1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" 34.\" $FreeBSD$ 35.\" 36.Dd August 7, 2005 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd "imprison process and its descendants" 42.Sh SYNOPSIS 43.Nm 44.Op Fl i 45.Op Fl l u Ar username | Fl U Ar username 46.Ar path hostname ip-number command ... 47.Sh DESCRIPTION 48The 49.Nm 50utility imprisons a process and all future descendants. 51.Pp 52The options are as follows: 53.Bl -tag -width ".Fl u Ar username" 54.It Fl i 55Output the jail identifier of the newly created jail. 56.It Fl l 57Run program in the clean environment. 58The environment is discarded except for 59.Ev HOME , SHELL , TERM 60and 61.Ev USER . 62.Ev HOME 63and 64.Ev SHELL 65are set to the target login's default values. 66.Ev USER 67is set to the target login. 68.Ev TERM 69is imported from the current environment. 70The environment variables from the login class capability database for the 71target login are also set. 72.It Fl u Ar username 73The user name from host environment as whom the 74.Ar command 75should run. 76.It Fl U Ar username 77The user name from jailed environment as whom the 78.Ar command 79should run. 80.It Ar path 81Directory which is to be the root of the prison. 82.It Ar hostname 83Hostname of the prison. 84.It Ar ip-number 85IP number assigned to the prison. 86.It Ar command 87Pathname of the program which is to be executed. 88.El 89.Pp 90Jails are typically set up using one of two philosophies: either to 91constrain a specific application (possibly running with privilege), or 92to create a 93.Dq "virtual system image" 94running a variety of daemons and services. 95In both cases, a fairly complete file system install of 96.Fx 97is 98required, so as to provide the necessary command line tools, daemons, 99libraries, application configuration files, etc. 100However, for a virtual server configuration, a fair amount of 101additional work is required so as to configure the 102.Dq boot 103process. 104This manual page documents the configuration steps necessary to support 105either of these steps, although the configuration steps may be 106refined based on local requirements. 107.Pp 108Please see the 109.Xr jail 2 110man page for further details. 111.Sh EXAMPLES 112.Ss "Setting up a Jail Directory Tree" 113This example shows how to set up a jail directory tree 114containing an entire 115.Fx 116distribution: 117.Bd -literal 118D=/here/is/the/jail 119cd /usr/src 120mkdir -p $D 121make world DESTDIR=$D 122make distribution DESTDIR=$D 123mount_devfs devfs $D/dev 124.Ed 125.Pp 126NOTE: It is important that only appropriate device nodes in devfs be 127exposed to a jail; access to disk devices in the jail may permit processes 128in the jail to bypass the jail sandboxing by modifying files outside of 129the jail. 130See 131.Xr devfs 8 132for information on how to use devfs rules to limit access to entries 133in the per-jail devfs. 134.Pp 135In many cases this example would put far more in the jail than needed. 136In the other extreme case a jail might contain only one file: 137the executable to be run in the jail. 138.Pp 139We recommend experimentation and caution that it is a lot easier to 140start with a 141.Dq fat 142jail and remove things until it stops working, 143than it is to start with a 144.Dq thin 145jail and add things until it works. 146.Ss "Setting Up a Jail" 147Do what was described in 148.Sx "Setting Up a Jail Directory Tree" 149to build the jail directory tree. 150For the sake of this example, we will 151assume you built it in 152.Pa /data/jail/192.168.11.100 , 153named for the jailed IP address. 154Substitute below as needed with your 155own directory, IP address, and hostname. 156.Ss "Setting up the Host Environment" 157First, you will want to set up your real system's environment to be 158.Dq jail-friendly . 159For consistency, we will refer to the parent box as the 160.Dq "host environment" , 161and to the jailed virtual machine as the 162.Dq "jail environment" . 163Since jail is implemented using IP aliases, one of the first things to do 164is to disable IP services on the host system that listen on all local 165IP addresses for a service. 166If a network service is present in the host environment that binds all 167available IP addresses rather than specific IP addresses, it may service 168requests sent to jail IP addresses. 169This means changing 170.Xr inetd 8 171to only listen on the 172appropriate IP address, and so forth. 173Add the following to 174.Pa /etc/rc.conf 175in the host environment: 176.Bd -literal -offset indent 177sendmail_enable="NO" 178inetd_flags="-wW -a 192.168.11.23" 179rpcbind_enable="NO" 180.Ed 181.Pp 182.Li 192.168.11.23 183is the native IP address for the host system, in this example. 184Daemons that run out of 185.Xr inetd 8 186can be easily set to use only the specified host IP address. 187Other daemons 188will need to be manually configured\(emfor some this is possible through 189the 190.Xr rc.conf 5 191flags entries; for others it is necessary to modify per-application 192configuration files, or to recompile the applications. 193The following frequently deployed services must have their individual 194configuration files modified to limit the application to listening 195to a specific IP address: 196.Pp 197To configure 198.Xr sshd 8 , 199it is necessary to modify 200.Pa /etc/ssh/sshd_config . 201.Pp 202To configure 203.Xr sendmail 8 , 204it is necessary to modify 205.Pa /etc/mail/sendmail.cf . 206.Pp 207For 208.Xr named 8 , 209it is necessary to modify 210.Pa /etc/namedb/named.conf . 211.Pp 212In addition, a number of services must be recompiled in order to run 213them in the host environment. 214This includes most applications providing services using 215.Xr rpc 3 , 216such as 217.Xr rpcbind 8 , 218.Xr nfsd 8 , 219and 220.Xr mountd 8 . 221In general, applications for which it is not possible to specify which 222IP address to bind should not be run in the host environment unless they 223should also service requests sent to jail IP addresses. 224Attempting to serve 225NFS from the host environment may also cause confusion, and cannot be 226easily reconfigured to use only specific IPs, as some NFS services are 227hosted directly from the kernel. 228Any third-party network software running 229in the host environment should also be checked and configured so that it 230does not bind all IP addresses, which would result in those services' also 231appearing to be offered by the jail environments. 232.Pp 233Once 234these daemons have been disabled or fixed in the host environment, it is 235best to reboot so that all daemons are in a known state, to reduce the 236potential for confusion later (such as finding that when you send mail 237to a jail, and its sendmail is down, the mail is delivered to the host, 238etc.). 239.Ss "Configuring the Jail" 240Start any jail for the first time without configuring the network 241interface so that you can clean it up a little and set up accounts. 242As 243with any machine (virtual or not) you will need to set a root password, time 244zone, etc. 245Some of these steps apply only if you intend to run a full virtual server 246inside the jail; others apply both for constraining a particular application 247or for running a virtual server. 248.Pp 249Start a shell in the jail: 250.Pp 251.Dl "jail /data/jail/192.168.11.100 testhostname 192.168.11.100 /bin/sh" 252.Pp 253Assuming no errors, you will end up with a shell prompt within the jail. 254You can now run 255.Pa /usr/sbin/sysinstall 256and do the post-install configuration to set various configuration options, 257or perform these actions manually by editing 258.Pa /etc/rc.conf , 259etc. 260.Pp 261.Bl -bullet -offset indent -compact 262.It 263Create an empty 264.Pa /etc/fstab 265to quell startup warnings about missing fstab (virtual server only) 266.It 267Disable the port mapper 268.Pa ( /etc/rc.conf : 269.Li rpcbind_enable="NO" ) 270(virtual server only) 271.It 272Configure 273.Pa /etc/resolv.conf 274so that name resolution within the jail will work correctly 275.It 276Run 277.Xr newaliases 1 278to quell 279.Xr sendmail 8 280warnings. 281.It 282Disable interface configuration to quell startup warnings about 283.Xr ifconfig 8 284.Pq Li network_interfaces="" 285(virtual server only) 286.It 287Set a root password, probably different from the real host system 288.It 289Set the timezone 290.It 291Add accounts for users in the jail environment 292.It 293Install any packages the environment requires 294.El 295.Pp 296You may also want to perform any package-specific configuration (web servers, 297SSH servers, etc), patch up 298.Pa /etc/syslog.conf 299so it logs as you would like, etc. 300If you are not using a virtual server, you may wish to modify 301.Xr syslogd 8 302in the host environment to listen on the syslog socket in the jail 303environment; in this example, the syslog socket would be stored in 304.Pa /data/jail/192.168.11.100/var/run/log . 305.Pp 306Exit from the shell, and the jail will be shut down. 307.Ss "Starting the Jail" 308You are now ready to restart the jail and bring up the environment with 309all of its daemons and other programs. 310If you are running a single application in the jail, substitute the 311command used to start the application for 312.Pa /etc/rc 313in the examples below. 314To start a virtual server environment, 315.Pa /etc/rc 316is run to launch various daemons and services. 317To do this, first bring up the 318virtual host interface, and then start the jail's 319.Pa /etc/rc 320script from within the jail. 321.Pp 322NOTE: If you plan to allow untrusted users to have root access inside the 323jail, you may wish to consider setting the 324.Va security.jail.set_hostname_allowed 325sysctl variable to 0. 326Please see the management discussion later in this document as to why this 327may be a good idea. 328If you do decide to set this variable, 329it must be set before starting any jails, and once each boot. 330.Bd -literal -offset indent 331ifconfig ed0 inet alias 192.168.11.100/32 332mount -t procfs proc /data/jail/192.168.11.100/proc 333jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \\ 334 /bin/sh /etc/rc 335.Ed 336.Pp 337A few warnings will be produced, because most 338.Xr sysctl 8 339configuration variables cannot be set from within the jail, as they are 340global across all jails and the host environment. 341However, it should all 342work properly. 343You should be able to see 344.Xr inetd 8 , 345.Xr syslogd 8 , 346and other processes running within the jail using 347.Xr ps 1 , 348with the 349.Ql J 350flag appearing beside jailed processes. 351To see an active list of jails, use the 352.Xr jls 8 353utility. 354You should also be able to 355.Xr telnet 1 356to the hostname or IP address of the jailed environment, and log 357in using the accounts you created previously. 358.Pp 359It is possible to have jails started at boot time. 360Please refer to the 361.Dq jail_* 362variables in 363.Xr rc.conf 5 364for more information. 365The 366.Xr rc 8 367jail script provides a flexible system to start/stop jails: 368.Bd -literal 369/etc/rc.d/jail start 370/etc/rc.d/jail stop 371/etc/rc.d/jail start myjail 372/etc/rc.d/jail stop myjail 373.Ed 374.Ss "Managing the Jail" 375Normal machine shutdown commands, such as 376.Xr halt 8 , 377.Xr reboot 8 , 378and 379.Xr shutdown 8 , 380cannot be used successfully within the jail. 381To kill all processes in a 382jail, you may log into the jail and, as root, use one of the following 383commands, depending on what you want to accomplish: 384.Pp 385.Bd -literal -offset indent 386kill -TERM -1 387kill -KILL -1 388.Ed 389.Pp 390This will send the 391.Dv SIGTERM 392or 393.Dv SIGKILL 394signals to all processes in the jail from within the jail. 395Depending on 396the intended use of the jail, you may also want to run 397.Pa /etc/rc.shutdown 398from within the jail. 399To kill processes from outside the jail, use the 400.Xr jexec 8 401utility in conjunction with the one of the 402.Xr kill 1 403commands above. 404.Pp 405The 406.Pa /proc/ Ns Ar pid Ns Pa /status 407file contains, as its last field, the hostname of the jail in which the 408process runs, or 409.Dq Li - 410to indicate that the process is not running within a jail. 411The 412.Xr ps 1 413command also shows a 414.Ql J 415flag for processes in a jail. 416However, the hostname for a jail may be, by 417default, modified from within the jail, so the 418.Pa /proc 419status entry is unreliable by default. 420To disable the setting of the hostname 421from within a jail, set the 422.Va security.jail.set_hostname_allowed 423sysctl variable in the host environment to 0, which will affect all jails. 424You can have this sysctl set on each boot using 425.Xr sysctl.conf 5 . 426Just add the following line to 427.Pa /etc/sysctl.conf : 428.Pp 429.Dl security.jail.set_hostname_allowed=0 430.Pp 431You can also list/kill processes based on their jail ID. 432To show processes and their jail ID, use the following command: 433.Pp 434.Dl "ps ax -o pid,jid,args" 435.Pp 436To show and then kill processes in jail number 3 use the following commands: 437.Bd -literal -offset indent 438pgrep -lfj 3 439pkill -j 3 440.Ed 441or: 442.Pp 443.Dl "killall -j 3" 444.Ss "Sysctl MIB Entries" 445Certain aspects of the jail containments environment may be modified from 446the host environment using 447.Xr sysctl 8 448MIB variables. 449Currently, these variables affect all jails on the system, although in 450the future this functionality may be finer grained. 451.Bl -tag -width XXX 452.It Va security.jail.allow_raw_sockets 453This MIB entry determines whether or not prison root is allowed to 454create raw sockets. 455Setting this MIB to 1 allows utilities like 456.Xr ping 8 457and 458.Xr traceroute 8 459to operate inside the prison. 460If this MIB 461is set, the source IP addresses are enforced to comply 462with the IP address bound to the jail, regardless of whether or not 463the 464.Dv IP_HDRINCL 465flag has been set on the socket. 466Since raw sockets can be used to configure 467and interact with various network subsystems, extra caution should be used 468where privileged access to jails is given out to untrusted parties. 469As such, 470by default this option is disabled. 471.It Va security.jail.enforce_statfs 472This MIB entry determines which information processes in a jail are 473able to get about mount-points. 474It affects the behaviour of the following syscalls: 475.Xr statfs 2 , 476.Xr fstatfs 2 , 477.Xr getfsstat 2 478and 479.Xr fhstatfs 2 480(as well as similar compatibility syscalls). 481When set to 0, all mount-points are available without any restrictions. 482When set to 1, only mount-points below the jail's chroot directory are 483visible. 484In addition to that, the path to the jail's chroot directory is removed 485from the front of their pathnames. 486When set to 2 (default), above syscalls can operate only on a mount-point 487where the jail's chroot directory is located. 488.It Va security.jail.set_hostname_allowed 489This MIB entry determines whether or not processes within a jail are 490allowed to change their hostname via 491.Xr hostname 1 492or 493.Xr sethostname 3 . 494In the current jail implementation, the ability to set the hostname from 495within the jail can impact management tools relying on the accuracy of jail 496information in 497.Pa /proc . 498As such, this should be disabled in environments where privileged access to 499jails is given out to untrusted parties. 500.It Va security.jail.socket_unixiproute_only 501The jail functionality binds an IPv4 address to each jail, and limits 502access to other network addresses in the IPv4 space that may be available 503in the host environment. 504However, jail is not currently able to limit access to other network 505protocol stacks that have not had jail functionality added to them. 506As such, by default, processes within jails may only access protocols 507in the following domains: 508.Dv PF_LOCAL , PF_INET , 509and 510.Dv PF_ROUTE , 511permitting them access to 512.Ux 513domain sockets, 514IPv4 addresses, and routing sockets. 515To enable access to other domains, this MIB variable may be set to 5160. 517.It Va security.jail.sysvipc_allowed 518This MIB entry determines whether or not processes within a jail have access 519to System V IPC primitives. 520In the current jail implementation, System V primitives share a single 521namespace across the host and jail environments, meaning that processes 522within a jail would be able to communicate with (and potentially interfere 523with) processes outside of the jail, and in other jails. 524As such, this functionality is disabled by default, but can be enabled 525by setting this MIB entry to 1. 526.It Va security.jail.chflags_allowed 527This MIB entry determines how a privileged user inside a jail will be 528treated by 529.Xr chflags 2 . 530If zero, such users are treated as unprivileged, and are unable to set 531or clear system file flags; if non-zero, such users are treated as 532privileged, and may manipulate system file flags subject to the usual 533constraints on 534.Va kern.securelevel . 535.El 536.Pp 537There are currently two MIB related variables that have per-jail settings. 538Changes to these variables by a jailed process do not effect the host 539environment, only the jail environment. 540The variables are 541.Va kern.securelevel 542and 543.Va kern.hostname . 544.Sh SEE ALSO 545.Xr killall 1 , 546.Xr newaliases 1 , 547.Xr pgrep 1 , 548.Xr pkill 1 , 549.Xr ps 1 , 550.Xr chroot 2 , 551.Xr jail 2 , 552.Xr jail_attach 2 , 553.Xr procfs 5 , 554.Xr rc.conf 5 , 555.Xr sysctl.conf 5 , 556.Xr devfs 8 , 557.Xr halt 8 , 558.Xr inetd 8 , 559.Xr jexec 8 , 560.Xr jls 8 , 561.Xr mount_devfs 8 , 562.Xr named 8 , 563.Xr reboot 8 , 564.Xr rpcbind 8 , 565.Xr sendmail 8 , 566.Xr shutdown 8 , 567.Xr sysctl 8 , 568.Xr syslogd 8 569.Sh HISTORY 570The 571.Nm 572utility appeared in 573.Fx 4.0 . 574.Sh AUTHORS 575.An -nosplit 576The jail feature was written by 577.An Poul-Henning Kamp 578for R&D Associates 579.Pa http://www.rndassociates.com/ 580who contributed it to 581.Fx . 582.Pp 583.An Robert Watson 584wrote the extended documentation, found a few bugs, added 585a few new features, and cleaned up the userland jail environment. 586.Sh BUGS 587Jail currently lacks the ability to allow access to 588specific jail information via 589.Xr ps 1 590as opposed to 591.Xr procfs 5 . 592Similarly, it might be a good idea to add an 593address alias flag such that daemons listening on all IPs 594.Pq Dv INADDR_ANY 595will not bind on that address, which would facilitate building a safe 596host environment such that host daemons do not impose on services offered 597from within jails. 598Currently, the simplest answer is to minimize services 599offered on the host, possibly limiting it to services offered from 600.Xr inetd 8 601which is easily configurable. 602