jail.8 (168398) | jail.8 (185435) |
---|---|
1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 17 unchanged lines hidden (view full) --- 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" | 1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 17 unchanged lines hidden (view full) --- 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" |
34.\" $FreeBSD: head/usr.sbin/jail/jail.8 168398 2007-04-05 21:17:52Z pjd $ | 34.\" $FreeBSD: head/usr.sbin/jail/jail.8 185435 2008-11-29 14:32:14Z bz $ |
35.\" | 35.\" |
36.Dd April 5, 2007 | 36.Dd November 29, 2008 |
37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd "imprison process and its descendants" 42.Sh SYNOPSIS 43.Nm | 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd "imprison process and its descendants" 42.Sh SYNOPSIS 43.Nm |
44.Op Fl i | 44.Op Fl hi 45.Op Fl n Ar jailname |
45.Op Fl J Ar jid_file 46.Op Fl s Ar securelevel 47.Op Fl l u Ar username | Fl U Ar username | 46.Op Fl J Ar jid_file 47.Op Fl s Ar securelevel 48.Op Fl l u Ar username | Fl U Ar username |
48.Ar path hostname ip-number command ... | 49.Ar path hostname [ip[,..]] command ... |
49.Sh DESCRIPTION 50The 51.Nm 52utility imprisons a process and all future descendants. 53.Pp 54The options are as follows: 55.Bl -tag -width ".Fl u Ar username" | 50.Sh DESCRIPTION 51The 52.Nm 53utility imprisons a process and all future descendants. 54.Pp 55The options are as follows: 56.Bl -tag -width ".Fl u Ar username" |
57.It Fl h 58Resolve 59.Va hostname 60and add all IP addresses returned by the resolver 61to the list of 62.Va ip-addresses 63for this prison. 64This may affect default address selection for outgoing IPv4 connections 65of prisons. 66The address first returned by the resolver for the IPv4 address family 67will be used as default. 68For IPv6 source address selection is done by a well defined algorithm. |
|
56.It Fl i 57Output the jail identifier of the newly created jail. | 69.It Fl i 70Output the jail identifier of the newly created jail. |
71.It Fl n Ar jailname 72Assign and administrative name to the jail that can be used for management 73or auditing purposes. 74The system will 75.Sy not enforce 76the name to be unique. |
|
58.It Fl J Ar jid_file 59Write a 60.Ar jid_file 61file, containing jail identifier, path, hostname, IP and 62command used to start the jail. 63.It Fl l 64Run program in the clean environment. 65The environment is discarded except for --- 21 unchanged lines hidden (view full) --- 87.It Fl U Ar username 88The user name from jailed environment as whom the 89.Ar command 90should run. 91.It Ar path 92Directory which is to be the root of the prison. 93.It Ar hostname 94Hostname of the prison. | 77.It Fl J Ar jid_file 78Write a 79.Ar jid_file 80file, containing jail identifier, path, hostname, IP and 81command used to start the jail. 82.It Fl l 83Run program in the clean environment. 84The environment is discarded except for --- 21 unchanged lines hidden (view full) --- 106.It Fl U Ar username 107The user name from jailed environment as whom the 108.Ar command 109should run. 110.It Ar path 111Directory which is to be the root of the prison. 112.It Ar hostname 113Hostname of the prison. |
95.It Ar ip-number 96IP number assigned to the prison. | 114.It Ar ip-addresses 115None, one or more IPv4 and IPv6 addresses assigned to the prison. 116The first address of each address family that was assigned to the jail will 117be used as the source address in case source address selection on unbound 118sockets cannot find a better match. 119It is only possible to start multiple jails with the same IP address, 120if none of the jails has more than this single overlapping IP address 121assigned to itself for the address family in question. |
97.It Ar command 98Pathname of the program which is to be executed. 99.El 100.Pp 101Jails are typically set up using one of two philosophies: either to 102constrain a specific application (possibly running with privilege), or 103to create a 104.Dq "virtual system image" --- 69 unchanged lines hidden (view full) --- 174.Dq "host environment" , 175and to the jailed virtual machine as the 176.Dq "jail environment" . 177Since jail is implemented using IP aliases, one of the first things to do 178is to disable IP services on the host system that listen on all local 179IP addresses for a service. 180If a network service is present in the host environment that binds all 181available IP addresses rather than specific IP addresses, it may service | 122.It Ar command 123Pathname of the program which is to be executed. 124.El 125.Pp 126Jails are typically set up using one of two philosophies: either to 127constrain a specific application (possibly running with privilege), or 128to create a 129.Dq "virtual system image" --- 69 unchanged lines hidden (view full) --- 199.Dq "host environment" , 200and to the jailed virtual machine as the 201.Dq "jail environment" . 202Since jail is implemented using IP aliases, one of the first things to do 203is to disable IP services on the host system that listen on all local 204IP addresses for a service. 205If a network service is present in the host environment that binds all 206available IP addresses rather than specific IP addresses, it may service |
182requests sent to jail IP addresses. | 207requests sent to jail IP addresses if the jail did not bind the port. |
183This means changing 184.Xr inetd 8 185to only listen on the 186appropriate IP address, and so forth. 187Add the following to 188.Pa /etc/rc.conf 189in the host environment: 190.Bd -literal -offset indent --- 359 unchanged lines hidden (view full) --- 550This MIB entry determines if a privileged user inside a jail will be 551able to mount and unmount file system types marked as jail-friendly. 552The 553.Xr lsvfs 1 554command can be used to find file system types available for mount from within 555a jail. 556This functionality is disabled by default, but can be enabled by setting this 557MIB entry to 1. | 208This means changing 209.Xr inetd 8 210to only listen on the 211appropriate IP address, and so forth. 212Add the following to 213.Pa /etc/rc.conf 214in the host environment: 215.Bd -literal -offset indent --- 359 unchanged lines hidden (view full) --- 575This MIB entry determines if a privileged user inside a jail will be 576able to mount and unmount file system types marked as jail-friendly. 577The 578.Xr lsvfs 1 579command can be used to find file system types available for mount from within 580a jail. 581This functionality is disabled by default, but can be enabled by setting this 582MIB entry to 1. |
583.It Va security.jail.jail_max_af_ips 584This MIB entry determines how may address per address family a prison 585may have. The default is 255. |
|
558.El 559.Pp 560The read-only sysctl variable 561.Va security.jail.jailed 562can be used to determine if a process is running inside a jail (value 563is one) or not (value is zero). 564.Pp 565The --- 51 unchanged lines hidden (view full) --- 617for R&D Associates 618.Pa http://www.rndassociates.com/ 619who contributed it to 620.Fx . 621.Pp 622.An Robert Watson 623wrote the extended documentation, found a few bugs, added 624a few new features, and cleaned up the userland jail environment. | 586.El 587.Pp 588The read-only sysctl variable 589.Va security.jail.jailed 590can be used to determine if a process is running inside a jail (value 591is one) or not (value is zero). 592.Pp 593The --- 51 unchanged lines hidden (view full) --- 645for R&D Associates 646.Pa http://www.rndassociates.com/ 647who contributed it to 648.Fx . 649.Pp 650.An Robert Watson 651wrote the extended documentation, found a few bugs, added 652a few new features, and cleaned up the userland jail environment. |
653.Pp 654.An Bjoern A. Zeeb 655added multi-IP jail support for IPv4 and IPv6 based on a patch 656originally done by 657.An Pawel Jakub Dawidek 658for IPv4. |
|
625.Sh BUGS 626Jail currently lacks the ability to allow access to 627specific jail information via 628.Xr ps 1 629as opposed to 630.Xr procfs 5 . 631Similarly, it might be a good idea to add an 632address alias flag such that daemons listening on all IPs 633.Pq Dv INADDR_ANY 634will not bind on that address, which would facilitate building a safe 635host environment such that host daemons do not impose on services offered 636from within jails. 637Currently, the simplest answer is to minimize services 638offered on the host, possibly limiting it to services offered from 639.Xr inetd 8 640which is easily configurable. | 659.Sh BUGS 660Jail currently lacks the ability to allow access to 661specific jail information via 662.Xr ps 1 663as opposed to 664.Xr procfs 5 . 665Similarly, it might be a good idea to add an 666address alias flag such that daemons listening on all IPs 667.Pq Dv INADDR_ANY 668will not bind on that address, which would facilitate building a safe 669host environment such that host daemons do not impose on services offered 670from within jails. 671Currently, the simplest answer is to minimize services 672offered on the host, possibly limiting it to services offered from 673.Xr inetd 8 674which is easily configurable. |
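
Review bot: In the SYNOPSIS change (new line 49), the address argument is written with literal brackets inside `.Ar` (`.Ar path hostname [ip[,..]] command ...`) and is called `ip`, while the argument list documents the same argument as `.It Ar ip-addresses` (new line 114). Use one name in both places and express optionality with `.Op`, as the other optional arguments in this synopsis do. The comma-separated form implied by `[,..]` should also be spelled out in the `ip-addresses` item, which currently says only "None, one or more IPv4 and IPv6 addresses".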
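
Review bot: In the new `-h` item (new lines 57-68), the description should state explicitly that the jail's address set is whatever the resolver returns for `hostname` when the jail is created, since with this flag the command line alone no longer shows which addresses the prison holds. New line 68, "For IPv6 source address selection is done by a well defined algorithm.", needs a comma after "IPv6" and should name or cross-reference the algorithm instead of calling it "well defined". The item also marks `hostname` and `ip-addresses` with `.Va` where the argument list uses `.Ar` for both.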
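
Review bot: In the new `-n` item (new line 72), "Assign and administrative name" should read "Assign an administrative name". Because the text goes on to say the system will not enforce uniqueness while offering the name for "management or auditing purposes", add a sentence saying the name must not be treated as a unique key and pointing to the identifier that is, for example the jail identifier printed by `-i`.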
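
Review bot: In the `ip-addresses` item (new lines 114-121), the text allows "None" but does not say how an empty address list is written on the command line, given that the argument sits between `hostname` and `command` in the synopsis. The closing sentence on overlapping addresses (new lines 119-121) is hard to parse and has a stray comma before "if"; something like "Several jails may share an IP address only if that address is the sole address of its address family in each of those jails." states the same rule more directly.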
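
Review bot: In the `security.jail.jail_max_af_ips` entry (new lines 584-585), "how may address per address family" should read "how many addresses per address family", and "The default is 255." should start on its own source line as the other sentences in this file do. The entry should also say what happens when the limit is exceeded, in particular when `-h` adds "all IP addresses returned by the resolver" and that list is longer than the limit.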