{"id":13509891,"url":"https://github.com/cblichmann/jailtime","last_synced_at":"2026-03-16T15:03:58.870Z","repository":{"id":31798608,"uuid":"35365151","full_name":"cblichmann/jailtime","owner":"cblichmann","description":"Create and manage chroot/jail environments","archived":false,"fork":false,"pushed_at":"2023-05-21T14:28:27.000Z","size":273,"stargazers_count":52,"open_issues_count":4,"forks_count":5,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-02T08:42:07.492Z","etag":null,"topics":["chroot","golang-application","jail","jail-environments","jail-specifications","linux-app"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cblichmann.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-05-10T09:36:19.000Z","updated_at":"2025-01-18T19:22:48.000Z","dependencies_parsed_at":"2024-06-19T00:26:34.072Z","dependency_job_id":null,"html_url":"https://github.com/cblichmann/jailtime","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cblichmann%2Fjailtime","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cblichmann%2Fjailtime/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cblichmann%2Fjailtime/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cblichmann%2Fjailtime/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cblichman
n","download_url":"https://codeload.github.com/cblichmann/jailtime/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238968440,"owners_count":19560586,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chroot","golang-application","jail","jail-environments","jail-specifications","linux-app"],"created_at":"2024-08-01T02:01:16.156Z","updated_at":"2025-10-30T12:31:42.729Z","avatar_url":"https://github.com/cblichmann.png","language":"Go","funding_links":[],"categories":["Go","others"],"sub_categories":[],"readme":"jailtime [![Build Status](https://github.com/cblichmann/jailtime/workflows/build/badge.svg)](https://github.com/cblichmann/jailtime/actions?query=workflow%3Abuild)\n========\n\njailtime is a command-line utility to create and manage chroot/jail\nenvironments.\nWhy is this useful? 
jailtime helps to\n  - create restricted SSH logins that only allow scp or git, etc.\n  - build a Docker image without all the clutter of a fat base image based on\n    a full Linux distribution.\n  - restrict daemons into a filesystem sub-tree to enhance security.\n\n\nTable of Contents\n-----------------\n\n  * [jailtime](README.md#jailtime-)\n     * [Requirements](README.md#requirements)\n     * [How to Build](README.md#how-to-build)\n        * [Build using Make](README.md#build-using-make)\n     * [How to Use](README.md#how-to-use)\n        * [Writing Jail Specifications](README.md#writing-jail-specifications)\n        * [Entering a chroot](README.md#entering-a-chroot)\n     * [Bugs](README.md#bugs)\n     * [Similar Tools](README.md#similar-tools)\n     * [Copyright/License](README.md#copyrightlicense)\n\n\nRequirements\n------------\n\n  - Go version 1.9 or later\n  - Git version 1.7 or later\n  - Optional: CDBS (to build the Debian packages)\n  - Optional: GNU Make\n  - Currently only runs on 32-bit or 64-bit x86 Linux and macOS\n\n\nHow to Build\n------------\n\nGeneral way to build from source via `go get`:\n```\ngo get blichmann.eu/code/jailtime\n```\n\n### Build using Make\n\nTo build from a specific revision/branch/tag, not using `go get`:\n```bash\nmkdir -p jailtime \u0026\u0026 cd jailtime\ngit clone https://github.com/cblichmann/jailtime.git .\n# Optional: check out a specific rev./branch/tag using e.g. git checkout\nmake\n```\n\nYou may want to create a symlink to the binary somewhere in your path.\n\n\nHow to Use\n----------\n\njailtime creates/updates a target chroot directory from an existing jail\nspecification (see next section). The general invocation syntax is:\n```\njailtime \u003cone or more jailspec files\u003e \u003ctarget dir\u003e\n```\nMultiple jailspec files will be merged and their statements applied in order.\n\nTo get started with a rather basic chroot that allows running Bash\ninteractively, see the files in the examples/ directory. 
For the basic shell\nexample:\n```\njailtime examples/basic_shell.jailspec chroot_dir\n```\nThis will copy (among other files) your local `/bin/bash` to\n`chroot_dir/bin/bash` and copy its library dependencies as well. On a Debian\nJessie system, the resulting tree looks like this:\n```\nchroot_dir/\n+- bin/\n|  +- bash  cat  chgrp  chmod  chown  cp  cpio  date  dd  df  dir  ...\n+- lib/x86_64-linux-gnu/\n|  +- libacl.so.1      libattr.so.1     libc.so.6    libdl.so.2\n|     libm.so.6        libncurses.so.5  libnsl.so.1  libpcre.so.3\n|     libprocps.so.3   libpthread.so.0  librt.so.1   libselinux.so.1\n|     libtinfo.so.5\n+- lib64/\n|  +- ld-linux-x86-64.so.2\n+- usr/bin/\n   +- arch  awk  base64  basename  cksum  csplit  cut  dircolors  ...\n```\n\n### Writing Jail Specifications\n\nJail specification files such as `examples/basic_shell.jailspec` follow a text\nformat with a few special directives. To start with a simple example:\n```\n# This is a single line comment. Blank lines and additional whitespace will be\n# ignored.\n\n# This copies the host file /bin/bash into the chroot. 
It also copies all\n# library dependencies.\n/bin/bash\n```\n\nWhen copying files, you can also specify the target:\n```\n# Copies /bin/bash to \u003cchroot\u003e/bin/sh.\n/bin/bash /bin/sh\n```\nInstead of creating a copy, you can also create a (sym-)link:\n```\n# Copy bash to \u003cchroot\u003e/bin/bash and create a symlink from \u003cchroot\u003e/bin/sh to\n# \u003cchroot\u003e/bin/bash\n/bin/bash\n/bin/sh -\u003e /bin/bash\n\n# Hardlinks are created with a fat arrow `=\u003e':\n/bin/bash_again =\u003e /bin/bash\n```\n\nTo change file permissions inside the chroot, just append the file mode:\n```\n/home/myuser/ 600\n/home/myuser/myfile 600\n```\n\nSome programs will likely need a few special device files in order to function.\nThey are created similar to normal files:\n```\n# Creates the two devices /dev/null and /dev/zero.\n# For Linux device numbers see Documentation/admin-guide/devices.txt in the\n# kernel source tree.\n/dev/null c 1 3\n/dev/zero c 1 5\n```\nNote: Device creation will most likely require jailtime to be run as root.\n\nUse a 'run' directive for advanced customizations of the chroot:\n```\n# Add a nice saying, careful not to omit the leading \"./\"\nrun fortune \u003e ./etc/motd\n```\nThe run directive will execute the text following the `run` keyword in a shell\nwith the chroot directory set as its current directory.\n\nEmpty directories are created when the path name ends with a slash ('/'). There\nis also a shorthand to create multiple directories, similar to Bash syntax:\n```\n# Creates /srv and /srv/nfs\n/srv/nfs/\n# Expands to /srv/nfs/alice/.ssh/ and /srv/nfs/bob/.ssh/ and creates these\n# directories.\n/srv/nfs/{alice,bob}/.ssh/\n```\n\nJail specifications can also include other jail specifications:\n```\ninclude python27.jailspec\n```\nThe include will be relative to the current specification file and file\ninclusion may be nested up to 8 levels deep. 
Run statements are executed in\norder and later specifications override earlier ones.\n\n\n### Entering a chroot\n\nOn most systems, entering a chroot environment requires root or at least\nadministrative privileges. If `sudo` is installed, you can create and enter a\nchroot with a basic shell like this:\n```bash\njailtime examples/basic_shell.jailspec chroot_dir\nsudo chroot chroot_dir\n```\nIf you are on a system with [systemd](\nhttp://freedesktop.org/wiki/Software/systemd/) (most Linux systems nowadays),\nyou can also easily create a lightweight container:\n```bash\nsudo systemd-nspawn -D chroot_dir/ /bin/bash\n```\nThis uses the same underlying technique as [Docker](https://www.docker.com/)\nand Linux Containers (LXC), and allows for greater isolation.\n\nAnother good option is to use [nsjail](https://google.github.io/nsjail/),\nwhich uses a similar technique but also allows restricting the chroot even\nfurther by using a seccomp-bpf based sandbox. Here is an example that changes\nboth the current user and group to 99999:\n```bash\nsudo nsjail -Mo --chroot chroot_dir/ --user 99999 --group 99999 -- /bin/bash\n```\n\nFreeBSD-derived systems also have the [jail](\nhttps://www.freebsd.org/cgi/man.cgi?query=jail\u0026format=html) utility, which\nserves a similar purpose.\n\n\nBugs\n----\n\n  - Error messages could be more specific\n\n\nSimilar Tools\n-------------\n\nThese tools serve a similar purpose or are somewhat related:\n  - [Jailkit](http://olivier.sessink.nl/jailkit/), this also supports\n    checking chroots for security problems and launching daemons inside a\n    chroot. 
In its current form, jailtime corresponds mostly to `jk_cp`, the\n    utility to copy files and their dependencies to a chroot directory.\n  - [copy_exec from initramfs-tools](\n    http://anonscm.debian.org/cgit/kernel/initramfs-tools.git/tree/hook-functions),\n    this also copies files and their library dependencies.\n  - [schroot](http://anonscm.debian.org/cgit/buildd-tools/schroot.git), used\n    to execute commands or interactive shells in different chroot\n    environments. It also supports BTRFS and LVM snapshots as well as\n    on-the-fly chroots unpacked from tar files.\n  - [debootstrap](http://anonscm.debian.org/cgit/d-i/debootstrap.git), this can\n    install Debian-based distributions into a filesystem directory which then\n    can be used as a chroot.\n\n\nCopyright/License\n-----------------\n\njailtime version 0.8\nCopyright (c)2015-2023 Christian Blichmann \u003cjailtime@blichmann.eu\u003e\n\njailtime is licensed under a two-clause BSD license, see the LICENSE file\nfor details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcblichmann%2Fjailtime","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcblichmann%2Fjailtime","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcblichmann%2Fjailtime/lists"}