jail.8 (f855cc4f362fd964cdb2a26502837d65cf07d88f) | jail.8 (bc84aa4ba392b392f15d988ddf09682340668672) |
---|---|
1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 42 unchanged lines hidden (view full) --- 51.Nm 52utility imprisons a process and all future descendants. 53.Pp 54The options are as follows: 55.Bl -tag -width ".Fl u Ar username" 56.It Fl i 57Output the jail identifier of the newly created jail. 58.It Fl J Ar jid_file | 1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 42 unchanged lines hidden (view full) --- 51.Nm 52utility imprisons a process and all future descendants. 53.Pp 54The options are as follows: 55.Bl -tag -width ".Fl u Ar username" 56.It Fl i 57Output the jail identifier of the newly created jail. 58.It Fl J Ar jid_file |
59Write a JidFile, like a PidFile, containing jailid, path, hostname, ip and | 59Write a 60.Ar jid_file 61file, containing jail identifier, path, hostname, IP and |
60command used to start the jail. 61.It Fl l 62Run program in the clean environment. 63The environment is discarded except for 64.Ev HOME , SHELL , TERM 65and 66.Ev USER . 67.Ev HOME 68and 69.Ev SHELL 70are set to the target login's default values. 71.Ev USER 72is set to the target login. 73.Ev TERM 74is imported from the current environment. 75The environment variables from the login class capability database for the 76target login are also set. 77.It Fl s Ar securelevel | 62command used to start the jail. 63.It Fl l 64Run program in the clean environment. 65The environment is discarded except for 66.Ev HOME , SHELL , TERM 67and 68.Ev USER . 69.Ev HOME 70and 71.Ev SHELL 72are set to the target login's default values. 73.Ev USER 74is set to the target login. 75.Ev TERM 76is imported from the current environment. 77The environment variables from the login class capability database for the 78target login are also set. 79.It Fl s Ar securelevel |
78Sets 79.Va kern.securelevel 80to the specified value inside the newly created jail. | 80Sets the 81.Va kern.securelevel 82sysctl variable to the specified value inside the newly created jail. |
81.It Fl u Ar username 82The user name from host environment as whom the 83.Ar command 84should run. 85.It Fl U Ar username 86The user name from jailed environment as whom the 87.Ar command 88should run. --- 47 unchanged lines hidden (view full) --- 136NOTE: It is important that only appropriate device nodes in devfs be 137exposed to a jail; access to disk devices in the jail may permit processes 138in the jail to bypass the jail sandboxing by modifying files outside of 139the jail. 140See 141.Xr devfs 8 142for information on how to use devfs rules to limit access to entries 143in the per-jail devfs. | 83.It Fl u Ar username 84The user name from host environment as whom the 85.Ar command 86should run. 87.It Fl U Ar username 88The user name from jailed environment as whom the 89.Ar command 90should run. --- 47 unchanged lines hidden (view full) --- 138NOTE: It is important that only appropriate device nodes in devfs be 139exposed to a jail; access to disk devices in the jail may permit processes 140in the jail to bypass the jail sandboxing by modifying files outside of 141the jail. 142See 143.Xr devfs 8 144for information on how to use devfs rules to limit access to entries 145in the per-jail devfs. |
144A simple devfs ruleset for jails is available as ruleset #4 in | 146A simple devfs ruleset for jails is available as ruleset #4 in |
145.Pa /etc/defaults/devfs.rules . 146.Pp 147In many cases this example would put far more in the jail than needed. 148In the other extreme case a jail might contain only one file: 149the executable to be run in the jail. 150.Pp 151We recommend experimentation and caution that it is a lot easier to 152start with a --- 388 unchanged lines hidden (view full) --- 541.Xr chflags 2 . 542If zero, such users are treated as unprivileged, and are unable to set 543or clear system file flags; if non-zero, such users are treated as 544privileged, and may manipulate system file flags subject to the usual 545constraints on 546.Va kern.securelevel . 547.El 548.Pp | 147.Pa /etc/defaults/devfs.rules . 148.Pp 149In many cases this example would put far more in the jail than needed. 150In the other extreme case a jail might contain only one file: 151the executable to be run in the jail. 152.Pp 153We recommend experimentation and caution that it is a lot easier to 154start with a --- 388 unchanged lines hidden (view full) --- 543.Xr chflags 2 . 544If zero, such users are treated as unprivileged, and are unable to set 545or clear system file flags; if non-zero, such users are treated as 546privileged, and may manipulate system file flags subject to the usual 547constraints on 548.Va kern.securelevel . 549.El 550.Pp |
549The read-only | 551The read-only sysctl variable |
550.Va security.jail.jailed | 552.Va security.jail.jailed |
551variable can be used to determine if a process is running inside a jail (value | 553can be used to determine if a process is running inside a jail (value |
552is one) or not (value is zero). 553.Pp 554The | 554is one) or not (value is zero). 555.Pp 556The |
555.Va security.jail.list 556MIB entry is read-only and it returns an array of | 557.Va security.jail.list 558MIB entry is read-only and it returns an array of |
557.Vt "struct xprison" 558defined in 559.In sys/jail.h . 560It is recommended to use the 561.Xr jls 8 562utility to see current active list of jails. 563.Pp 564There are currently two MIB related variables that have per-jail settings. --- 64 unchanged lines hidden --- | 559.Vt "struct xprison" 560defined in 561.In sys/jail.h . 562It is recommended to use the 563.Xr jls 8 564utility to see current active list of jails. 565.Pp 566There are currently two MIB related variables that have per-jail settings. --- 64 unchanged lines hidden --- |
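
Review bot: In the -J description (new lines 59-61), `.Ar jid_file` followed directly by the word "file" renders as "Write a jid_file file", which reads as a stutter. Consider wording such as "Write a file named `.Ar jid_file` containing the jail identifier, path, hostname, IP and command used to start the jail". The old text's comparison to a PidFile is also dropped; if that analogy was meant to tell readers how the file is intended to be used, say so explicitly in the new wording.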
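
Review bot: The "sysctl variable" wording introduced for kern.securelevel (new lines 80-82) and security.jail.jailed (new lines 551-553) is not carried into the unchanged text that follows, which still says "MIB entry" for security.jail.list (new line 558) and "MIB related variables" (new line 566). Pick one term for the whole section so readers do not take "sysctl variable" and "MIB entry" to be different kinds of object, and update those two paragraphs in the same change.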