Hello programmers,

I have recently installed Jailkit on my Debian wheezy (7.9) server. After some configuration I got most of the things working, however I had to add a lot of things inside the jk_init.ini to get some commands working. It is all just testing so not a big issue and not sure if it's a security risk but this is my current config:

Code:
[uidbasics]
# this section probably needs adjustment on 64bit systems
# or non-Linux systems
comment = common files for all jails that need user/group information
paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/x86_64-linux-gnu/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf
# Solaris needs
# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, /etc/nsswitch.conf

[screen]
comment = files and devices for screen
groups = tty
executables = /usr/bin/screen, /usr/bin/dircolors
paths_w_owner = /usr/share/terminfo, /dev/pts, /var/run/screen
devices = /dev/ptypa, /dev/ttypa, /dev/ptmx, /dev/null

[java_libraries]
comment = necessary file to execute java program
paths = /usr/lib/jvm/java-6-openjdk-amd64/bin/java, /lib/libpthread.so.0, /lib/libdl.so.2, /lib/libc.so.6, /usr/lib/jvm/java-6-openjdk-amd64/jre/lib, /lib/libm.so.6, /lib/libm-2.5.so, /proc/meminfo

[jk_lsh]
comment = Jailkit limited shell
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
includesections = uidbasics, logbasics

[limitedshell]
comment = alias for jk_lsh
includesections = jk_lsh

[scp]
comment = ssh secure copy
paths = scp
includesections = netbasics, uidbasics
devices = /dev/urandom

[sftp]
comment = ssh secure ftp
paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
# on solaris
#paths = /usr/lib/ssh/sftp-server

[ssh]
comment = ssh secure shell
paths = ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty, /dev/null

[services]
comment = all needed services
paths = /etc/init.d/mynewservice

[basicshell]
comment = bash based shell with several basic utilities
paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8, /usr/sbin, /usr/bin, /bin/readlink
users = root
groups = root
includesections = uidbasics

[extendedshell]
comment = bash shell including things like awk, bzip, tail, less
paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, less, md5sum, nice, sort, tac, tail, tr, sort, wc, watch, whoami
includesections = basicshell, midnightcommander, editors

[editors]
comment = vim, joe and nano
includesections = terminfo
paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim

[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
paths = wget, lynx, ftp, host, rsync, smbclient
includesections = netbasics, ssh, sftp, scp

I left some sections out of it, because I am not using them. The command I used first of all with the default init.ini:

Code:
jk_init -v /home/jail netutils basicshell jk_lsh ssh sftp

As you can see I've added some items myself because I couldn't get multiple commands working like 'service', 'screen', 'java'. Inside the basicshell I added: "/usr/sbin, /usr/bin, /bin/readlink". And I also added the sections [screen], [java_libraries] and [services]. Before this I couldn't get the commands service, java and readlink working, afterwards it did. However I added the full directories instead of the files I only need.

Can somebody tell me what I need to get the service command working? The default init.ini didn't do the job for me.

I also would like to get screen working, I followed a workaround that should enable screen: LINK

However it doesn't matter what I do, it keeps saying that '/var/run/screen' must have mode 777.

Does anybody know a configuration that would work and get screen working on the jailed users?

Thanks for reading
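
As an added example (not part of the original post and not Jailkit's own code): a small Python audit that follows includesections from the sections passed to jk_init and reports entries that copy a whole binary directory into the jail, such as the /usr/sbin and /usr/bin entries added to [basicshell] above. The BROAD_DIRS list and the function names are assumptions made for this example, and the embedded ini text is a constructed, trimmed sample.

```python
import configparser
import posixpath

# Whole binary directories; copying one into a jail exposes every tool in it.
BROAD_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}
PATH_KEYS = ("paths", "executables", "paths_w_owner")  # keys used on this page

# Constructed sample: a trimmed copy of sections quoted in the post.
SAMPLE_INI = """
[uidbasics]
paths = /lib/libnsl.so.1, /etc/nsswitch.conf
[basicshell]
paths = /bin/sh, bash, ls, /etc/profile, /usr/sbin, /usr/bin, /bin/readlink
includesections = uidbasics
[editors]
paths = nano, vi
[extendedshell]
paths = awk, less
includesections = basicshell, editors
"""

def split_list(value):
    """Split a comma-separated jk_init.ini value into trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(ini_text, requested):
    """Return (section, key, path) for each broad directory reachable from `requested`."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    seen, queue, hits = set(), list(requested), []
    while queue:
        name = queue.pop(0)
        if name in seen or not cfg.has_section(name):
            continue  # already visited, or left out of the file
        seen.add(name)
        for key in PATH_KEYS:
            for path in split_list(cfg.get(name, key, fallback="")):
                if posixpath.normpath(path) in BROAD_DIRS:
                    hits.append((name, key, path))
        # jk_init also installs every section named in includesections
        queue.extend(split_list(cfg.get(name, "includesections", fallback="")))
    return hits

if __name__ == "__main__":
    for section, key, path in audit(SAMPLE_INI, ["extendedshell"]):
        print(f"[{section}] {key} = {path}: whole directory copied into the jail")
```

Requesting only extendedshell still reports the [basicshell] entries, because the include chain pulls that section into the jail as well.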