Copyright (C) 2001, Luciano Rocha RootJail is a small program designed to safely run dangerous or unreliable services. It works like init(8) in that it spawns processes and watches for them. If any dies, it respawns it. If the child is misbehaving, in that it's dieing repeatedly, it is then disabled. Besides doing that, before doing anything related to the service, it changes the current directory to that of the service, does a chroot(2) to that directory, changes it's uid and gid to the one's the service will run as, and only if none of the steps fails is the service then executed. So, in effect, the service runs under a "root jail", in that it can't access any file outside it's directory. To compile: make make install To run: rootjail [[[:]:]: ] The user name or uid is mandatory, all other arguments, if not specified, are taken from the information of that user: the "program" is taken from the user's shell, but if it's empty or it's a standard shell (*sh), then it defaults to "/go"; the directory is the user's home directory the group is the primary group for that user. It is also possible to specify a default argument by leaving it blank, eg: rootjail moo:/home/moo/test: -> will do a chdir("/home/moo/test"); chroot("."); setgid(moo's gid); setuid(moo); exec("/go"); Here are some examples: rootjail apache:bin/httpd talker:nobody:: talker:nobody::talker2 etc... As a note: don't forget that almost all executables use one or another shared library, so make sure to include the ones it needs in the root jail. Signals: When the daemon receives the SIGHUP signal, it reactivates all services that were deactivated for respawning too fast. When the signal SIGTERM is received the daemon, before exiting, sends also a SIGTERM signal to all of it's childs (the services). It sends it two times, at the third time, it sends a SIGKILL signal, then exits. Any sugestions/comments, please send them to the address above. The rootjail homepage is located at: http://strange.nsk.yi.org/rj/ Cryptographic signatures and checksums may be provided by the developers at the URL(s) above. Wiretapped recommends that users check these before use of the software/information.