1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" 34.\" $FreeBSD$ 35.\" 36.Dd February 27, 2005 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd "imprison process and its descendants" 42.Sh SYNOPSIS 43.Nm 44.Op Fl i 45.Op Fl l u Ar username | Fl U Ar username 46.Ar path hostname ip-number command ... 47.Sh DESCRIPTION 48The 49.Nm 50utility imprisons a process and all future descendants. 51.Pp 52The options are as follows: 53.Bl -tag -width ".Fl u Ar username" 54.It Fl i 55Output the jail identifier of the newly created jail. 56.It Fl l 57Run program in the clean environment. 58The environment is discarded except for 59.Ev HOME , SHELL , TERM 60and 61.Ev USER . 62.Ev HOME 63and 64.Ev SHELL 65are set to the target login's default values. 66.Ev USER 67is set to the target login. 68.Ev TERM 69is imported from the current environment. 70The environment variables from the login class capability database for the 71target login are also set. 72.It Fl u Ar username 73The user name from host environment as whom the 74.Ar command 75should run. 76.It Fl U Ar username 77The user name from jailed environment as whom the 78.Ar command 79should run. 80.It Ar path 81Directory which is to be the root of the prison. 82.It Ar hostname 83Hostname of the prison. 84.It Ar ip-number 85IP number assigned to the prison. 86.It Ar command 87Pathname of the program which is to be executed. 88.El 89.Pp 90Jails are typically set up using one of two philosophies: either to 91constrain a specific application (possibly running with privilege), or 92to create a 93.Dq "virtual system image" 94running a variety of daemons and services. 95In both cases, a fairly complete file system install of 96.Fx 97is 98required, so as to provide the necessary command line tools, daemons, 99libraries, application configuration files, etc. 100However, for a virtual server configuration, a fair amount of 101additional work is required so as to configure the 102.Dq boot 103process. 104This manual page documents the configuration steps necessary to support 105either of these steps, although the configuration steps may be 106refined based on local requirements. 107.Pp 108Please see the 109.Xr jail 2 110man page for further details. 111.Sh EXAMPLES 112.Ss "Setting up a Jail Directory Tree" 113This example shows how to set up a jail directory tree 114containing an entire 115.Fx 116distribution: 117.Bd -literal 118D=/here/is/the/jail 119cd /usr/src 120mkdir -p $D 121make world DESTDIR=$D 122make distribution DESTDIR=$D 123mount_devfs devfs $D/dev 124cd $D 125ln -sf dev/null kernel 126.Ed 127.Pp 128NOTE: It is important that only appropriate device nodes in devfs be 129exposed to a jail; access to disk devices in the jail may permit processes 130in the jail to bypass the jail sandboxing by modifying files outside of 131the jail. 132See 133.Xr devfs 8 134for information on how to use devfs rules to limit access to entries 135in the per-jail devfs. 136.Pp 137In many cases this example would put far more in the jail than needed. 138In the other extreme case a jail might contain only one file: 139the executable to be run in the jail. 140.Pp 141We recommend experimentation and caution that it is a lot easier to 142start with a 143.Dq fat 144jail and remove things until it stops working, 145than it is to start with a 146.Dq thin 147jail and add things until it works. 148.Ss "Setting Up a Jail" 149Do what was described in 150.Sx "Setting Up a Jail Directory Tree" 151to build the jail directory tree. 152For the sake of this example, we will 153assume you built it in 154.Pa /data/jail/192.168.11.100 , 155named for the jailed IP address. 156Substitute below as needed with your 157own directory, IP address, and hostname. 158.Ss "Setting up the Host Environment" 159First, you will want to set up your real system's environment to be 160.Dq jail-friendly . 161For consistency, we will refer to the parent box as the 162.Dq "host environment" , 163and to the jailed virtual machine as the 164.Dq "jail environment" . 165Since jail is implemented using IP aliases, one of the first things to do 166is to disable IP services on the host system that listen on all local 167IP addresses for a service. 168If a network service is present in the host environment that binds all 169available IP addresses rather than specific IP addresses, it may service 170requests sent to jail IP addresses. 171This means changing 172.Xr inetd 8 173to only listen on the 174appropriate IP address, and so forth. 175Add the following to 176.Pa /etc/rc.conf 177in the host environment: 178.Bd -literal -offset indent 179sendmail_enable="NO" 180inetd_flags="-wW -a 192.168.11.23" 181rpcbind_enable="NO" 182.Ed 183.Pp 184.Li 192.168.11.23 185is the native IP address for the host system, in this example. 186Daemons that run out of 187.Xr inetd 8 188can be easily set to use only the specified host IP address. 189Other daemons 190will need to be manually configured\(emfor some this is possible through 191the 192.Xr rc.conf 5 193flags entries; for others it is necessary to modify per-application 194configuration files, or to recompile the applications. 195The following frequently deployed services must have their individual 196configuration files modified to limit the application to listening 197to a specific IP address: 198.Pp 199To configure 200.Xr sshd 8 , 201it is necessary to modify 202.Pa /etc/ssh/sshd_config . 203.Pp 204To configure 205.Xr sendmail 8 , 206it is necessary to modify 207.Pa /etc/mail/sendmail.cf . 208.Pp 209For 210.Xr named 8 , 211it is necessary to modify 212.Pa /etc/namedb/named.conf . 213.Pp 214In addition, a number of services must be recompiled in order to run 215them in the host environment. 216This includes most applications providing services using 217.Xr rpc 3 , 218such as 219.Xr rpcbind 8 , 220.Xr nfsd 8 , 221and 222.Xr mountd 8 . 223In general, applications for which it is not possible to specify which 224IP address to bind should not be run in the host environment unless they 225should also service requests sent to jail IP addresses. 226Attempting to serve 227NFS from the host environment may also cause confusion, and cannot be 228easily reconfigured to use only specific IPs, as some NFS services are 229hosted directly from the kernel. 230Any third-party network software running 231in the host environment should also be checked and configured so that it 232does not bind all IP addresses, which would result in those services' also 233appearing to be offered by the jail environments. 234.Pp 235Once 236these daemons have been disabled or fixed in the host environment, it is 237best to reboot so that all daemons are in a known state, to reduce the 238potential for confusion later (such as finding that when you send mail 239to a jail, and its sendmail is down, the mail is delivered to the host, 240etc.). 241.Ss "Configuring the Jail" 242Start any jail for the first time without configuring the network 243interface so that you can clean it up a little and set up accounts. 244As 245with any machine (virtual or not) you will need to set a root password, time 246zone, etc. 247Some of these steps apply only if you intend to run a full virtual server 248inside the jail; others apply both for constraining a particular application 249or for running a virtual server. 250.Pp 251Start a shell in the jail: 252.Pp 253.Dl "jail /data/jail/192.168.11.100 testhostname 192.168.11.100 /bin/sh" 254.Pp 255Assuming no errors, you will end up with a shell prompt within the jail. 256You can now run 257.Pa /usr/sbin/sysinstall 258and do the post-install configuration to set various configuration options, 259or perform these actions manually by editing 260.Pa /etc/rc.conf , 261etc. 262.Pp 263.Bl -bullet -offset indent -compact 264.It 265Create an empty 266.Pa /etc/fstab 267to quell startup warnings about missing fstab (virtual server only) 268.It 269Disable the port mapper 270.Pa ( /etc/rc.conf : 271.Li rpcbind_enable="NO" ) 272(virtual server only) 273.It 274Run 275.Xr newaliases 1 276to quell 277.Xr sendmail 8 278warnings. 279.It 280Disable interface configuration to quell startup warnings about 281.Xr ifconfig 8 282.Pq Li network_interfaces="" 283(virtual server only) 284.It 285Configure 286.Pa /etc/resolv.conf 287so that name resolution within the jail will work correctly 288.It 289Set a root password, probably different from the real host system 290.It 291Set the timezone 292.It 293Add accounts for users in the jail environment 294.It 295Install any packages the environment requires 296.El 297.Pp 298You may also want to perform any package-specific configuration (web servers, 299SSH servers, etc), patch up 300.Pa /etc/syslog.conf 301so it logs as you would like, etc. 302If you are not using a virtual server, you may wish to modify 303.Xr syslogd 8 304in the host environment to listen on the syslog socket in the jail 305environment; in this example, the syslog socket would be stored in 306.Pa /data/jail/192.168.11.100/var/run/log . 307.Pp 308Exit from the shell, and the jail will be shut down. 309.Ss "Starting the Jail" 310You are now ready to restart the jail and bring up the environment with 311all of its daemons and other programs. 312If you are running a single application in the jail, substitute the 313command used to start the application for 314.Pa /etc/rc 315in the examples below. 316To start a virtual server environment, 317.Pa /etc/rc 318is run to launch various daemons and services. 319To do this, first bring up the 320virtual host interface, and then start the jail's 321.Pa /etc/rc 322script from within the jail. 323.Pp 324NOTE: If you plan to allow untrusted users to have root access inside the 325jail, you may wish to consider setting the 326.Va security.jail.set_hostname_allowed 327sysctl variable to 0. 328Please see the management discussion later in this document as to why this 329may be a good idea. 330If you do decide to set this variable, 331it must be set before starting any jails, and once each boot. 332.Bd -literal -offset indent 333ifconfig ed0 inet alias 192.168.11.100/32 334mount -t procfs proc /data/jail/192.168.11.100/proc 335jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \\ 336 /bin/sh /etc/rc 337.Ed 338.Pp 339A few warnings will be produced, because most 340.Xr sysctl 8 341configuration variables cannot be set from within the jail, as they are 342global across all jails and the host environment. 343However, it should all 344work properly. 345You should be able to see 346.Xr inetd 8 , 347.Xr syslogd 8 , 348and other processes running within the jail using 349.Xr ps 1 , 350with the 351.Ql J 352flag appearing beside jailed processes. 353To see an active list of jails, use the 354.Xr jls 8 355utility. 356You should also be able to 357.Xr telnet 1 358to the hostname or IP address of the jailed environment, and log 359in using the accounts you created previously. 360.Ss "Managing the Jail" 361Normal machine shutdown commands, such as 362.Xr halt 8 , 363.Xr reboot 8 , 364and 365.Xr shutdown 8 , 366cannot be used successfully within the jail. 367To kill all processes in a 368jail, you may log into the jail and, as root, use one of the following 369commands, depending on what you want to accomplish: 370.Pp 371.Bd -literal -offset indent 372kill -TERM -1 373kill -KILL -1 374.Ed 375.Pp 376This will send the 377.Dv SIGTERM 378or 379.Dv SIGKILL 380signals to all processes in the jail from within the jail. 381Depending on 382the intended use of the jail, you may also want to run 383.Pa /etc/rc.shutdown 384from within the jail. 385To kill processes from outside the jail, use the 386.Xr jexec 8 387utility in conjuction with the one of the 388.Xr kill 1 389commands above, or use the 390.Xr killall 1 391utility with the 392.Fl j 393option. 394.Pp 395The 396.Pa /proc/ Ns Ar pid Ns Pa /status 397file contains, as its last field, the hostname of the jail in which the 398process runs, or 399.Dq Li - 400to indicate that the process is not running within a jail. 401The 402.Xr ps 1 403command also shows a 404.Ql J 405flag for processes in a jail. 406However, the hostname for a jail may be, by 407default, modified from within the jail, so the 408.Pa /proc 409status entry is unreliable by default. 410To disable the setting of the hostname 411from within a jail, set the 412.Va security.jail.set_hostname_allowed 413sysctl variable in the host environment to 0, which will affect all jails. 414You can have this sysctl set on each boot using 415.Xr sysctl.conf 5 . 416Just add the following line to 417.Pa /etc/sysctl.conf : 418.Pp 419.Dl security.jail.set_hostname_allowed=0 420.Ss "Sysctl MIB Entries" 421Certain aspects of the jail containments environment may be modified from 422the host environment using 423.Xr sysctl 8 424MIB variables. 425Currently, these variables affect all jails on the system, although in 426the future this functionality may be finer grained. 427.Bl -tag -width XXX 428.It Va security.jail.allow_raw_sockets 429This MIB entry determines whether or not prison root is allowed to 430create raw sockets. 431Setting this MIB to 1 allows utilities like 432.Xr ping 8 433and 434.Xr traceroute 8 435to operate inside the prison. 436If this MIB 437is set, the source IP addresses are enforced to comply 438with the IP address bound to the jail, regardless of whether or not 439the 440.Dv IP_HDRINCL 441flag has been set on the socket. 442Since raw sockets can be used to configure 443and interact with various network subsystems, extra caution should be used 444where privileged access to jails is given out to untrusted parties. 445As such, 446by default this option is disabled. 447.It Va security.jail.getfsstatroot_only 448This MIB entry determines whether or not processes within a jail are able 449to see data for all mountpoints. 450When set to 1 (default), the 451.Xr getfsstat 2 452system call returns only (when called by jailed processes) the data for 453the file system on which the jail's root vnode is located. 454Note: this also has the effect of hiding other mounts inside a jail, 455such as 456.Pa /dev , 457.Pa /tmp , 458and 459.Pa /proc , 460but errs on the side of leaking less information. 461.It Va security.jail.set_hostname_allowed 462This MIB entry determines whether or not processes within a jail are 463allowed to change their hostname via 464.Xr hostname 1 465or 466.Xr sethostname 3 . 467In the current jail implementation, the ability to set the hostname from 468within the jail can impact management tools relying on the accuracy of jail 469information in 470.Pa /proc . 471As such, this should be disabled in environments where privileged access to 472jails is given out to untrusted parties. 473.It Va security.jail.socket_unixiproute_only 474The jail functionality binds an IPv4 address to each jail, and limits 475access to other network addresses in the IPv4 space that may be available 476in the host environment. 477However, jail is not currently able to limit access to other network 478protocol stacks that have not had jail functionality added to them. 479As such, by default, processes within jails may only access protocols 480in the following domains: 481.Dv PF_LOCAL , PF_INET , 482and 483.Dv PF_ROUTE , 484permitting them access to 485.Ux 486domain sockets, 487IPv4 addresses, and routing sockets. 488To enable access to other domains, this MIB variable may be set to 4890. 490.It Va security.jail.sysvipc_allowed 491This MIB entry determines whether or not processes within a jail have access 492to System V IPC primitives. 493In the current jail implementation, System V primitives share a single 494namespace across the host and jail environments, meaning that processes 495within a jail would be able to communicate with (and potentially interfere 496with) processes outside of the jail, and in other jails. 497As such, this functionality is disabled by default, but can be enabled 498by setting this MIB entry to 1. 499.It Va security.jail.chflags_allowed 500This MIB entry determines how a privileged user inside a jail will be 501treated by 502.Xr chflags 2 . 503If zero, such users are treated as unprivileged, and are unable to set 504or clear system file flags; if non-zero, such users are treated as 505privileged, and may manipulate system file flags subject to the usual 506constaints on 507.Va kern.securelevel . 508.El 509.Pp 510There are currently two MIB related variables that have per-jail settings. 511Changes to these variables by a jailed process do not effect the host 512environment, only the jail environment. 513The variables are 514.Va kern.securelevel 515and 516.Va kern.hostname . 517.Sh SEE ALSO 518.Xr killall 1 , 519.Xr newaliases 1 , 520.Xr ps 1 , 521.Xr chroot 2 , 522.Xr jail 2 , 523.Xr jail_attach 2 , 524.Xr procfs 5 , 525.Xr rc.conf 5 , 526.Xr sysctl.conf 5 , 527.Xr devfs 8 , 528.Xr halt 8 , 529.Xr inetd 8 , 530.Xr jexec 8 , 531.Xr jls 8 , 532.Xr mount_devfs 8 , 533.Xr named 8 , 534.Xr reboot 8 , 535.Xr rpcbind 8 , 536.Xr sendmail 8 , 537.Xr shutdown 8 , 538.Xr sysctl 8 , 539.Xr syslogd 8 540.Sh HISTORY 541The 542.Nm 543utility appeared in 544.Fx 4.0 . 545.Sh AUTHORS 546.An -nosplit 547The jail feature was written by 548.An Poul-Henning Kamp 549for R&D Associates 550.Pa http://www.rndassociates.com/ 551who contributed it to 552.Fx . 553.Pp 554.An Robert Watson 555wrote the extended documentation, found a few bugs, added 556a few new features, and cleaned up the userland jail environment. 557.Sh BUGS 558Jail currently lacks the ability to allow access to 559specific jail information via 560.Xr ps 1 561as opposed to 562.Xr procfs 5 . 563Similarly, it might be a good idea to add an 564address alias flag such that daemons listening on all IPs 565.Pq Dv INADDR_ANY 566will not bind on that address, which would facilitate building a safe 567host environment such that host daemons do not impose on services offered 568from within jails. 569Currently, the simplest answer is to minimize services 570offered on the host, possibly limiting it to services offered from 571.Xr inetd 8 572which is easily configurable. 573