I know there's a negativity on these forums any time you mention cPanel - but that's the one control panel I'm familiar with.
With cPanel - its jailshell creates a fully functioning chroot'd environment in the directory structure /home/virtfs/%user% then it chroots to that directory.
DirectAdmin's Bubblewrap doesn't appear to do that. From the best I can tell, it creates the chroot'd environment in-line with the invocation of /usr/bin/jailshell.
Now I realize that cPanel and DirectAdmin aren't the same thing. I'm not trying to ruffle anyone's feathers with this. My first question is, am I right? Or is there a /home/virtfs/%user% equivalent path within the DirectAdmin bubblewrap chroot?
The reason that /home/virtfs/%user% is nice, is because if you are using php-fpm, like I am, then php-fpm has a neat configuration variable that can be set within the user's php-fpm pool file called chroot which can then be set to this jailshell or bubblewrap chroot.
On cPanel - you can set this chroot variable to /home/virtfs/%user% - and then all execution of PHP by that user is chroot'd to its respective jailshell - meaning that PHP can't read anything outside of the user's chroot'd environment. Effectively it's CageFS for PHP without the CloudLinux license.
There's a small issue with this on cPanel - in that it doesn't fully populate /home/virtfs/%user% unless you log in to that user with jailshell. But that's remedied by looping through /var/cpanel/users for a list of users and executing a su -s /usr/local/cpanel/bin/jailshell -c exit %user% for each user.
I simply bring this up because I thought this would be a nice feature for DirectAdmin to have - being able to prevent a user from escaping out of their chroot environment when executing PHP.
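
The cPanel steps described in the post above (pre-populating each jail, then pointing the pool's chroot at it), as an added example that is not part of the original post and not cPanel's own tooling. The paths are the ones quoted in the post; the function names, DRY_RUN, the username filter and the "non-empty directory" check are assumptions of this sketch.

```bash
# Added example. Paths are the ones quoted in the post; function names,
# DRY_RUN, the username filter and the "non-empty" check are assumptions.
export LC_ALL=C
USERS_DIR="${USERS_DIR:-/var/cpanel/users}"
VIRTFS="${VIRTFS:-/home/virtfs}"
JAILSHELL="${JAILSHELL:-/usr/local/cpanel/bin/jailshell}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the su commands

# One account name per file in USERS_DIR; skip names that are not plain
# lowercase alphanumerics so nothing odd is ever handed to su.
list_users() {
    local f name
    for f in "$USERS_DIR"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in
            ''|[!a-z]*|*[!a-z0-9]*) continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Coarse heuristic: a jail that is absent or empty has never been built.
jail_missing() {
    local d="$VIRTFS/$1"
    [ ! -d "$d" ] || [ -z "$(ls -A "$d" 2>/dev/null)" ]
}

# Trigger jail creation with the command from the post.
populate_jails() {
    local u
    list_users | while read -r u; do
        jail_missing "$u" || continue
        if [ "$DRY_RUN" = 1 ]; then
            printf 'su -s %s -c exit %s\n' "$JAILSHELL" "$u"
        else
            su -s "$JAILSHELL" -c exit "$u" </dev/null   # keep su off the loop's stdin
        fi
    done
}

# Emit the php-fpm pool directive only when the jail exists, so a pool is
# never pointed at an empty chroot.
chroot_directive() {
    if jail_missing "$1"; then
        echo "jail for $1 not populated; pool left unchanged" >&2
        return 1
    fi
    printf 'chroot = %s/%s\n' "$VIRTFS" "$1"
}
populate_jails
```

Run it as root with DRY_RUN=0 to actually build the jails; the default only prints the commands it would run.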