jailed
This program is used to run other programs in a non-privileged
rootjail. Setting up a root jail is nontrivial for many programs, and
beyond the scope of this webpage.
Usage:
jailed user [-g<group>] [-r<secs>] [-c<chroot>] [-p<pidfile>] [-n<programname>] [-e<var>=<val>] [-d] [program [arguments]]
- 'user' is used to specify
the user to run as after the chroot has
been done, but before the 'program' is started. Note that jailed itself
keeps running as root in order to be able to restart the program if it
fails, or when the HUP signal is received.
- '-g<group>' is used
to set the group. If omitted, whatever
group is associated with the given user is used.
- If '-r<secs>' is
given, the program is restarted if it dies
when at least that many seconds have elapsed. Use '-r0' to disable
automatic restart. If omitted, '-r5' is assumed.
- '-c<chroot>' is
used to set the root point. If omitted, the
users home directory is used.
- '-p<pidfile>' is
used to set the filename to where jailed
will write jailed's PID. If omitted,
/var/run/jailed_<programname>.pid is used, where 'programname' is
whatever being used. If you use '-p' with no argument, no pid file is
written.
- '-n<programname>'
can be used to set the name that the
child will be referred to as in the syslog. It also sets the name used
in the default pidfile name, and the prefix on the stdout/stderr logs.
The default is to use the executable programs name, without the path.
- '-e<var>=<val>'
sets an environment variable in the
new jail. By default, the jail will have HOME=/, PATH=/bin and
USER=<user>. You may set new variables or replace these.
- Use '-d' to print
debugging output. This will show all the
parameters used when starting the child program on stderr before
starting the child.
- 'program' is the program
to start. Note that the programs path
must be relative to the chroot! If omitted, the users shell is used.
Anything that appears after the program is considered parameters to
pass to the program.
This is set up such that you can use /etc/passwd as a configuration
file, if you want. Or, you can specify everything on the command line.
If the jailroot root directory is writable by the jailroot user, then
two files are created containing the stdout and stderr output of the
program.
The files are named '/<programname>_stdout' and
'/<programname>_stderr'. They are created with 0600 permissions.
In addition, if the mkfifo() call is available and the HAVE_MKFIO
define is nonzero in the code (by default it is), then the fifo
'/<programname>_stdin' is created. You can send the program stdin
by simply echo'ing to the fifo.
Examples:
jailed www
(Start a chroot environment with user www at www's home directory, and
run whatever program www has as it's shell).
jailed games -c/opt/bfv /bfv_linded.static
(chroot to /opt/bfv, change the user to 'games', and run the program
/bfv_linded.static)
Download: HERE
Author: johan (at)
linkdata (dot) se
