NAME

DESCRIPTION
     appjail(1) is designed to be run by the root user, but this doesn't mean
     you can't run it as an unprivileged user. appjail(1) wraps an external
     tool to run itself with the appropriate privileges. The idea is to create
     the illusion that appjail(1) runs the same for both an unprivileged user
     and a privileged user, but in reality it runs as a privileged user, i.e.
     the root user. Of course, to create this illusion the external tool must
     be installed and configured properly. We recommend security/doas because
     it is lightweight, simple and secure. security/sudo has not yet been
     widely tested, but the same result can be achieved with it.

   Trusted User Group
     Creating a trusted group only makes sense if you want to allow multiple
     users to run appjail(1) as root; if a single user is enough, you can
     configure your external tool for that user directly.

           #

   External Tool Configuration
     security/doas is used in this example, so doas.conf(5) is the file we
     need to edit: we need to add rules that allow appjail(1) and
     appjail-config(1) to be run by the group configured in Trusted User
     Group, or by a single user.

           # appjail(1)
           permit nopass :appjail as root cmd appjail
           # Some applications, specifically x11 applications, require 'keepenv'
           # to be set.
           #permit nopass keepenv :appjail as root cmd appjail
           # appjail-config(1)
           permit nopass :appjail as root cmd appjail-config

   Unprivileged User
     After configuring the external tool as described in External Tool
     Configuration, we should be able to call appjail and appjail-config-user
     without problems. In the case of appjail-config(1), we must explicitly
     call appjail-config-user instead of simply appjail-config. This is a
     design decision, since the version with the -user suffix introduces a
     bit of overhead.

           $

SEE ALSO

AUTHORS
     Jesús Daniel Colmenares Oviedo <DtxdF@disroot.org>

CAVEATS
   Legacy Tool
     There is a legacy and deprecated tool on your system called
     appjail-user. It exists for backward compatibility and should not be
     used.

   Filesystem Permissions
     Some Makejail instructions operate on a file without modifying it, so if
     you create a file as an unprivileged user and the Makejail file uses an
     instruction such as COPY, the file is copied as is, which may not make
     sense for the application running inside the jail.

SECURITY CONSIDERATIONS
     This document assumes that the reader has the appropriate privileges to
     be root, so allowing unprivileged users to run appjail(1) effectively
     grants those users the ability to become root. If you only want them to
     run certain appjail(1) subcommands, configure your external tool
     accordingly.
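     The following doas.conf(5) rules are an added example of such a
     restriction and are not part of the appjail documentation; they use the
     doas `args` keyword to allow only an exact argument list, and the
     subcommand names shown are illustrative, so replace them with the
     appjail(1) subcommands you actually want to permit.

```conf
# Added example, not from appjail(1): grant the appjail group only specific
# appjail(1) subcommands instead of the whole tool.
#
# 'args' requires an exact match of the arguments supplied by the user, so
# 'appjail status' is permitted while 'appjail status -v' is not (unless
# listed separately). doas denies anything no rule permits.
permit nopass :appjail as root cmd appjail args status
permit nopass :appjail as root cmd appjail args jail list

# Rules are evaluated in order and the last matching rule wins, so a broad
# rule without an 'args' clause, such as the commented one below, must NOT
# appear after these restricted rules or it would re-grant everything.
#permit nopass :appjail as root cmd appjail
```

     doas -C on the configuration file followed by the command line to test
     (for example appjail status) prints the rule that would apply, which is
     a quick way to confirm that the restricted set behaves as intended
     before handing the group to users.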