Jailkit and jails - Jailing a user
(Creating a chroot jail for security purposes)
Running a public-facing computer like suda (whether it is exposed over the internet or physically accessible) requires putting the public user in "jail", making it run in "kiosk mode". We are basically whitelisting what a specific user can do, limiting attempts to turn the computer off, put offensive images on the desktop background, or worse.
Jailing a user on suda using jailkit
Primary sources:
https://olivier.sessink.nl/jailkit/jailkit.8.html
https://askubuntu.com/questions/93411/simple-easy-way-to-jail-users
Secondary sources:
https://www.howtoforge.com/debian-9-jail-jailkit/
http://www.linuxmisc.com/1-linux-setup/9de37a1b1aca86d8.htm
https://linuxize.com/post/how-to-delete-users-in-linux-using-the-userdel-command/
https://wiki.archlinux.org/title/Linux_console/Keyboard_configuration
A guide:
https://askubuntu.com/questions/93411/simple-easy-way-to-jail-users
Rundown:
1) Download Jailkit from the website of the maintainer here https://olivier.sessink.nl/jailkit/index.html#download
2) Extract the archive and issue
./configure
make
sudo make install
3) Create a non-privileged user (let's call it guest)
sudo useradd -m guest
4) Add a password for that user
sudo passwd guest
Before moving the user to jail or running the jailkit scripts, it's easier to log in to the guest account as that user and add the basic scripts for suda and the ctwmrc configuration for ctwm.
5) Create a jail
sudo mkdir /home/jail
6) Make root the owner of /home/jail (so no one can write to it)
sudo chown root:root /home/jail
Then populate the jail with the basic things the user will use - remembering that a chroot jail is a little like a virtual system so whatever we want the user to be able to use must be accessible within the jail.
7) Use jk_init (one of the scripts provided by jailkit) to transfer basic necessities to the jail (note: no ssh etc.)
sudo jk_init -v /home/jail netutils basicshell jk_lsh
8) Jail the user
sudo jk_jailuser -m -j /home/jail/ guest
9) Copy bash and its libraries to the jail
sudo jk_cp -v -f /home/jail /bin/bash
10) Edit /home/jail/etc/passwd so that this line:
guest:x:1001:1001::/home/guest:/usr/sbin/jk_lsh
looks like this:
guest:x:1001:1001::/home/guest:/bin/bash
The jk_cp script is used to copy binaries and their dependencies into the jail environment so we don't have to do it manually.
11) Copy additional (suda specific) software to the jail
sudo jk_cp -v -j /home/jail/ /usr/bin/xsetroot xfontsel xdotool xdg-settings xclock vim script ffmpeg ffplay ffprobe xterm lxterminal xloadimage scrot xwininfo xxd
12) To get Xorg to run correctly we also need to copy the xdg folder and the X11 folder to the /etc/ of the jail.
To copy those over we issue:
sudo jk_cp -v -j /home/jail/ /etc/xdg
sudo jk_cp -v -j /home/jail/ /etc/X11
13) Create a locale configuration (and a keyboard configuration), otherwise the jail defaults to the C locale, which can stop certain things running correctly.
sudo touch /home/jail/etc/vconsole.conf
sudo touch /home/jail/etc/locale.conf
sudo nano /home/jail/etc/locale.conf
- add the required locale, in our case
LANG=en_GB.UTF-8
- edit the console keymap (this doesn't affect xorg)
sudo nano /home/jail/etc/vconsole.conf
KEYMAP=uk
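An added example (not part of the original guide or of jailkit): a shell audit to run once steps 6-10 are done. It checks that the jail's top level is owned by root and not group/world-writable, that the login shell named in the jail's etc/passwd actually exists inside the jail, and that the host passwd entry carries the jk_chrootsh shell and "/./" home marker that jk_jailuser writes. The function names and arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the guide or from jailkit; function names are hypothetical.
# Usage: sh audit_jail.sh /home/jail guest [host-passwd-file] [owner-uid]

# Step 6: list the jail root and top-level entries that are not owned by the
# expected uid (default 0 = root) or are group/world-writable.
# Symlinks and a tmp directory are skipped.
check_jail_perms() {
    [ -d "$1" ] || return 2
    bad=$(find "$1" -maxdepth 1 ! -type l ! -name tmp \
        \( ! -user "${2:-0}" -o -perm -0020 -o -perm -0002 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Print field N of USER's entry in a passwd-format FILE; fail if USER is absent.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; ok = 1; exit }
        END { exit !ok }' "$1"
}

# Steps 9-10: the shell named in JAIL/etc/passwd must be an executable file in the jail.
check_jail_shell() {
    shell=$(passwd_field "$1/etc/passwd" "$2" 7) || return 1
    [ -n "$shell" ] && [ -f "$1$shell" ] && [ -x "$1$shell" ]
}

# Step 8: jk_jailuser gives the host account the jk_chrootsh shell and a home
# containing "/./"; without them the login is not chrooted.
check_host_entry() {
    shell=$(passwd_field "$1" "$2" 7) || return 1
    home=$(passwd_field "$1" "$2" 6) || return 1
    case $shell in */jk_chrootsh) ;; *) return 1 ;; esac
    case $home in */./*) ;; *) return 1 ;; esac
}

audit_jail() {
    rc=0
    check_jail_perms "$1" "${4:-0}" || { echo "FAIL: jail ownership/permissions"; rc=1; }
    check_jail_shell "$1" "$2" || { echo "FAIL: login shell missing inside jail"; rc=1; }
    check_host_entry "${3:-/etc/passwd}" "$2" || { echo "FAIL: host entry not jailed"; rc=1; }
    return $rc
}

if [ $# -ge 2 ]; then audit_jail "$@"; fi
```

Run it as root against the real jail, for example sh audit_jail.sh /home/jail guest; a non-zero exit status means at least one check failed.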
Suda-specific notes
Certain scripts, like sudacam 1 and 2 and the later mantissacam1 and 2 scripts, had to be altered. In the case of sudacam1.sh it originally read
lxterminal --geometry=17x18+0+3 -e 'ffplay -f x11grab -follow_mouse centered -framerate 10 -video_size 640x480 -i :0.0'
(which launches an lxterminal within which the command runs, and thus the pipe/ffplay window).
Calling an lxterminal or xterm inside the jail risks the script crashing out or not starting, either because other dependencies are not present within the jail environment or because it hits the 'get_pty:not enough ptys' error (which for reference is discussed here: https://www.linuxquestions.org/questions/linux-desktop-74/get_pty-not-enough-ptys-error-4175533684/). To avoid this, the script was changed to
ffplay -f x11grab -follow_mouse centered -framerate 10 -video_size 640x480 -i :0.0
This worked just as well as the original implementation. The manifesto and glitchify scripts did not need any changes.