Manual Reference Pages  -  JK_SOCKETD (8)

NAME

jk_socketd - a daemon to create a rate-limited /dev/log socket inside a chroot

CONTENTS

Synopsis
Description
Options
Files
Diagnostics
Copyright

SYNOPSIS

jk_socketd

jk_socketd -p pidfile -n

jk_socketd --pidfile= pidfile --nodetach

DESCRIPTION

The jailkit socket daemon creates a rate-limited /dev/log socket inside a jail according to /etc/jailkit/jk_socketd.ini and eventually writes all data to syslog using the real /dev/log. Programs like jk_lsh, and also many daemons, need a /dev/log socket to log to syslog.

jk_socketd is an alternative to having syslog create /dev/log inside the jail (see your syslog manual for how to accomplish this). However, if you are worried about an attacker disrupting normal system operation by filling your logs, you should use jk_socketd. jk_socketd can limit the number of bytes written through the socket. If the logging is limited by jk_socketd, processes that run inside the jail will be slowed down when they try to use the logging service. If you expect a high logging rate in a jail, it is recommended to use syslog to create the socket in the jail instead of jk_socketd.

On (Open)Solaris /dev/log is not a socket and therefore jk_socketd will not function. On (Open)Solaris you should create the devices /dev/log and /dev/conslog in the jail to enable logging inside the jail.

The rate limiting is based on three parameters: the base, the peak and the interval. The interval is the number of seconds over which jk_socketd counts bytes. The base and peak are both numbers of bytes.

A socket is normally only allowed to pass base bytes per interval seconds. Only if the number of bytes in the previous interval was lower than base is peak bytes allowed. So a peak can only happen if the previous interval stayed below base.

The config file consists of several entries where each entry looks like this:


    [/home/testchroot/dev/log]
    base = 512
    peak = 2048
    interval = 5.0

The title of the section is the socket to be created. The directory to create the socket in should exist.
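As an added illustration (not jailkit's own code), here is a Python model of the base/peak/interval rule described above, together with a parse of a config entry in the same format. The timestamps and message sizes are constructed, and the real daemon delays the writer instead of returning a verdict:

```python
import configparser

# Constructed sample entry in jk_socketd.ini syntax (not read from a real file).
SAMPLE_INI = """
[/home/testchroot/dev/log]
base = 512
peak = 2048
interval = 5.0
"""

def parse_config(text):
    """Map each socket path (section title) to its (base, peak, interval)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s: (cp.getint(s, "base"), cp.getint(s, "peak"),
                cp.getfloat(s, "interval")) for s in cp.sections()}

class RateLimiter:
    """Hypothetical model of the base/peak/interval rule; not jailkit's code."""
    def __init__(self, base, peak, interval):
        self.base, self.peak, self.interval = base, peak, interval
        self.window_start = None
        self.current = 0   # bytes passed during the current interval
        self.previous = 0  # bytes passed during the previous interval

    def _roll(self, now):
        # Advance whole intervals; an idle interval counts as 0 bytes.
        if self.window_start is None:
            self.window_start = now
        while now - self.window_start >= self.interval:
            self.previous, self.current = self.current, 0
            self.window_start += self.interval

    def limit(self):
        # peak is only available if the previous interval stayed below base
        return self.peak if self.previous < self.base else self.base

    def allow(self, nbytes, now):
        """True if a message of nbytes fits in the current interval's budget.
        The real daemon would delay the writer instead; here we just report."""
        self._roll(now)
        if self.current + nbytes > self.limit():
            return False
        self.current += nbytes
        return True

def simulate(messages, base=512, peak=2048, interval=5.0):
    """messages: constructed (timestamp, nbytes) pairs -> per-message verdicts."""
    lim = RateLimiter(base, peak, interval)
    return [lim.allow(n, t) for t, n in messages]
```

With the sample values, a burst of 2000 bytes is accepted in the first interval, after which only base (512) bytes fit in the next one until a quiet interval restores the peak allowance.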

    Security

The jailkit socket daemon will change to user nobody and will chroot() into an empty directory once all sockets are opened. If the /dev/log socket is closed by the syslog daemon (for example during log rotation), jk_socketd needs a restart to open it again.

OPTIONS

-n --nodetach
  do not detach from the terminal and print debugging output
-p pidfile --pidfile=pidfile
  write PID to pidfile
-h --help
  show help screen
--socket=/path/to/socket
  do not read ini file, create specific socket
--base=integer
  message rate limit (in bytes) per interval for socket specified by --socket
--peak=integer
  message rate limit peak (in bytes) for socket specified by --socket
--interval=float
  message rate limit interval in seconds for socket specified by --socket

FILES

/etc/jailkit/jk_socketd.ini

DIAGNOSTICS

jk_socketd logs errors to syslog, so check your log files.

Otherwise run jk_socketd -n: it will not detach from the terminal and will print some debugging output.

SEE ALSO

jailkit(8) jk_check(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8) jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_uchroot(8) jk_update(8) chroot(2) syslogd(8)

COPYRIGHT

Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Olivier Sessink

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.



JAILKIT JK_SOCKETD (8) 02-08-2012
