1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" 34.\" $FreeBSD$ 35.\" 36.Dd April 8, 2003 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd "imprison process and its descendants" 42.Sh SYNOPSIS 43.Nm 44.Op Fl i 45.Op Fl u Ar username 46.Ar path hostname ip-number command ... 47.Sh DESCRIPTION 48The 49.Nm 50utility imprisons a process and all future descendants. 51.Pp 52The options are as follows: 53.Bl -tag -width ".Fl u Ar username" 54.It Fl i 55Output the jail identifier of the newly created jail. 56.It Fl u Ar username 57The user name as whom the 58.Ar command 59should run. 60.It Ar path 61Directory which is to be the root of the prison. 62.It Ar hostname 63Hostname of the prison. 64.It Ar ip-number 65IP number assigned to the prison. 66.It Ar command 67Pathname of the program which is to be executed. 68.El 69.Pp 70Jails are typically set up using one of two philosophies: either to 71constrain a specific application (possibly running with privilege), or 72to create a "virtual system image" running a variety of daemons and 73services. 74In both cases, a fairly complete file system install of FreeBSD is 75required, so as to provide the necessary command line tools, daemons, 76libraries, application configuration files, etc are available. 77However, for a virtual server configuration, a fair amount of 78additional work is required so as to configure the "boot" process. 79This man page documents the configuration steps necessary to support 80either of these steps, although the configuration steps may be 81refined based on local requirements. 82.Pp 83Please see the 84.Xr jail 2 85man page for further details. 86.Sh EXAMPLES 87.Ss "Setting up a Jail Directory Tree" 88This example shows how to setup a jail directory tree 89containing an entire 90.Fx 91distribution: 92.Bd -literal 93D=/here/is/the/jail 94cd /usr/src 95mkdir -p $D 96make world DESTDIR=$D 97cd etc 98make distribution DESTDIR=$D 99mount_devfs devfs $D/dev 100cd $D 101ln -sf dev/null kernel 102.Ed 103.Pp 104NOTE: It is important that only appropriate device nodes in devfs be 105exposed to a jail; access to disk devices in the jail may permit processes 106in the jail to bypass the jail sandboxing by modifying files outside of 107the jail. 108See 109.Xr devfs 8 110for information on how to use devfs rules to limit access to entries 111in the per-jail devfs. 112.Pp 113In many cases this example would put far more stuff in the jail than is needed. 114In the other extreme case a jail might contain only one single file: 115the executable to be run in the jail. 116.Pp 117We recommend experimentation and caution that it is a lot easier to 118start with a 119.Dq fat 120jail and remove things until it stops working, 121than it is to start with a 122.Dq thin 123jail and add things until it works. 124.Ss "Setting Up a Jail" 125Do what was described in 126.Sx "Setting Up a Jail Directory Tree" 127to build the jail directory tree. 128For the sake of this example, we will 129assume you built it in 130.Pa /data/jail/192.168.11.100 , 131named for the jailed IP address. 132Substitute below as needed with your 133own directory, IP address, and hostname. 134.Ss "Setting up the Host Environment" 135First, you will want to set up your real system's environment to be 136.Dq jail-friendly . 137For consistency, we will refer to the parent box as the 138.Dq "host environment" , 139and to the jailed virtual machine as the 140.Dq "jail environment" . 141Because jail is implemented using IP aliases, one of the first things to do 142is to disable IP services on the host system that listen on all local 143IP addresses for a service. 144If a network service is present in the host environment that binds all 145available IP addresses rather than specific IP addresses, it may service 146requests sent to jail IP addresses. 147This means changing 148.Xr inetd 8 149to only listen on the 150appropriate IP address, and so forth. 151Add the following to 152.Pa /etc/rc.conf 153in the host environment: 154.Bd -literal -offset indent 155sendmail_enable="NO" 156inetd_flags="-wW -a 192.168.11.23" 157rpcbind_enable="NO" 158.Ed 159.Pp 160.Li 192.168.11.23 161is the native IP address for the host system, in this example. 162Daemons that run out of 163.Xr inetd 8 164can be easily set to use only the specified host IP address. 165Other daemons 166will need to be manually configured\(emfor some this is possible through 167the 168.Xr rc.conf 5 169flags entries, for others it is necessary to modify per-application 170configuration files, or to recompile the application. 171The following frequently deployed services must have their individual 172configuration files modified to limit the application to listening 173to a specific IP address: 174.Pp 175To configure 176.Xr sshd 8 , 177it is necessary to modify 178.Pa /etc/ssh/sshd_config . 179.Pp 180To configure 181.Xr sendmail 8 , 182it is necessary to modify 183.Pa /etc/mail/sendmail.cf . 184.Pp 185For 186.Xr named 8 , 187it is necessary to modify 188.Pa /etc/namedb/named.conf . 189.Pp 190In addition, a number of services must be recompiled in order to run 191them in the host environment. 192This includes most applications providing services using 193.Xr rpc 3 , 194such as 195.Xr rpcbind 8, 196.Xr nfsd 8 , 197and 198.Xr mountd 8 . 199In general, applications for which it is not possible to specify which 200IP address to bind should not be run in the host environment unless they 201should also service requests sent to jail IP addresses. 202Attempting to serve 203NFS from the host environment may also cause confusion, and cannot be 204easily reconfigured to use only specific IPs, as some NFS services are 205hosted directly from the kernel. 206Any third party network software running 207in the host environment should also be checked and configured so that it 208does not bind all IP addresses, which would result in those services also 209appearing to be offered by the jail environments. 210.Pp 211Once 212these daemons have been disabled or fixed in the host environment, it is 213best to reboot so that all daemons are in a known state, to reduce the 214potential for confusion later (such as finding that when you send mail 215to a jail, and its sendmail is down, the mail is delivered to the host, 216etc.) 217.Ss Configuring the Jail 218.Pp 219Start any jails for the first time without configuring the network 220interface so that you can clean it up a little and set up accounts. 221As 222with any machine (virtual or not) you will need to set a root password, time 223zone, etc. 224Some of these steps apply only if you intend to run a full virtual server 225inside the jail; others apply for both constraining a particular application 226or for a virtual server. 227.Pp 228Start a shell in the jail: 229.Pp 230.Dl "jail /data/jail/192.168.11.100 testhostname 192.168.11.100 /bin/sh" 231.Pp 232You will end up with a shell prompt, assuming no errors, within the jail. 233You can now run 234.Pa /usr/sbin/sysinstall 235and do the post-install configuration to set various configuration options, 236or perform these actions manually by editing 237.Pa /etc/rc.conf , 238etc. 239.Pp 240.Bl -bullet -offset indent -compact 241.It 242Create an empty 243.Pa /etc/fstab 244to quell startup warnings about missing fstab (virtual server only) 245.It 246Disable the port mapper 247.Pa ( /etc/rc.conf : 248.Li rpcbind_enable="NO" ) 249(virtual server only) 250.It 251Run 252.Xr newaliases 1 253to quell 254.Xr sendmail 8 255warnings. 256.It 257Disable interface configuration to quell startup warnings about 258.Xr ifconfig 8 259.Pq Li network_interfaces="" 260(virtual server only) 261.It 262Configure 263.Pa /etc/resolv.conf 264so that name resolution within the jail will work correctly 265.It 266Set a root password, probably different from the real host system 267.It 268Set the timezone 269.It 270Add accounts for users in the jail environment 271.It 272Install any packages the environment requires 273.El 274.Pp 275You may also want to perform any package-specific configuration (web servers, 276SSH servers, etc), patch up 277.Pa /etc/syslog.conf 278so it logs as you would like, etc. 279If you are not using a virtual server, you may wish to modify 280.Xr syslogd 8 281in the host environment to listen on the syslog socket in the jail 282environment; in this example, the syslog socket would be stored in 283.Pa /data/jail/192.168.11.100/var/run/log . 284.Pp 285Exit from the shell, and the jail will be shut down. 286.Ss "Starting the Jail" 287You are now ready to restart the jail and bring up the environment with 288all of its daemons and other programs. 289If you are running a single application in the jail, substitute the 290command used to start the application for 291.Pa /etc/rc 292in the examples below. 293To start a virtual server environment, 294.Pa /etc/rc 295is run to launch various daemons and services. 296To do this, first bring up the 297virtual host interface, and then start the jail's 298.Pa /etc/rc 299script from within the jail. 300.Pp 301NOTE: If you plan to allow untrusted users to have root access inside the 302jail, you may wish to consider setting the 303.Va security.jail.set_hostname_allowed 304sysctl variable to 0. 305Please see the management discussion later in this document as to why this 306is a good idea. 307If you do decide to set this variable, 308it must be set before starting any jails, and once each boot. 309.Bd -literal -offset indent 310ifconfig ed0 inet alias 192.168.11.100/32 311mount -t procfs proc /data/jail/192.168.11.100/proc 312jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \\ 313 /bin/sh /etc/rc 314.Ed 315.Pp 316A few warnings will be produced, because most 317.Xr sysctl 8 318configuration variables cannot be set from within the jail, as they are 319global across all jails and the host environment. 320However, it should all 321work properly. 322You should be able to see 323.Xr inetd 8 , 324.Xr syslogd 8 , 325and other processes running within the jail using 326.Xr ps 1 , 327with the 328.Ql J 329flag appearing beside jailed processes. 330To see an active list of jails, use the 331.Xr jls 8 332utility. 333You should also be able to 334.Xr telnet 1 335to the hostname or IP address of the jailed environment, and log 336in using the accounts you created previously. 337.Ss "Managing the Jail" 338Normal machine shutdown commands, such as 339.Xr halt 8 , 340.Xr reboot 8 , 341and 342.Xr shutdown 8 , 343cannot be used successfully within the jail. 344To kill all processes in a 345jail, you may log into the jail and, as root, use one of the following 346commands, depending on what you want to accomplish: 347.Pp 348.Bd -literal -offset indent 349kill -TERM -1 350kill -KILL -1 351.Ed 352.Pp 353This will send the 354.Dv SIGTERM 355or 356.Dv SIGKILL 357signals to all processes in the jail from within the jail. 358Depending on 359the intended use of the jail, you may also want to run 360.Pa /etc/rc.shutdown 361from within the jail. 362To kill processes from outside the jail, use the 363.Xr jexec 8 364utility in conjuction with the one of the 365.Xr kill 1 366commands above, or use the 367.Xr killall 1 368utility with the 369.Fl j 370option. 371.Pp 372The 373.Pa /proc/ Ns Ar pid Ns Pa /status 374file contains, as its last field, the hostname of the jail in which the 375process runs, or 376.Dq Li - 377to indicate that the process is not running within a jail. 378The 379.Xr ps 1 380command also shows a 381.Ql J 382flag for processes in a jail. 383However, the hostname for a jail may be, by 384default, modified from within the jail, so the 385.Pa /proc 386status entry is unreliable by default. 387To disable the setting of the hostname 388from within a jail, set the 389.Va security.jail.set_hostname_allowed 390sysctl variable in the host environment to 0, which will affect all jails. 391You can have this sysctl set on each boot using 392.Xr sysctl.conf 5 . 393Just add the following line to 394.Pa /etc/sysctl.conf : 395.Pp 396.Dl security.jail.set_hostname_allowed=0 397.Ss "Sysctl MIB Entries" 398Certain aspects of the jail containments environment may be modified from 399the host environment using 400.Xr sysctl 8 401MIB variables. 402Currently, these variables affect all jails on the system, although in 403the future this functionality may be finer grained. 404.Bl -tag -width XXX 405.It Va security.jail.allow_raw_sockets 406This MIB entry determines whether or not prison root is allowed to 407create raw sockets. 408Setting this MIB to 1 allows utilities like 409.Xr ping 8 410and 411.Xr traceroute 8 412to operate inside the prison. 413If this MIB 414is set, the source IP addresses are enforced to comply 415with the IP address bound to the jail, regardless of whether or not 416the 417.Dv IP_HDRINCL 418flag has been set on the socket. 419.It Va security.jail.set_hostname_allowed 420This MIB entry determines whether or not processes within a jail are 421allowed to change their hostname via 422.Xr hostname 1 423or 424.Xr sethostname 3 . 425In the current jail implementation, the ability to set the hostname from 426within the jail can impact management tools relying on the accuracy of jail 427information in 428.Pa /proc . 429As such, this should be disabled in environments where privileged access to 430jails is given out to untrusted parties. 431.It Va security.jail.socket_unixiproute_only 432The jail functionality binds an IPv4 address to each jail, and limits 433access to other network addresses in the IPv4 space that may be available 434in the host environment. 435However, jail is not currently able to limit access to other network 436protocol stacks that have not had jail functionality added to them. 437As such, by default, processes within jails may only access protocols 438in the following domains: 439.Dv PF_LOCAL , PF_INET , 440and 441.Dv PF_ROUTE , 442permitting them access to 443.Ux 444domain sockets, 445IPv4 addresses, and routing sockets. 446To enable access to other domains, this MIB variable may be set to 4470. 448.It Va security.jail.sysvipc_allowed 449This MIB entry determines whether or not processes within a jail have access 450to System V IPC primitives. 451In the current jail implementation, System V primitives share a single 452namespace across the host and jail environments, meaning that processes 453within a jail would be able to communicate with (and potentially interfere 454with) processes outside of the jail, and in other jails. 455As such, this functionality is disabled by default, but can be enabled 456by setting this MIB entry to 1. 457.El 458.Pp 459There are currently two MIB related variables that have per-jail settings. 460Changes to these variables by a jailed process do not effect the host 461environment, only the jail environment. 462The variables are 463.Va kern.securelevel 464and 465.Va kern.hostname . 466.Sh SEE ALSO 467.Xr killall 1 , 468.Xr newaliases 1 , 469.Xr ps 1 , 470.Xr chroot 2 , 471.Xr jail 2 , 472.Xr jail_attach 2 , 473.Xr procfs 5 , 474.Xr rc.conf 5 , 475.Xr sysctl.conf 5 , 476.Xr devfs 8 , 477.Xr halt 8 , 478.Xr inetd 8 , 479.Xr jexec 8 , 480.Xr jls 8 , 481.Xr mount_devfs 8 , 482.Xr named 8 , 483.Xr reboot 8 , 484.Xr rpcbind 8 , 485.Xr sendmail 8 , 486.Xr shutdown 8 , 487.Xr sysctl 8 , 488.Xr syslogd 8 489.Sh HISTORY 490The 491.Nm 492utility appeared in 493.Fx 4.0 . 494.Sh AUTHORS 495.An -nosplit 496The jail feature was written by 497.An Poul-Henning Kamp 498for R&D Associates 499.Pa http://www.rndassociates.com/ 500who contributed it to 501.Fx . 502.Pp 503.An Robert Watson 504wrote the extended documentation, found a few bugs, added 505a few new features, and cleaned up the userland jail environment. 506.Sh BUGS 507Jail currently lacks the ability to allow access to 508specific jail information via 509.Xr ps 1 510as opposed to 511.Xr procfs 5 . 512Similarly, it might be a good idea to add an 513address alias flag such that daemons listening on all IPs 514.Pq Dv INADDR_ANY 515will not bind on that address, which would facilitate building a safe 516host environment such that host daemons do not impose on services offered 517from within jails. 518Currently, the simplist answer is to minimize services 519offered on the host, possibly limiting it to services offered from 520.Xr inetd 8 521which is easily configurable. 522