
jk_check - a utility that will check a jail for security problems

Description

       jk_check will run several tests on all files and directories in a jail. The tests are:

       - test for setuid (set user id) or setgid (set group id) files

       - test for file modifications, using an MD5 checksum on the file in the jail and the same file in the
         real root

       - test for group writable or world writable directories

       - test for matching user information in the jail and on the real system

       It will test directories based on the config file /etc/jailkit/jk_check.ini but also based on jail
       patterns (dir/./dir) found in the home directories in /etc/passwd.

Example

   Minimal config file
       The most minimal configuration looks like:

       [/home/testchroot]

       This will include all the files and directories in /home/testchroot for testing.

   More extended config file
       Often you want to ignore some tests on some directories. The following config file shows some examples:

       [/home/testchroot]
       ignorepatheverywhere =
       ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc
       ignorewritableforgroup = /home/testchroot/home
       ignorewritableforothers = /home/testchroot/home/tmp
       ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforothers =

       ignorepatheverywhere
              no single test is performed in these directories. You should not use this option unless you know
              what you are doing.
       ignorepathoncompare
              files in listed directories are not compared with their non-jail counterparts. Useful for
              directories like /etc/ and /home/ where you know you'll have different files inside the jail and
              outside the jail.
       ignorewritableforgroup
              listed directories that are writable for the group are not reported
       ignorewritableforothers
              listed directories that are writable for others are not reported
       ignoresetuidexecuteforuser
              ignore the setuid bit on a file that is executable for a user, a file with -rws------ permissions
              that is. Use with care! Remember that user root can break out of a jail, therefore any program
              running with root privileges is theoretically capable of breaking out of the jail!
       ignoresetuidexecuteforgroup
              ignore the setuid bit for a file that is executable for the group, a file with -rws--x---
              permissions that is.
       ignoresetuidexecuteforothers
              ignore the setuid bit for a file that is executable for others, a file with -rws--x--x permissions
              that is.
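
A minimal sketch of the first three tests listed under Description, with the ignorepathoncompare exception, added here as an illustration; it is not jk_check's own code. The function name audit_jail, its parameters and the finding labels are hypothetical, SHA-256 is used in place of the MD5 checksum the page mentions, and the user-information test is left out.

```python
import hashlib
import os
import stat


def _digest(path):
    """Hash a file in chunks (SHA-256 here; the man page describes MD5)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_jail(jail, real_root="/", ignore_compare=()):
    """Hypothetical helper: return sorted (finding, path relative to jail).

    ignore_compare holds absolute directory paths inside the jail, in the
    same style as the ignorepathoncompare values in jk_check.ini.
    """
    findings = set()
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, jail)
            mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWGRP:
                    findings.add(("group-writable-dir", rel))
                if mode & stat.S_IWOTH:
                    findings.add(("world-writable-dir", rel))
            elif stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings.add(("setuid", rel))
                if mode & stat.S_ISGID:
                    findings.add(("setgid", rel))
                # Skip the comparison for paths under an ignored directory.
                if any(path.startswith(p.rstrip(os.sep) + os.sep)
                       for p in ignore_compare):
                    continue
                twin = os.path.join(real_root, rel)  # same file outside the jail
                if os.path.isfile(twin) and _digest(path) != _digest(twin):
                    findings.add(("differs-from-real-root", rel))
    return sorted(findings)
```

Reading every file in a real jail generally needs root, and a file that exists only inside the jail is not reported by the comparison step.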

Files

/etc/jailkit/jk_check.ini

Name

       jk_check - a utility that will check a jail for security problems

Options

       -v     Will give verbose output

       -c configfile
              Use alternative configfile

       -h     The help screen

See Also

       jailkit(8), jk_chrootlaunch(8), jk_chrootsh(8), jk_cp(8), jk_init(8), jk_jailuser(8), jk_list(8),
       jk_lsh(8), jk_procmailwrapper(8), jk_socketd(8), jk_uchroot(8), jk_update(8), chroot(2)

Synopsis

       jk_check jail
       jk_check -v -c configfile jail
