Jul's page (Hungarian) : Jul's packages : imprison

The imprison program

imprison imprisons processes to a jail. It can change root dir, capabilities, userid, and groups.

Interface

     imprison
        [--root|-r new rootdir]
        [--caps|-c capability set]
        [--user|-u username]
        [--set-groups|-G]
        [--]
        command [arg [arg...]]

Arguments:

--root rootdir: changes root directory to rootdir. If you do this, you better drop uid 0, and/or at least cap_chroot.
--caps capability set: sets capability set as in cap_from_set(3). Beware that you can keep capabilities after you left uid 0.
--user username: drops uid 0 and sets uid and gid to username's uid/gid.
--set-groups: sets group's additional groups specified in /etc/group if user is set.
--: tells getopt_long(3) not to parse other options. Use this if you want to specify options to command.
command [arg [arg...]]: Command to run in jail. Mandatory.

Example

Imprison `/usr/bin/id` to an user `bin`:

    # imprison -u bin /usr/bin/id
    uid=1(bin) gid=1(bin) groups=1(bin)
    # imprison -u bin -G /usr/bin/id
    uid=1(bin) gid=1(bin) groups=1(bin),2(daemon),3(sys)

Imprison `nc` to a `chroot(2)` jail and bind to local port 50, running `id` with `bin` user and groups on every connection:

This assumes that execve(2) to nc keeps CAP_NET_BIND_SERVICE. This can be done with mandatory access control, or my patch (see kernel patches page).

    # mkdir -p jail/{bin,etc,lib}
    # cp /etc/{group,resolv.conf,ld.so.conf} jail/etc
    # cp /lib/{ld,libc}-*.so jail/lib
    # cp /usr/bin/id /usr/bin/nc jail/bin
    # ldconfig -r jail
    # imprison -u bin -G -r jail -c "cap_net_bind_service=ep" -- /bin/nc -l -p 50 -e /bin/id 127.1

while from another terminal:

    # telnet 0 50
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    uid=1 gid=1 groups=1,2,3
    Connection closed by foreign host.