Apache Jail/Chroot for DirectAdmin - 2019

DewlanceVPS · Jul 9, 2019

Hello,

User can access /etc and various directory so how we can use Jail Apache/Chroot Apache.

How to fix this issue?

Thanks.

zEitEr · Jul 10, 2019

Hello,

Usually PHP open basedir is used here to prevent access.

If you give your users SSH access, then you might consider using ChrootDirectory in /etc/ssh/sshd_config per user.

DewlanceVPS · Jul 10, 2019

zEitEr said:
Hello,

Usually PHP open basedir is used here to prevent access.

If you give your users SSH access, then you might consider using ChrootDirectory in /etc/ssh/sshd_config per user.

Update: Open Basedir is already enabled on all accounts.

I do not provide SSH access to users but found that user can see various files of system from domain/shell-script.

zEitEr · Jul 10, 2019

Use CloudLinux then, a commercial OS, it will restrict access.

DewlanceVPS · Jul 10, 2019

zEitEr said:
Use CloudLinux then, a commercial OS, it will restrict access.

I am using CL from long time but 7 month ago I found that it was easy to bypass it then I enabled Apache jail. (Different control panel, Not DA)

Anyway, Thank for your response. You are so good person.

I will try to find solution for DA.

zEitEr · Jul 10, 2019

Does Apache Jail protect against directory browsing in shell scripts?

And are you sure that CageFS in CloudLinux does not protect you against it?

DewlanceVPS · Sep 12, 2019

zEitEr said:
Does Apache Jail protect against directory browsing in shell scripts?

And are you sure that CageFS in CloudLinux does not protect you against it?

Yes, I was tested it with CloudLinux.

After enabling ApacheJail shell scripts was unable to access other's directory especially with 777 permission.

ApacheJail with DirectAdmin will be best for Security.

zEitEr · Sep 12, 2019

Do I understand it correct that ApacheJail restricts access for users working over SSH without CageFS from CloudLinux? Are you referring to the solution described here http://www.zedwood.com/article/centos7-apache-chroot-jail ?

sparek · Sep 12, 2019

Worth noting for this discussion.

php-fpm has the ability to chroot a pool to a certain user directory.

So if you can setup an adequate chroot'd environment for every users, conceivably you could chroot each user's php-fpm pool into that environment.

Of course... you would have to set up the chroot'd environment (i.e. the /home/virtfs/user equivalent if you are coming over from cPanel) for each user. And this limitation would only apply to PHP environments on your server. But still... it would be nice to have (not really suggesting that this is something DirectAdmin should be providing).

chroot'ing will differ slightly from open_basedir protection. Correct me if I'm wrong, but open_basedir won't protect you from - shell_exec("cat /etc/passwd") - open_basedir only have affects the PHP defined file access functions. Of course... why are you allowing shell_exec() to run on PHP on your server is another valid question.

smtalk · Apr 7, 2020

Please check https://www.directadmin.com/features.php?id=2740. PHP-FastCGI is the only mode supporting it at this time though

sparek · Apr 7, 2020

See... this is part of the issue I have with the documentation with DirectAdmin. Now, granted, this is not a fully implemented feature (it says Unfinished... I assume that's some type of beta?). And I haven't even tried to implement this, maybe it's more self-explanatory when you go to build and turn this on. But just from reading that link... I'm not able to get a lot of information.

DirectAdmin can make use of this with a new value (set to 0 by default)
/usr/local/directadmin/directadmin set jail 1
service directadmin restart

OK, I get that. But then there's:

Alternatively, you can set:
/usr/local/directadmin/directadmin set jail 2
service directadmin restart

OK, what does that do? How is 2 different from 1?

GLOBAL TOKENS
HAVE_JAIL=0|1|2

Note that this is entirely based on the directadmin.conf.
CustomBuild will need to set jail=1 upon ./build jailshell and restart DA.
Admins can bump this up to level 2 if desired.

OK, what does bumping this up to 2 do?

Am I missing something?

smtalk · Apr 7, 2020

sparek said:
OK, what does that do? How is 2 different from 1?

I'm sorry for this

I haven't modified anything, from the same page:

so that regardless of any package/reseller/user.conf settings, jail is ALWAYS enabled, and will always be set for ssh/cron when saved.

So, 2 - enabled for everyone. 1 - enabled for selected users.

As it's named in the article - yes, it's BETA. And available in pre-release only.

sparek said:
OK, what does bumping this up to 2 do?

That's for global tokens in SKIN (section for any skin developers). It's about the same - "2" can be set by admins only (server owners).

Please let us know if there are any questions/issues with it.

Thank you.

DanielP · Oct 14, 2021

Is it time to get bubble wrap for PHP-FPM ?

Apache Jail/Chroot for DirectAdmin - 2019

DewlanceVPS

Verified User

zEitEr

Super Moderator

DewlanceVPS

Verified User

zEitEr

Super Moderator

DewlanceVPS

Verified User

zEitEr

Super Moderator

DewlanceVPS

Verified User

zEitEr

Super Moderator

sparek

Verified User

smtalk

Administrator

sparek

Verified User

smtalk

Administrator

DanielP

Verified User