This project is fork of jailtime. This fork aims to develop cleaner CLI and expose internal API to allow other projects to use jailor functionality.
Jailor is a cli utility to create, manager and run chroot/jail environments. Jailor also exposes underlying API and hence can be used by other go projects.
Why is this useful? Jailor helps to:
- create restricted SSH logins that only allow scp or git, etc.
- build a Docker image without all the clutter of a fat base image based on a full Linux distribution.
- restrict daemons into a filesystem sub-tree to enhance security.
- run commands in isolated filesystem
General way to build from source via go get
:
go get github.com/dhillondeep/jailor
To build from a specific revision/branch/tag, not using go get
:
mkdir -p jailor && cd jailor
git clone https://github.com/dhillondeep/jailor.git .
make
You may want to create a symlink to the binary somewhere in your path.
Jailor provides cli tool to manage and run jail but, it also exposes it's API. This allows other go projects to use it's functionality:
import "github.com/dhillondeep/jailor/pkg/jailor"
jailor create
creates/updates a target chroot directory from an existing jail
specification (see next section). The general invocation syntax is:
jailor create <jailspec files> <target dir>
To get started with a rather basic chroot that allows to run Bash interactively, see the files in the examples/ directory. For the basic shell example:
jailor examples/basic_shell.jailspec chroot_dir
This will copy (among other files) your local /bin/bash
to
chroot_dir/bin/bash
and copy its library dependencies as well. On a Debian
Jessie system, the resulting tree looks like this:
chroot_dir/
+- bin/
| +- bash cat chgrp chmod chown cp cpio date dd df dir ...
+- lib/x86_64-linux-gnu/
| +- libacl.so.1 libattr.so.1 libc.so.6 libdl.so.2
| libm.so.6 libncurses.so.5 libnsl.so.1 libpcre.so.3
| libprocps.so.3 libpthread.so.0 librt.so.1 libselinux.so.1
| libtinfo.so.5
+- lib64/
| +- ld-linux-x86-64.so.2
+- usr/bin/
+- arch awk base64 basename cksum csplit cut dircolors ...
Jail specification files such as examples/basic_shell.jailspec
follow a text
format with a few special directives. To start with a simple example:
# This is a single line comment. Blank lines and additional whitespace will be
# ignored.
# This copies the host file /bin/bash into the chroot. It also copies all
# library dependencies.
/bin/bash
When copying files, you can also specify the target:
# Copies /bin/bash to <chroot>/bin/sh.
/bin/bash /bin/sh
Instead of creating a copy, you can also create a (sym-)link:
# Copy bash to <chroot>/bin/bash and create a symlink from <chroot>/bin/sh to
# <chroot>/bin/bash
/bin/bash
/bin/sh -> /bin/bash
# Hardlinks are created with a fat arrow `=>':
/bin/bash_again => /bin/bash
To change file permissions inside the chroot, just append the file mode:
/home/myuser/ 600
/home/myuser/myfile 600
Some programs will likely need a few special device files in order to function. They are created similar to normal files:
# Creates the two devices /dev/null and /dev/zero.
# For Linux device numbers see Documentation/admin-guide/devices.txt in the
# kernel source tree.
/dev/null c 1 3
/dev/zero c 1 5
Note: Device creation will most likely require jailor to be run as root.
Use a 'run' directive for advanced customizations of the chroot:
# Add a nice saying, careful not to omit the leading "./"
run fortune > ./etc/motd
The run directive will execute the text following the run
keyword in a shell
with the chroot directory set as its current directory.
Empty directories are created when the path name ends with a slash ('/'). There is also a shorthand to create multiple directories, similar to Bash syntax:
# Creates /srv and /srv/nfs
/srv/nfs/
# Expands to /srv/nfs/alice/.ssh/ and /srv/nfs/bob/.ssh/ and creates these
# directories.
/srv/nfs/{alice,bob}/.ssh/
Jail specifications can also include other jail specifications:
include python27.jailspec
The include will be relative to the current specification file and file inclusion may be nested up to 8 levels deep. Run statements are executed in order and later specifications override earlier ones.
These tools serve a similar purpose or are somewhat related:
- Jailkit, this also supports
checking chroots for security problems and launching daemons inside a
chroot. In its current form, jailtime corresponds mostly to
jk_cp
, the utility to copy files and their dependencies to a chroot directory. - copy_exec from initramfs-tools, this also copies files and their library dependencies.
- schroot, used to execute commands or interactive shells in different chroot environments. It also supports BTRFS and LVM snapshots as well as on-the-fly chroots unpacked from tar files.
- debootstrap, this can install Debian-based distributions into a filesystem directory which then can be used as a chroot.
- Copyright (c)2015-2020 Christian Blichmann [email protected]
- Copyright (c)2020 Deep Dhillon [email protected]
jailor is licensed under a two-clause BSD license, see the LICENSE file for details.