# Hello All - Jail Shells / chrooting



## Neoburner (Oct 6, 2014)

Hi all

First off I have already fell in with with FreeBSD, coming from flavours such as Centos, it's nice to come back to full command line! I do have a question regarding jails/chroot, I have been doing quite a bit of reading along the lines of both but need some help on a few issues. What I am wanting to do is allow users to have their own chroot without looking around the whole system. I see that chroot works well in this instance on other flavours, but jails seem to be the preferred way of going about this for some people on BSD. From using a dedicated IP for jails this come in a treat and ezjail just 'works' (if I wanted dedicated IP per jail). Is there anyway to have jails with one IP at all? sers log in and then it just directs them to their own jail?

Thanks all

Neo


----------



## SirDice (Oct 6, 2014)

I think you are misunderstanding what a jail(8) is. A basic chroot(8) is sometimes called a "jail" on Linux but on FreeBSD they are different and have different uses. The best way to think of a jail(8) is as a completely separate machine. It's more or less OS based virtualization.


----------



## Neoburner (Oct 6, 2014)

Thanks

Certainly cleared that up, I think the jails would suit it for me when people need a NAT IP coming in.

As for the chroot, is there a pre-defined way of keeping just users in their home directory, such as using jailkit etc? Or does BSD offer something else.

Thanks

Neo


----------



## SirDice (Oct 6, 2014)

Have a look at sshd_config(5):

```
ChrootDirectory
             Specifies the pathname of a directory to chroot(2) to after
             authentication.  All components of the pathname must be root-
             owned directories that are not writable by any other user or
             group.  After the chroot, sshd(8) changes the working directory
             to the user's home directory.

             The pathname may contain the following tokens that are expanded
             at runtime once the connecting user has been authenticated: %% is
             replaced by a literal '%', %h is replaced by the home directory
             of the user being authenticated, and %u is replaced by the user-
             name of that user.

             The ChrootDirectory must contain the necessary files and directo-
             ries to support the user's session.  For an interactive session
             this requires at least a shell, typically sh(1), and basic /dev
             nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
             arandom(4) and tty(4) devices.  For file transfer sessions using
             ``sftp'', no additional configuration of the environment is nec-
             essary if the in-process sftp server is used, though sessions
             which use logging do require /dev/log inside the chroot directory
             (see sftp-server(8) for details).

             The default is not to chroot(2).
```


----------

