DragonFly On-Line Manual Pages

Search: Section:  

jk_check(8)                        jk_check                        jk_check(8)


NAME

       jk_check - a utility that will check a jail for security problems


SYNOPSIS

       jk_check jail

       jk_check -v -c configfile jail


DESCRIPTION

       jk_check will run several tests on all files and directories in a jail.
       The tests are:

       -test for setuid (set user id) or setgid (set group id) files

       -test for file modifications, using an MD5 checksum on the file in the
       jail and the same file in the real root

       -test for group writable or world writable directories

       -test for matching user information in the jail and on the real system

       It will test directories based on the config file
       /etc/jailkit/jk_check.ini but also based on jail patterns (dir/./dir)
       found in the home directories in /etc/passwd


EXAMPLE

   Minimal configfile
       The most minimal configuration looks like:

       [/home/testchroot]

       This will include all the files and directories in /home/testchroot for
       testing.

   More extended configfile
       Often you want to ignore some tests on some directories, the following
       configfile shows some examples:

       [/home/testchroot]
       ignorepatheverywhere =
       ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc
       ignorewritableforgroup = /home/testchroot/home
       ignorewritableforothers = /home/testchroot/home/tmp
       ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforothers =

       ignorepatheverywhere
              no single test is performed in these directories. You should not
              use this option unless you what you are doing.
       ignorepathoncompare
              files in listed directories are not compared with their non-jail
              counterparts. Useful for directories like /etc/ and /home/ where
              you know you'll have different files inside the jail and outside
              the jail
       ignorewritableforgroup
              listed directories that are writable for the group are not
              reported
       ignorewritableforothers
              listed directories that are writable for others are not reported
       ignoresetuidexecuteforuser
              ignore the setuid bit on a file that is executable for a user, a
              file with -rws------ permissions that is. Use with care!
              Remember that user root can break out of a jail, therefore any
              program running with root priviledges is theoretically capable
              of breaking out of the jail!
       ignoresetuidexecuteforgroup
              ignore the setuid bit for a file that is executable for the
              group, a file with -rws--x--- permissions that is.
       ignoresetuidexecuteforothers
              ignore the setuid bit for a file that is executable for others,
              a file with -rws--x--x permissions that is


OPTIONS

       -v     Will give verbose output

       -c configfile
              Use alternative configfile

       -h     The help screen


FILES

       /etc/jailkit/jk_check.ini


SEE ALSO

       jailkit(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8)
       jk_jailuser(8) jk_list(8) jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8)
       jk_uchroot(8) jk_update(8) chroot(2)


COPYRIGHT

       Copyright (C) 2003, 2004, 2005, 2006, 2007, Olivier Sessink

       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

JAILKIT                           07-02-2010                       jk_check(8)

Search: Section: