Apache Jail/Chroot for DirectAdmin - 2019

DewlanceVPS

Hello,

Users can access /etc and various directories, so how can we use Jail Apache/Chroot Apache?

How to fix this issue?



Thanks.
 

zEitEr

Hello,

Usually PHP open basedir is used here to prevent access.

If you give your users SSH access, then you might consider using ChrootDirectory in /etc/ssh/sshd_config per user.
 

DewlanceVPS

Hello,

> Usually PHP open basedir is used here to prevent access.
>
> If you give your users SSH access, then you might consider using ChrootDirectory in /etc/ssh/sshd_config per user.

Update: Open Basedir is already enabled on all accounts.

I do not provide SSH access to users, but found that a user can see various system files from domain/shell-script.
 

DewlanceVPS

> Use CloudLinux then, a commercial OS, it will restrict access.

I have been using CL for a long time, but 7 months ago I found that it was easy to bypass it, then I enabled Apache jail. (Different control panel, not DA.)

Anyway, thanks for your response. You are such a good person.

I will try to find a solution for DA.
 

zEitEr

Does Apache Jail protect against directory browsing in shell scripts?

And are you sure that CageFS in CloudLinux does not protect you against it?
 

DewlanceVPS

> Does Apache Jail protect against directory browsing in shell scripts?
>
> And are you sure that CageFS in CloudLinux does not protect you against it?

Yes, I tested it with CloudLinux.

After enabling ApacheJail, shell scripts were unable to access others' directories, especially with 777 permission.

ApacheJail with DirectAdmin will be best for security.
 

sparek

Worth noting for this discussion.

php-fpm has the ability to chroot a pool to a certain user directory.

So if you can set up an adequate chroot'd environment for every user, conceivably you could chroot each user's php-fpm pool into that environment.

Of course... you would have to set up the chroot'd environment (i.e. the /home/virtfs/user equivalent if you are coming over from cPanel) for each user. And this limitation would only apply to PHP environments on your server. But still... it would be nice to have (not really suggesting that this is something DirectAdmin should be providing).

chroot'ing will differ slightly from open_basedir protection. Correct me if I'm wrong, but open_basedir won't protect you from - shell_exec("cat /etc/passwd") - open_basedir only affects the PHP-defined file access functions. Of course... why you are allowing shell_exec() to run on PHP on your server is another valid question.
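The difference between a php-fpm pool chroot and open_basedir discussed in the post above can be checked per pool. The script below is an added example, not code from the thread or from DirectAdmin; the pool names, paths and the list of process-spawning functions are assumptions, and the sample config is constructed.

```python
import re

# Constructed sample: two php-fpm pools; user names and paths are made up.
SAMPLE_POOLS = """\
[alice]
user = alice
chroot = /home/jail/alice
; with chroot set, open_basedir paths are relative to the jail
php_admin_value[open_basedir] = /public_html/:/tmp/
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen

[bob]
user = bob
php_admin_value[open_basedir] = /home/bob/:/tmp/
"""

# Assumed list of process-spawning PHP functions; open_basedir does not limit what they read.
EXEC_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}

def parse_pools(text):
    """Return {pool_name: {directive: value}} from php-fpm pool config text."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and ';' comments
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = pools.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return pools

def audit(text):
    """Return {pool_name: [issues]}; an empty list means all three controls are set."""
    findings = {}
    for name, cfg in parse_pools(text).items():
        issues = []
        if not cfg.get("chroot"):
            issues.append("no chroot")
        if not cfg.get("php_admin_value[open_basedir]"):
            issues.append("no open_basedir")
        disabled = {f.strip() for f in cfg.get("php_admin_value[disable_functions]", "").split(",")}
        enabled = sorted(EXEC_FUNCS - disabled)
        if enabled:
            issues.append("exec functions enabled: " + ",".join(enabled))
        findings[name] = issues
    return findings
```

The check reads only the pool file; functions disabled globally in php.ini would also apply and are not seen by it.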
 