Adding or Editing custom mount in jailshell

arbours

Hi everyone,

I created a user that has SSH access and that is jailed (RH8/Alma8) through DA.

I log in through SSH as that user, and that works. I would like to be able to add or configure a custom mount point (i.e., let's say a directory that has 0444, like an internal repo available to all jailshell users).

I read that on cPanel it is possible to do this, so surely there is a way to do this with DA since DA is better :D ?
 
I was able to find the file /usr/bin/jailshell; when edited with the proper switch and directory permission, it works fine.

Now if I wanted to make this modification persistent across DirectAdmin updates, how would I include this custom modified /usr/bin/jailshell in the custombuild/custom folder?

Because in the Build script, under doJailshell for example, there is no override like the exim configuration or system_filter has:

Example:
# Update system_filter.exim
if [ -e ${CWD}/custom/exim/system_filter.exim ]; then
    cp -f ${CWD}/custom/exim/system_filter.exim /etc/system_filter.exim
else
    curl ${CURL_CONNECT_OPTIONS} -o /etc/system_filter.exim ${WEBPATH}/system_filter.exim
fi
 
I'm seeing the need to modify the jailshell as well (on Debian 11). I want the jailed user to have an as normal as possible shell, just jailed. In the current (0.7) there are a few things missing.

One example is trying to use man:
Code:
myuser@myhost:~$ man bash
man: can't open the manpath configuration file /etc/manpath.config

Another thing is that I set up the shell/environment/prompt using /etc/bash.bashrc and /etc/bashrc.d/* which is not included in the 0.7 jailshell script, and I'd also like to include the git prompt and possibly a few other things.

I don't expect there to be a single jailshell script that works for everyone, so a way to add custom options to bwrap would be great. Another option would be to define multiple jailshells, so we can make a jailshell2 script, and have DirectAdmin change the user's shell to that instead, when the user is jailed.

It would also probably make sense to add /usr/bin/jailshell to /etc/shells. :)
 
Specifically for my case, these are the ones I'd like to have added:

Code:
      --ro-bind-try /etc/bash.bashrc /etc/bash.bashrc \
      --ro-bind-try /etc/bash_completion /etc/bash_completion \
      --ro-bind-try /etc/bash_completion.d /etc/bash_completion.d \
      --ro-bind-try /etc/bashrc.d /etc/bashrc.d \
      --ro-bind-try /etc/manpath.config /etc/manpath.config \
 
Using a custombuild hook script, this can be achieved:

Code:
# cat /usr/local/directadmin/custombuild/custom/hooks/jailshell/post/jailshell_mount_update.sh
#!/bin/bash

# We will insert our additional /etc related bind mount options after the exec
# line. The order of the options does not matter.
sed -i.orig '/exec -a jailshell bwrap /a \ \ \ \ \ \ --ro-bind-try /etc/bash.bashrc /etc/bash.bashrc \\\n\ \ \ \ \ \ --ro-bind-try /etc/bash_completion /etc/bash_completion \\\n\ \ \ \ \ \ --ro-bind-try /etc/bash_completion.d /etc/bash_completion.d \\\n\ \ \ \ \ \ --ro-bind-try /etc/bashrc.d /etc/bashrc.d \\\n\ \ \ \ \ \ --ro-bind-try /etc/manpath.config /etc/manpath.config \\' /usr/bin/jailshell

# Add /usr/bin/jailshell to /etc/shells if it's not already there
if [ -f "/etc/shells" ]; then
    grep -qxF "/usr/bin/jailshell" /etc/shells || echo "/usr/bin/jailshell" >> /etc/shells
fi
 
With version 0.8 of jailshell, the layout of the file has changed. This hook script should support all versions out so far, assuming your sort command supports the -V option.

Code:
# cat /usr/local/directadmin/custombuild/custom/hooks/jailshell/post/jailshell_mount_update.sh
#!/bin/bash

# In jailshell 0.8 the layout of the file changed significantly, so we need to
# look up the version before making modifications.
jailshell_version=$(grep -oP "^#VERSION=\K[0-9.]+(?=$)" /usr/bin/jailshell)
check_version=0.8

# We will insert our additional /etc related bind mount options after the exec
# line. The order of the options does not matter.
#
# Make sure your system supports "sort -V"
if [ "$(echo -e "${check_version}\n${jailshell_version}" | sort -V | head -n1)" = "${check_version}" ]; then
    # Version is equal or higher than check_version
    sed -i '/exec bwrap \\/a \ \ \ \ \ \ --ro-bind-try  /etc/bash_completion          /etc/bash_completion \\\n\ \ \ \ \ \ --ro-bind-try  /etc/bash_completion.d        /etc/bash_completion.d \\\n\ \ \ \ \ \ --ro-bind-try  /etc/bashrc.d                 /etc/bashrc.d \\\n\ \ \ \ \ \ --ro-bind-try  /etc/manpath.config           /etc/manpath.config \\' /usr/bin/jailshell
else
    # Version is lower than check_version
    sed -i '/exec -a jailshell bwrap /a \ \ \ \ \ \ --ro-bind-try /etc/bash.bashrc /etc/bash.bashrc \\\n\ \ \ \ \ \ --ro-bind-try /etc/bash_completion /etc/bash_completion \\\n\ \ \ \ \ \ --ro-bind-try /etc/bash_completion.d /etc/bash_completion.d \\\n\ \ \ \ \ \ --ro-bind-try /etc/bashrc.d /etc/bashrc.d \\\n\ \ \ \ \ \ --ro-bind-try /etc/manpath.config /etc/manpath.config \\' /usr/bin/jailshell
fi

# Add /usr/bin/jailshell to /etc/shells if it's not already there.
if [ -f "/etc/shells" ]; then
    grep -qxF "/usr/bin/jailshell" /etc/shells || echo "/usr/bin/jailshell" >> /etc/shells
fi
 
Note that this custombuild hook script does not run during ./build update_versions, so it might not be the best approach after all.
 
The hooks can be used with any action of custombuild, including:

  • update
  • update_script
  • update_da
  • update_versions
  • update_versions_full
  • update_full
  • update_webapps
  • update_data

Symlink folders to custom/hooks/${ACTION}/post/ and extend the hook scripts with an extra check on whether the needed files were already modified or not.
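
One way to write the "already modified" check suggested above, as an added example that is not code from the posts or from DirectAdmin: the hook adds only the read-only binds that are missing, so it can be symlinked into several actions and run repeatedly, and it refuses to edit a jailshell whose layout it does not recognise. The function name `add_jail_binds` and the `JAILSHELL` override variable are hypothetical; the two `exec ... bwrap` layouts are the ones the sed patterns in the thread match, and awk is used here in place of the sed one-liner.

```bash
#!/bin/bash
# Added example: idempotent variant of the jailshell post hook.
# JAILSHELL defaults to the path used in the thread; override it to test on a copy.
JAILSHELL="${JAILSHELL:-/usr/bin/jailshell}"
# Read-only binds requested in the posts above.
EXTRA_BINDS="/etc/bash.bashrc /etc/bash_completion /etc/bash_completion.d
/etc/bashrc.d /etc/manpath.config"

# add_jail_binds FILE
#   0: FILE now has every bind (patched, or nothing was missing)
#   1: no "exec ... bwrap \" line found (unknown layout); FILE is left untouched
add_jail_binds() {
    local file="$1" missing="" p tmp rc
    grep -Eq 'exec( -a jailshell)? bwrap .*\\$' "$file" || return 1
    for p in $EXTRA_BINDS; do
        # A path counts as present if any --ro-bind-try line names it as the
        # source, whatever the column spacing (0.7 and 0.8 differ there).
        awk -v p="$p" '$1 == "--ro-bind-try" && $2 == p { hit = 1 }
                       END { exit !hit }' "$file" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    tmp=$(mktemp) || return 1
    awk -v list="$missing" '
        { print }
        /exec( -a jailshell)? bwrap .*\\$/ && !ins {
            n = split(list, a, " ")
            for (i = 1; i <= n; i++)
                printf "      --ro-bind-try %s %s \\\n", a[i], a[i]
            ins = 1
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the script keeps its owner and mode.
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Hook entry point: patch the installed script and fail loudly when the layout
# is not one of the two known ones, instead of leaving a half-edited jail.
if [ -f "$JAILSHELL" ]; then
    add_jail_binds "$JAILSHELL" || {
        echo "jailshell: unrecognised layout, binds not added" >&2
        exit 1
    }
fi
```

Running it with `JAILSHELL` pointed at a copy of the script and diffing the result against the original shows exactly which bind lines a build would add before anything touches /usr/bin/jailshell.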
 