Apache Jail/Chroot for DirectAdmin - 2019

DewlanceVPS

Hello,

Users can access /etc and various other directories, so how can we use Jail Apache/Chroot Apache?

How to fix this issue?



Thanks.
 
Hello,

Usually PHP open basedir is used here to prevent access.

If you give your users SSH access, then you might consider using ChrootDirectory in /etc/ssh/sshd_config per user.
 
Hello,

Usually PHP open basedir is used here to prevent access.

If you give your users SSH access, then you might consider using ChrootDirectory in /etc/ssh/sshd_config per user.

Update: Open Basedir is already enabled on all accounts.

I do not provide SSH access to users, but found that a user can see various system files from a domain/shell script.
 
Use CloudLinux then, a commercial OS, it will restrict access.

I have been using CL for a long time, but 7 months ago I found that it was easy to bypass it, so I enabled Apache jail. (Different control panel, not DA)

Anyway, thanks for your response. You are such a good person.

I will try to find a solution for DA.
 
Does Apache Jail protect against directory browsing in shell scripts?

And are you sure that CageFS in CloudLinux does not protect you against it?
 
Does Apache Jail protect against directory browsing in shell scripts?

And are you sure that CageFS in CloudLinux does not protect you against it?


Yes, I tested it with CloudLinux.

After enabling ApacheJail, shell scripts were unable to access other users' directories, especially those with 777 permissions.


ApacheJail with DirectAdmin would be best for security.
 
Worth noting for this discussion.

php-fpm has the ability to chroot a pool to a certain user directory.

So if you can set up an adequate chroot'd environment for every user, conceivably you could chroot each user's php-fpm pool into that environment.

Of course... you would have to set up the chroot'd environment (i.e. the /home/virtfs/user equivalent if you are coming over from cPanel) for each user. And this limitation would only apply to PHP environments on your server. But still... it would be nice to have (not really suggesting that this is something DirectAdmin should be providing).

chroot'ing will differ slightly from open_basedir protection. Correct me if I'm wrong, but open_basedir won't protect you from - shell_exec("cat /etc/passwd") - open_basedir only affects the PHP-defined file access functions. Of course... why you are allowing shell_exec() to run in PHP on your server is another valid question.
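The two approaches contrasted in the post above, written out as an added example (not from this thread, from DirectAdmin, or from php-fpm's own documentation); the user name, socket paths and jail path are assumptions, and the two pools are alternatives to compare, not meant to be loaded together.

```ini
; Constructed example: two php-fpm pool definitions for a hypothetical user
; "example_user". Paths, socket names and the user name are assumptions.

; Weak: open_basedir only restricts PHP's own file functions (fopen, include,
; file_get_contents, ...). Anything the script spawns via shell_exec(), exec()
; or proc_open() runs as a normal process and is not covered by it.
[example_user_basedir_only]
user   = example_user
group  = example_user
listen = /run/php-fpm/example_user-weak.sock
php_admin_value[open_basedir] = /home/example_user:/tmp

; Hardened: chroot the whole pool into a per-user jail (the /home/virtfs/<user>
; equivalent mentioned above) and also disable the process-spawning functions,
; so the open_basedir gap is closed from both sides.
; The jail must contain everything PHP needs at run time: its own /tmp, any
; shared libraries and extensions, timezone and DNS data, database sockets.
[example_user_jailed]
user   = example_user
group  = example_user
listen = /run/php-fpm/example_user-jailed.sock
chroot = /home/virtfs/example_user
; every path below is interpreted relative to the chroot, and the web server
; must pass a chroot-relative SCRIPT_FILENAME or scripts will not be found
chdir  = /home/example_user
php_admin_value[open_basedir]      = /home/example_user:/tmp
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_value[upload_tmp_dir]    = /tmp
php_admin_value[session.save_path] = /tmp
```

Setting disable_functions through php_admin_value makes it non-overridable from the script or from .user.ini, which is the point of putting it in the pool rather than in php.ini alone.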
 
See... this is part of the issue I have with the documentation with DirectAdmin. Now, granted, this is not a fully implemented feature (it says Unfinished... I assume that's some type of beta?). And I haven't even tried to implement this, maybe it's more self-explanatory when you go to build and turn this on. But just from reading that link... I'm not able to get a lot of information.

DirectAdmin can make use of this with a new value (set to 0 by default)
/usr/local/directadmin/directadmin set jail 1
service directadmin restart


OK, I get that. But then there's:

Alternatively, you can set:
/usr/local/directadmin/directadmin set jail 2
service directadmin restart


OK, what does that do? How is 2 different from 1?

GLOBAL TOKENS
HAVE_JAIL=0|1|2

Note that this is entirely based on the directadmin.conf.
CustomBuild will need to set jail=1 upon ./build jailshell and restart DA.
Admins can bump this up to level 2 if desired.


OK, what does bumping this up to 2 do?

Am I missing something?
 
OK, what does that do? How is 2 different from 1?
I'm sorry for this :) I haven't modified anything, from the same page:
so that regardless of any package/reseller/user.conf settings, jail is ALWAYS enabled, and will always be set for ssh/cron when saved.

So, 2 - enabled for everyone. 1 - enabled for selected users.

As it's named in the article - yes, it's BETA. And available in pre-release only.

OK, what does bumping this up to 2 do?

That's for global tokens in SKIN (section for any skin developers). It's about the same - "2" can be set by admins only (server owners).

Please let us know if there are any questions/issues with it.

Thank you.
 