot]

This will include all the files and directories in /home/testchroot for testing.

    More extended configfile

Often you want to ignore some tests on some directories. The following configfile shows some examples:


[/home/testchroot]
ignorepatheverywhere =
ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc
ignorewritableforgroup = /home/testchroot/home
ignorewritableforothers = /home/testchroot/home/tmp
ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt
ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt
ignoresetuidexecuteforothers =

ignorepatheverywhere
no single test is performed in these directories. You should not use this option unless you know what you are doing.
ignorepathoncompare
files in listed directories are not compared with their non-jail counterparts. Useful for directories like /etc/ and /home/ where you know you'll have different files inside the jail and outside the jail.
ignorewritableforgroup
listed directories that are writable for the group are not reported.
ignorewritableforothers
listed directories that are writable for others are not reported.
ignoresetuidexecuteforuser
ignore the setuid bit on a file that is executable for a user, a file with -rws------ permissions that is. Use with care! Remember that user root can break out of a jail, therefore any program running with root privileges is theoretically capable of breaking out of the jail!
ignoresetuidexecuteforgroup
ignore the setuid bit for a file that is executable for the group, a file with -rws--x--- permissions that is.
ignoresetuidexecuteforothers
ignore the setuid bit for a file that is executable for others, a file with -rws--x--x permissions that is.

OPTIONS

-v Will give verbose output
-c configfile
  Use alternative configfile
-h The help screen

FILES

/etc/jailkit/jk_check.ini

SEE ALSO

jailkit(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8) jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8) jk_uchroot(8) jk_update(8) chroot(2)

COPYRIGHT

Copyright (C) 2003, 2004, 2005, 2006, 2007, Olivier Sessink

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.

JAILKIT JK_CHECK (8) 07-02-2010