How to login to my jail from host itself (normal user)

Matthew Seaman m.seaman at
Sun Nov 13 09:24:09 UTC 2011

On 13/11/2011 02:54, masayoshi wrote:
> I must adduser Ayumi as normal user.
> After adding her in jail, I add her in host.
> Then I type the following command:
> # ln -s /usr/jails/www/home/ayumi  /home
> When she logins, she is in /usr/jails/www/home/ayumi.
> But if she uses "cd" command, she can move directory.
> I would like to keep her in jail because she is reckless.
> I would like to know how to login to my jail as normal user from host itself when login prompt appear.
> If possible, could you tell me how to do it?
> Thanks in advance.

I assume simply using a restricted shell like rbash is unsuitable?   And
that you cannot simply give your user an unprivileged login account --
without root access, while they may be able to chdir around the system,
there's not much damage they can do accidentally.  (Although users are
endlessly inventive when it comes to breaking things...)

When you say 'login' do you mean at the console?  That's going to be
fairly tricky to enforce.  However if you mean logging in over the net
by eg. ssh then to confine the user to a jail is pretty easy. Enable
sshd in the jail -- usually this means configuring sshd the host to bind
to specific IP numbers rather than '*'.  See jail(8) for more details.
Then you give the user a working login and password in the jail and not
on the host system.  Either delete the account in the host or set the
login shell to /sbin/nologin and lock the password.

Now, if you want to support console based logins direct to a jail.  As
far as I know, this is not possible with the FreeBSD console.  It would
be a really cool thing to be able to do though.  Dedicate one of the
console vty's to the jail...  Unfortunately I don't think that's going
to be impossible without code changes to the OS.  The problem is init(8)
-- the master process on the system, and the process that controls each
of the getty(8) programs that watch for login attempts on the various
terminals -- that program would require modification so that it knew how
to associate a particular vty with a jail, and then manage the login
process to create a new login session within the jail.

About the only way I can think of doing this for a console login is to
use X and set up xdm(8) to enable its remote login capability, in which
case you get a pull-down on the login screen to allow you to choose
which host to log into.  But I've never tried to set up a system like
this, so I can't really say if its possible or not.  My educated guess
is that it should work, but it's quite an ambitious project for a beginner.

It would be nice if you could just force the login process on the host
to run something like 'jexec -U $USER 1 /bin/tcsh' but that's a command
you need root privilege for, so scratch that.  Also, it's pretty dodgy
to assume that the jail you want is always going to be running with JID=1.

If you can rely on your user to follow instructions, then you can just
tell them to 'ssh jailhost' immediately they login to the host, and set
up sshd in the jail as described above.  This means they will have to
have a working login on the host system, but you can make that be an
unprivileged account without root access or access to anything else
sensitive.  Their account in the jail can have root there, no problem.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID: matthew at               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url :

More information about the freebsd-questions mailing list