Bubblewrap chroot

sparek

I know there's negativity on these forums any time you mention cPanel - but that's the one control panel I'm familiar with.

With cPanel - its jailshell creates a fully functioning chroot'd environment in the directory structure /home/virtfs/%user% then it chroots to that directory.

DirectAdmin's Bubblewrap doesn't appear to do that. From the best I can tell, it creates the chroot'd environment in-line with the invocation of /usr/bin/jailshell

Now I realize that cPanel and DirectAdmin aren't the same thing. I'm not trying to ruffle anyone's feathers with this. My first question is, am I right? Or is there a /home/virtfs/%user% equivalent path within the DirectAdmin bubblewrap chroot?

The reason that /home/virtfs/%user% is nice, is because if you are using php-fpm, like I am, then php-fpm has a neat configuration variable that can be set within the user's php-fpm pool file called chroot which can then be set to this jailshell or bubblewrap chroot.

On cPanel - you can set this chroot variable to /home/virtfs/%user% - and then all execution of PHP by that user is chroot'd to its respective jailshell - meaning that PHP can't read anything outside of the user's chroot'd environment. Effectively it's CageFS for PHP without the CloudLinux license.

There's a small issue with this on cPanel - in that it doesn't fully populate /home/virtfs/%user% unless you log in to that user with jailshell. But that's remedied by looping through /var/cpanel/users for a list of users and executing a su -s /usr/local/cpanel/bin/jailshell -c exit %user% for each user.

I simply bring this up because I thought this would be a nice feature for DirectAdmin to have - being able to prevent a user from escaping out of their chroot environment when executing PHP.
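
A check for the php-fpm setup described in the post above, as an added example that is not part of the original thread: it reports pools whose chroot directive is missing or points somewhere other than the user's own jail. The pool directory argument, the status labels and the sample pool files are assumptions constructed for illustration; /home/virtfs is the base path named in the post.

```shell
#!/bin/sh
# Added example: report php-fpm pools whose `chroot` directive is missing or
# does not point at the per-user jail. The CHROOT_BASE/<user> convention and
# the pool directory layout are assumptions based on the thread.

audit_fpm_chroot() {   # usage: audit_fpm_chroot POOL_DIR CHROOT_BASE
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v base="$2" '
            function report(   want, status) {
                if (pool == "" || pool == "global") return
                want = base "/" user
                if (chroot == "")        status = "NO_CHROOT"
                else if (chroot != want) status = "MISMATCH"
                else                     status = "OK"
                print pool, user, status
            }
            /^[ \t]*;/ { next }                      # php-fpm comment line
            /^[ \t]*\[/ {                            # start of a [pool] section
                report()
                pool = $0; sub(/^[ \t]*\[/, "", pool); sub(/\].*$/, "", pool)
                user = ""; chroot = ""; next
            }
            /^[ \t]*(user|chroot)[ \t]*=/ {          # the two directives audited
                key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\/]*$/, "", val)
                if (key == "user") user = val; else chroot = val
            }
            END { report() }
        ' "$f"
    done
}

demo() {   # constructed sample pools, not taken from a real server
    d=$(mktemp -d) || return 1
    printf '[alice]\nuser = alice\nchroot = /home/virtfs/alice\n' > "$d/alice.conf"
    printf '[bob]\nuser = bob\n;chroot = /home/virtfs/bob\n'      > "$d/bob.conf"
    printf '[carol]\nuser = carol\nchroot = /home/virtfs/alice\n' > "$d/carol.conf"
    audit_fpm_chroot "$d" /home/virtfs
    rm -rf "$d"
}

demo
```

A pool reported as NO_CHROOT runs PHP with the whole filesystem visible to it; MISMATCH flags a pool jailed into a different user's tree.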
 
If you use LiteSpeed (added in 6 RC) or OpenLiteSpeed (current), they also have their bubblewrap for PHP and CGI for which DA


LSWS 6.0 RC1

MAJOR NEW FEATURE Bubblewrap isolated CGI/PHP execution environments.

https://www.litespeedtech.com/products/litespeed-web-server/release-log

OLS did that 2 months ago

https://openlitespeed.org/release-log/version-1-6-x/

V1.6.15 Stable
2020-08-05

and

DA Version 1.61.4 is out it has

BubbleWrap for LiteSpeed (TEMPLATES)

https://www.directadmin.com/features.php?id=2866
 
Unfortunately, I'm using Apache and I'm not really ready to make the leap to Litespeed.

Although... this did provide some insights. I thought Bubblewrap was just the name of this system that DirectAdmin developed that was akin to cPanel's jailshell. But in fact, Bubblewrap is a 3rd party developed system that DirectAdmin is just incorporating. I did not realize that.
 
> I simply bring this up because I thought this would be a nice feature for DirectAdmin to have - being able to prevent a user from escaping out of their chroot environment when executing PHP.
Why do you think they're able to escape it now? (with the PHP modes supported by bubblewrap at this time - lsphp in OpenLiteSpeed and LiteSpeed, FastCGI and PHP from CLI/Cron)
 
There's not a facility for incorporating this with php-fpm. Or am I missing something?

FastCGI is not the same as FPM.

You can still <?php print(shell_exec("cat /etc/yum.conf")); ?> and read /etc/yum.conf (or other files). Of course... this can be stopped by not allowing shell_exec()
 
> There's not a facility for incorporating this with php-fpm. Or am I missing something?
>
> FastCGI is not the same as FPM.
>
> You can still <?php print(shell_exec("cat /etc/yum.conf")); ?> and read /etc/yum.conf (or other files). Of course... this can be stopped by not allowing shell_exec()
You cannot, if you’re in bubblewrap. No support for php-fpm at this time. So, things like that can be done in php-fpm. Php-fpm supports a native chroot though, and it may be integrated in DA sometime in the future.
 
Yea, the native chroot in php-fpm is what I was referring to.

I suppose the easy solution might be to just create a directory structure for every user (i.e. /opt/phpchroot/%user%) with bind mounts of all of the relevant system directories within each of those directory structures. Then set the chroot php-fpm variable to /opt/phpchroot/%user% for each respective user pool. But figuring out which system directories need to be mounted would be the hard part.

I honestly thought Bubblewrap was something you all invented and that was just the name you used. And I thought maybe you all had a way to translate the Bubblewrap chroot into a directory structure which could then be used by php-fpm. But now I know you're just using the Bubblewrap software developed by Flatpak
 
It needs no directory structure, as it simply uses linux namespaces. I'm really not a fan of a copy-of-everything + bind mounts :) It was needed when linux namespaces did not exist, but.. CentOS6 times are almost over. Regarding PHP-FPM - I think isolation is definitely coming in the future to it. Please note linux permissions are still in effect, yum.conf is world-readable, but you cannot simply read your webserver log of files of another user (this doesn't mean jailing isn't needed)
 
I agree. If more people understood proper Linux permission settings and setting permissions to least-needed-level, then that would solve a lot of things.

But sadly a lot of people don't understand least privileges and leave files open that could potentially expose sensitive information. CageFS I suppose provides this with CloudLinux, but there's also a directive setting right there for php-fpm to use, so why waste the money on CloudLinux just for CageFS?

I did find:


With a bit of description:


(I'm really just posting these links to act as a bookmark for myself, so I can find them later)

But as you say, this depends on bind mounts and not namespaces, so may not be directly applicable to your endeavors.
 
Here's something I do not have time to test with php-fpm

 
> Why do you think they're able to escape it now? (with the PHP modes supported by bubblewrap at this time - lsphp in OpenLiteSpeed and LiteSpeed, FastCGI and PHP from CLI/Cron)

Does bubblewrap work in CLI/Cron with lsphp and LiteSpeed? This is not 100% clear; asking to be sure I understand it correctly :)
 
> Does bubblewrap work in CLI/Cron with lsphp and LiteSpeed? This is not 100% clear; asking to be sure I understand it correctly :)
OLS 1.7.5, LiteSpeed 6.0 (RC1 already there) and Apache+PHP-FastCGI for now :) (+ CLI/Cron with any mode, of course).
 
> OLS 1.7.5, LiteSpeed 6.0 (RC1 already there) and Apache+PHP-FastCGI for now :) (+ CLI/Cron with any mode, of course).

Thank you. The docs do not say Apache + FCGI. I'll sleep better tonight knowing that I have a full alternative to CL if they decide to go crazy with the price :)
 