1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" 34.\" $FreeBSD$ 35.\" 36.Dd April 8, 2003 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd "imprison process and its descendants" 42.Sh SYNOPSIS 43.Nm 44.Op Fl i 45.Op Fl l u Ar username | Fl U Ar username 46.Ar path hostname ip-number command ... 47.Sh DESCRIPTION 48The 49.Nm 50utility imprisons a process and all future descendants. 51.Pp 52The options are as follows: 53.Bl -tag -width ".Fl u Ar username" 54.It Fl i 55Output the jail identifier of the newly created jail. 56.It Fl l 57Run program in the clean environment. 58The environment is discarded except for 59.Ev HOME , SHELL , TERM 60and 61.Ev USER . 62.Ev HOME 63and 64.Ev SHELL 65are set to the target login's default values. 66.Ev USER 67is set to the target login. 68.Ev TERM 69is imported from the current environment. 70The environment variables from the login class capability database for the 71target login are also set. 72.It Fl u Ar username 73The user name from host environment as whom the 74.Ar command 75should run. 76.It Fl U Ar username 77The user name from jailed environment as whom the 78.Ar command 79should run. 80.It Ar path 81Directory which is to be the root of the prison. 82.It Ar hostname 83Hostname of the prison. 84.It Ar ip-number 85IP number assigned to the prison. 86.It Ar command 87Pathname of the program which is to be executed. 88.El 89.Pp 90Jails are typically set up using one of two philosophies: either to 91constrain a specific application (possibly running with privilege), or 92to create a 93.Dq "virtual system image" 94running a variety of daemons and services. 95In both cases, a fairly complete file system install of 96.Fx 97is 98required, so as to provide the necessary command line tools, daemons, 99libraries, application configuration files, etc. 100However, for a virtual server configuration, a fair amount of 101additional work is required so as to configure the 102.Dq boot 103process. 104This manual page documents the configuration steps necessary to support 105either of these steps, although the configuration steps may be 106refined based on local requirements. 107.Pp 108Please see the 109.Xr jail 2 110man page for further details. 111.Sh EXAMPLES 112.Ss "Setting up a Jail Directory Tree" 113This example shows how to set up a jail directory tree 114containing an entire 115.Fx 116distribution: 117.Bd -literal 118D=/here/is/the/jail 119cd /usr/src 120mkdir -p $D 121make world DESTDIR=$D 122cd etc 123make distribution DESTDIR=$D 124mount_devfs devfs $D/dev 125cd $D 126ln -sf dev/null kernel 127.Ed 128.Pp 129NOTE: It is important that only appropriate device nodes in devfs be 130exposed to a jail; access to disk devices in the jail may permit processes 131in the jail to bypass the jail sandboxing by modifying files outside of 132the jail. 133See 134.Xr devfs 8 135for information on how to use devfs rules to limit access to entries 136in the per-jail devfs. 137.Pp 138In many cases this example would put far more in the jail than needed. 139In the other extreme case a jail might contain only one file: 140the executable to be run in the jail. 141.Pp 142We recommend experimentation and caution that it is a lot easier to 143start with a 144.Dq fat 145jail and remove things until it stops working, 146than it is to start with a 147.Dq thin 148jail and add things until it works. 149.Ss "Setting Up a Jail" 150Do what was described in 151.Sx "Setting Up a Jail Directory Tree" 152to build the jail directory tree. 153For the sake of this example, we will 154assume you built it in 155.Pa /data/jail/192.168.11.100 , 156named for the jailed IP address. 157Substitute below as needed with your 158own directory, IP address, and hostname. 159.Ss "Setting up the Host Environment" 160First, you will want to set up your real system's environment to be 161.Dq jail-friendly . 162For consistency, we will refer to the parent box as the 163.Dq "host environment" , 164and to the jailed virtual machine as the 165.Dq "jail environment" . 166Since jail is implemented using IP aliases, one of the first things to do 167is to disable IP services on the host system that listen on all local 168IP addresses for a service. 169If a network service is present in the host environment that binds all 170available IP addresses rather than specific IP addresses, it may service 171requests sent to jail IP addresses. 172This means changing 173.Xr inetd 8 174to only listen on the 175appropriate IP address, and so forth. 176Add the following to 177.Pa /etc/rc.conf 178in the host environment: 179.Bd -literal -offset indent 180sendmail_enable="NO" 181inetd_flags="-wW -a 192.168.11.23" 182rpcbind_enable="NO" 183.Ed 184.Pp 185.Li 192.168.11.23 186is the native IP address for the host system, in this example. 187Daemons that run out of 188.Xr inetd 8 189can be easily set to use only the specified host IP address. 190Other daemons 191will need to be manually configured\(emfor some this is possible through 192the 193.Xr rc.conf 5 194flags entries; for others it is necessary to modify per-application 195configuration files, or to recompile the applications. 196The following frequently deployed services must have their individual 197configuration files modified to limit the application to listening 198to a specific IP address: 199.Pp 200To configure 201.Xr sshd 8 , 202it is necessary to modify 203.Pa /etc/ssh/sshd_config . 204.Pp 205To configure 206.Xr sendmail 8 , 207it is necessary to modify 208.Pa /etc/mail/sendmail.cf . 209.Pp 210For 211.Xr named 8 , 212it is necessary to modify 213.Pa /etc/namedb/named.conf . 214.Pp 215In addition, a number of services must be recompiled in order to run 216them in the host environment. 217This includes most applications providing services using 218.Xr rpc 3 , 219such as 220.Xr rpcbind 8 , 221.Xr nfsd 8 , 222and 223.Xr mountd 8 . 224In general, applications for which it is not possible to specify which 225IP address to bind should not be run in the host environment unless they 226should also service requests sent to jail IP addresses. 227Attempting to serve 228NFS from the host environment may also cause confusion, and cannot be 229easily reconfigured to use only specific IPs, as some NFS services are 230hosted directly from the kernel. 231Any third-party network software running 232in the host environment should also be checked and configured so that it 233does not bind all IP addresses, which would result in those services' also 234appearing to be offered by the jail environments. 235.Pp 236Once 237these daemons have been disabled or fixed in the host environment, it is 238best to reboot so that all daemons are in a known state, to reduce the 239potential for confusion later (such as finding that when you send mail 240to a jail, and its sendmail is down, the mail is delivered to the host, 241etc.). 242.Ss "Configuring the Jail" 243Start any jail for the first time without configuring the network 244interface so that you can clean it up a little and set up accounts. 245As 246with any machine (virtual or not) you will need to set a root password, time 247zone, etc. 248Some of these steps apply only if you intend to run a full virtual server 249inside the jail; others apply both for constraining a particular application 250or for running a virtual server. 251.Pp 252Start a shell in the jail: 253.Pp 254.Dl "jail /data/jail/192.168.11.100 testhostname 192.168.11.100 /bin/sh" 255.Pp 256Assuming no errors, you will end up with a shell prompt within the jail. 257You can now run 258.Pa /usr/sbin/sysinstall 259and do the post-install configuration to set various configuration options, 260or perform these actions manually by editing 261.Pa /etc/rc.conf , 262etc. 263.Pp 264.Bl -bullet -offset indent -compact 265.It 266Create an empty 267.Pa /etc/fstab 268to quell startup warnings about missing fstab (virtual server only) 269.It 270Disable the port mapper 271.Pa ( /etc/rc.conf : 272.Li rpcbind_enable="NO" ) 273(virtual server only) 274.It 275Run 276.Xr newaliases 1 277to quell 278.Xr sendmail 8 279warnings. 280.It 281Disable interface configuration to quell startup warnings about 282.Xr ifconfig 8 283.Pq Li network_interfaces="" 284(virtual server only) 285.It 286Configure 287.Pa /etc/resolv.conf 288so that name resolution within the jail will work correctly 289.It 290Set a root password, probably different from the real host system 291.It 292Set the timezone 293.It 294Add accounts for users in the jail environment 295.It 296Install any packages the environment requires 297.El 298.Pp 299You may also want to perform any package-specific configuration (web servers, 300SSH servers, etc), patch up 301.Pa /etc/syslog.conf 302so it logs as you would like, etc. 303If you are not using a virtual server, you may wish to modify 304.Xr syslogd 8 305in the host environment to listen on the syslog socket in the jail 306environment; in this example, the syslog socket would be stored in 307.Pa /data/jail/192.168.11.100/var/run/log . 308.Pp 309Exit from the shell, and the jail will be shut down. 310.Ss "Starting the Jail" 311You are now ready to restart the jail and bring up the environment with 312all of its daemons and other programs. 313If you are running a single application in the jail, substitute the 314command used to start the application for 315.Pa /etc/rc 316in the examples below. 317To start a virtual server environment, 318.Pa /etc/rc 319is run to launch various daemons and services. 320To do this, first bring up the 321virtual host interface, and then start the jail's 322.Pa /etc/rc 323script from within the jail. 324.Pp 325NOTE: If you plan to allow untrusted users to have root access inside the 326jail, you may wish to consider setting the 327.Va security.jail.set_hostname_allowed 328sysctl variable to 0. 329Please see the management discussion later in this document as to why this 330may be a good idea. 331If you do decide to set this variable, 332it must be set before starting any jails, and once each boot. 333.Bd -literal -offset indent 334ifconfig ed0 inet alias 192.168.11.100/32 335mount -t procfs proc /data/jail/192.168.11.100/proc 336jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \\ 337 /bin/sh /etc/rc 338.Ed 339.Pp 340A few warnings will be produced, because most 341.Xr sysctl 8 342configuration variables cannot be set from within the jail, as they are 343global across all jails and the host environment. 344However, it should all 345work properly. 346You should be able to see 347.Xr inetd 8 , 348.Xr syslogd 8 , 349and other processes running within the jail using 350.Xr ps 1 , 351with the 352.Ql J 353flag appearing beside jailed processes. 354To see an active list of jails, use the 355.Xr jls 8 356utility. 357You should also be able to 358.Xr telnet 1 359to the hostname or IP address of the jailed environment, and log 360in using the accounts you created previously. 361.Ss "Managing the Jail" 362Normal machine shutdown commands, such as 363.Xr halt 8 , 364.Xr reboot 8 , 365and 366.Xr shutdown 8 , 367cannot be used successfully within the jail. 368To kill all processes in a 369jail, you may log into the jail and, as root, use one of the following 370commands, depending on what you want to accomplish: 371.Pp 372.Bd -literal -offset indent 373kill -TERM -1 374kill -KILL -1 375.Ed 376.Pp 377This will send the 378.Dv SIGTERM 379or 380.Dv SIGKILL 381signals to all processes in the jail from within the jail. 382Depending on 383the intended use of the jail, you may also want to run 384.Pa /etc/rc.shutdown 385from within the jail. 386To kill processes from outside the jail, use the 387.Xr jexec 8 388utility in conjuction with the one of the 389.Xr kill 1 390commands above, or use the 391.Xr killall 1 392utility with the 393.Fl j 394option. 395.Pp 396The 397.Pa /proc/ Ns Ar pid Ns Pa /status 398file contains, as its last field, the hostname of the jail in which the 399process runs, or 400.Dq Li - 401to indicate that the process is not running within a jail. 402The 403.Xr ps 1 404command also shows a 405.Ql J 406flag for processes in a jail. 407However, the hostname for a jail may be, by 408default, modified from within the jail, so the 409.Pa /proc 410status entry is unreliable by default. 411To disable the setting of the hostname 412from within a jail, set the 413.Va security.jail.set_hostname_allowed 414sysctl variable in the host environment to 0, which will affect all jails. 415You can have this sysctl set on each boot using 416.Xr sysctl.conf 5 . 417Just add the following line to 418.Pa /etc/sysctl.conf : 419.Pp 420.Dl security.jail.set_hostname_allowed=0 421.Ss "Sysctl MIB Entries" 422Certain aspects of the jail containments environment may be modified from 423the host environment using 424.Xr sysctl 8 425MIB variables. 426Currently, these variables affect all jails on the system, although in 427the future this functionality may be finer grained. 428.Bl -tag -width XXX 429.It Va security.jail.allow_raw_sockets 430This MIB entry determines whether or not prison root is allowed to 431create raw sockets. 432Setting this MIB to 1 allows utilities like 433.Xr ping 8 434and 435.Xr traceroute 8 436to operate inside the prison. 437If this MIB 438is set, the source IP addresses are enforced to comply 439with the IP address bound to the jail, regardless of whether or not 440the 441.Dv IP_HDRINCL 442flag has been set on the socket. 443Since raw sockets can be used to configure 444and interact with various network subsystems, extra caution should be used 445where privileged access to jails is given out to untrusted parties. 446As such, 447by default this option is disabled. 448.It Va security.jail.getfsstatroot_only 449This MIB entry determines whether or not processes within a jail are able 450to see data for all mountpoints. 451When set to 1 (default), the 452.Xr getfsstat 2 453system call returns only (when called by jailed processes) the data for 454the file system on which the jail's root vnode is located. 455Note: this also has the effect of hiding other mounts inside a jail, 456such as 457.Pa /dev , 458.Pa /tmp , 459and 460.Pa /proc , 461but errs on the side of leaking less information. 462.It Va security.jail.set_hostname_allowed 463This MIB entry determines whether or not processes within a jail are 464allowed to change their hostname via 465.Xr hostname 1 466or 467.Xr sethostname 3 . 468In the current jail implementation, the ability to set the hostname from 469within the jail can impact management tools relying on the accuracy of jail 470information in 471.Pa /proc . 472As such, this should be disabled in environments where privileged access to 473jails is given out to untrusted parties. 474.It Va security.jail.socket_unixiproute_only 475The jail functionality binds an IPv4 address to each jail, and limits 476access to other network addresses in the IPv4 space that may be available 477in the host environment. 478However, jail is not currently able to limit access to other network 479protocol stacks that have not had jail functionality added to them. 480As such, by default, processes within jails may only access protocols 481in the following domains: 482.Dv PF_LOCAL , PF_INET , 483and 484.Dv PF_ROUTE , 485permitting them access to 486.Ux 487domain sockets, 488IPv4 addresses, and routing sockets. 489To enable access to other domains, this MIB variable may be set to 4900. 491.It Va security.jail.sysvipc_allowed 492This MIB entry determines whether or not processes within a jail have access 493to System V IPC primitives. 494In the current jail implementation, System V primitives share a single 495namespace across the host and jail environments, meaning that processes 496within a jail would be able to communicate with (and potentially interfere 497with) processes outside of the jail, and in other jails. 498As such, this functionality is disabled by default, but can be enabled 499by setting this MIB entry to 1. 500.It Va security.jail.chflags_allowed 501This MIB entry determines how a privileged user inside a jail will be 502treated by 503.Xr chflags 2 . 504If zero, such users are treated as unprivileged, and are unable to set 505or clear system file flags; if non-zero, such users are treated as 506privileged, and may manipulate system file flags subject to the usual 507constaints on 508.Va kern.securelevel . 509.El 510.Pp 511There are currently two MIB related variables that have per-jail settings. 512Changes to these variables by a jailed process do not effect the host 513environment, only the jail environment. 514The variables are 515.Va kern.securelevel 516and 517.Va kern.hostname . 518.Sh SEE ALSO 519.Xr killall 1 , 520.Xr newaliases 1 , 521.Xr ps 1 , 522.Xr chroot 2 , 523.Xr jail 2 , 524.Xr jail_attach 2 , 525.Xr procfs 5 , 526.Xr rc.conf 5 , 527.Xr sysctl.conf 5 , 528.Xr devfs 8 , 529.Xr halt 8 , 530.Xr inetd 8 , 531.Xr jexec 8 , 532.Xr jls 8 , 533.Xr mount_devfs 8 , 534.Xr named 8 , 535.Xr reboot 8 , 536.Xr rpcbind 8 , 537.Xr sendmail 8 , 538.Xr shutdown 8 , 539.Xr sysctl 8 , 540.Xr syslogd 8 541.Sh HISTORY 542The 543.Nm 544utility appeared in 545.Fx 4.0 . 546.Sh AUTHORS 547.An -nosplit 548The jail feature was written by 549.An Poul-Henning Kamp 550for R&D Associates 551.Pa http://www.rndassociates.com/ 552who contributed it to 553.Fx . 554.Pp 555.An Robert Watson 556wrote the extended documentation, found a few bugs, added 557a few new features, and cleaned up the userland jail environment. 558.Sh BUGS 559Jail currently lacks the ability to allow access to 560specific jail information via 561.Xr ps 1 562as opposed to 563.Xr procfs 5 . 564Similarly, it might be a good idea to add an 565address alias flag such that daemons listening on all IPs 566.Pq Dv INADDR_ANY 567will not bind on that address, which would facilitate building a safe 568host environment such that host daemons do not impose on services offered 569from within jails. 570Currently, the simplest answer is to minimize services 571offered on the host, possibly limiting it to services offered from 572.Xr inetd 8 573which is easily configurable. 574