What does the "jailed home" option do exactly?

[Richard G]

I've just seen a "jailed home" option in user packages. Probably only for modern licenses, not sure.
I know about jail shell for SSH, is that the same option? Or does the "jailed home" do something different?
Does the "jailed home" prevent users to go outside their home directory with for example php scripts to read other users directory's? Because I thought the "open basedir" protection took care of that.

 

[zEitEr]

Rebranded new old feature)

 

[Richard G]

So it's the old "jail shell for SSH?" feature then I presume? Or another old rebranded new ... well.... LoL

 

[zEitEr]

Whatever you like more. Anyway it is just jail=yes|no in user.conf.

 

[Richard G]

Whatever you like more.

I don't mind which one. I just would like to know if this is only for SSH or also for scripts.
And if it's also for scripts, then I wonder what the difference is between jailed home and "open basedir" protection.
That's what confuses me a little.

 

[zEitEr]

PHP-FPM does honour open basedir restrictions: https://www.php.net/manual/en/ini.core.php#ini.open-basedir
It will be tricky to put PHP-FPM into a jail on a shared hosting server. But PHP CLI will be jailed if a user is configured to use a jailed shell.

 

[Ohm J]

Jailshell have the background script protection.


Example cli: "php -q 1.php"

#1.php

exec("php 2.php &");

#2.php

sleep(999999999);

If no jailshell, "2.php" will run forever. If jailshell enable, 2.php and any child process will terminate after "1.php" done.

To let jailshell working with background. you need to (sleep forever at 1.php too).


This will make it easy tracking the script if one of the user have malware executing via cli / cron.

 

[Richard G]

Thanks for the explanation both but it's even more confusing for me now. Let me ask another way.

So Alex says it's tricky to use jailshell when using php-fpm if I understand correctly.
None of my users will have SSH acces anyway.

Open basedir restrictions are in effect.

So if no users have SSH access, and Open Basedir protection is in effect, is it wise to also enable jailshell too, or if it's more safe to -not- do that in a php-fpm environment? Or not required in php-fpm environment?

 

[Ohm J]

@Richard G
Not required and conflic with jailshell mechanism, because there have it own process management and secure enought.

 

[Richard G]

Ok so best is to leave it disabled in php-fpm and no users with SSH situation. Thank you!

Is there an easy way to remove it in case other admin sets it active by accident? Except disabling it from package? Or no removing required?

 

[Ohm J]

@Richard G
Don't worry, jailshell still not implemented in php-fpm process. Even ssh disable, it's still working for cronjob or other service that have integration from DA Dev.

 

[zEitEr]

So Alex says it's tricky to use jailshell when using php-fpm if I understand correctly.

A little bit different. You can use jailshell even with PHP-FPM. I was referring to the fact, that directadmin does not put PHP-FPM into a jail. Otherwise it would need to create separate instances for PHP-FPM per user, instead of using pools. Correct me if I'm wrong here)

 

[SEO Guru]

Version 1.690 | Directadmin Docs

DirectAdmin Knowledge Base

docs.directadmin.com

Nice development

 

[Richard G]

Yes indeed. I'm wondering how this will work but it looks good!

 

[zEitEr]

Yes indeed. I'm wondering how this will work but it looks good!

Most likely this way: https://forum.directadmin.com/threads/create-php-fpm-process-for-selected-users.73170/post-386126

 

[Richard G]

Most likely this way:

I see I was unclear. I ment how it will work as in, how the experiences are from people using it and if it works as they expect or has downsides and such.
So how it will work experience like.

But thank you for the answer.

 

[DrWizzle]

I see I was unclear. I ment how it will work as in, how the experiences are from people using it and if it works as they expect or has downsides and such.
So how it will work experience like.

But thank you for the answer.

Do you mean as in, how will it perform with separate processes running for each user now, as I'd be interested to know what the performance tradeoffs/benefits are for this. It's an epic piece of coding though, very god what they've done

And to fully understand this as I think I do, now, with the jailed / bubblewrapped accounts now, and separates fpm processes for each user, it will be virtually (but not quite) a full containerised environment for each user, making it much safer for everyone as less PHP attacks can happen as it's not shared php-fpm processes now for certain items??

 

[zEitEr]

I see I was unclear.

Sorry, I don't get your point. If you mean how much effect will it have on the current installations, I guess no degradation rather than possible RAM/CPU increase. If I get the new feature correct, they indent to increase security level, that's an isolation of processes is used for)

 

[Richard G]

Sorry, I don't get your point. If you mean how much effect will it have on the current installations,

I ment if people will like it and if it works as expected. It's a security level increase but also ram usage increase. So I'm just curious for people using it as how it affects their ram/cpu usage indeed and if it works as desired.

Als this confused me a bit. In the docs it says:

Same environment users get when using jailshell.

That is giving the impression that it will be the same environmont when they would use jailshell. So in fact not needing jailshell.

But then in the note it says this:

Note: The isolated FPM is activated only for the user accounts that use jailshell (the Jailed check box in the user configuration page).

So if I understand correctly jailshell is required to be installed anyway for the users otherwise it will not work.

 

[zEitEr]

So if I understand correctly jailshell is required to be installed anyway for the users otherwise it will not work.

When you start any process or a command in CLI as a regular user (not root), the process inherits your environment independently on whether or not you have a jailshell.