SSH / chroot / user jail - vaporware?

We definitely have backup plans. :D We do have other coders available locally if some emergency did come up.

Hired help would also take the form of local employees, as there are security issues of course (not only protecting our source code, but making sure nobody harms our customers' systems either).

Mark
 
Hi Guys,

Ok, here we go :)

I'll classify this as pre-beta.. alpha even.. I have tested it somewhat, but there are so many areas that this script will touch that we can only assume it won't be perfect straight out of the gates.

I'll also ask that all "issues" with it get posted back here and not emailed to us so that we don't get duplicate support requests piled up in our inbox :)

Also note that there is no jailing interface for DA at this time, and all jailed users will need to be done manually by running a script for each one (you could actually add it to the user_create_post.sh script, but I'll let you guys figure that out)

Installation of the jailing scripts and patches:
Code:
cd /usr/local/directadmin/customapache
mkdir jail
cd jail
wget http://files.directadmin.com/services/customapache/jail/build
chmod 755 build
./build update
./build all
That should get the new files, patch apache and build a few programs.

Once that's all good and ready, I recommend you back up /etc/passwd, /etc/shadow, /etc/group, and /etc/master.passwd (if you have it), just for safety measures ;)

To jail a particular user, first create him through DA, and make sure he has SSH enabled. This will add all required lines to the sshd_config file. Once created and SSH is enabled, you can then set up the jailing environment:
Code:
cd /usr/local/directadmin/customapache/jail
./jail_user.sh username
That should set up the environment and also set up the jailed shell.

If you want them to have Jailed CGI, then you need to add some code to their httpd.conf. Go to Admin Panel -> Admin Settings -> Custom httpd configurations -> domain.com (for each of their domains) and add:
Code:
SetEnv JAIL_DIR |HOME|

PHP (when run as apache) isn't jailed like CGI is, but with the open_basedir function, it should help tighten things up.

I've included nbsmtp as a replacement for sendmail inside the jail which basically just connects to port 25 to send email through the regular exim.

I expect it not to be perfect at this point, but it should be functional at least. :)

John
 
this is very good :)
Is this working in FreeBSD too (both versions), or only in Red Hat?
 
DirectAdmin Support said:
PHP (when run as apache) isn't jailed like CGI is, but with the open_basedir function, it should help tighten things up.

I thought if each user was chrooted to their home directory and jailed in there, it would mean that anything they use (such as Apache/PHP) would also be limited to their jail?

Thanks,
Matt :)
 
The user doesn't run apache - the server does so apache itself isn't chrooted.

Using open_basedir or safe mode helps, you can also use phpsu and then PHP does run much like CGI perl will (or should be).

I'm hoping to try this jail out soon and report back.
 
Oh, I thought Apache would be sort of chrooted into the user dir too... I guess that's not possible though?

So the jail is mainly for giving more secure SSH access to users?

Thanks,
Matt
 
Install went very clean, jailed first user and logged in OK, it is definitely jailed. Still testing further.
 
Directory structure is a bit screwy, such as domains, mail and public_html rightfully belong under the jailed home/huskey12 directory and not under jail root. Of course I'm sure that was intentional due to docroot being defined as "DocumentRoot /home/huskey12/domains/huskeyenterprises.com/public_html", which won't change until an interface is added to DirectAdmin to jail a user.


[root@taz huskey12]# pwd
/home/huskey12
[root@taz huskey12]# ls -al
total 60
drwx--x--x 9 huskey12 huskey12 4096 Jul 15 16:00 .
drwxr-xr-x 35 root root 4096 Jul 13 15:16 ..
-rw-r--r-- 1 huskey12 huskey12 24 Apr 19 08:31 .bash_logout
-rw-r--r-- 1 huskey12 huskey12 191 Apr 19 08:31 .bash_profile
-rw-r--r-- 1 huskey12 huskey12 124 Apr 19 08:31 .bashrc
drwxr-xr-x 2 root root 4096 Jul 15 16:07 bin
drwx--x--x 6 huskey12 huskey12 4096 Apr 19 08:31 domains
-rw-r--r-- 1 huskey12 huskey12 847 Apr 19 08:31 .emacs
drwxr-xr-x 3 root root 4096 Jul 15 16:07 etc
-rw-r--r-- 1 huskey12 huskey12 120 Apr 19 08:31 .gtkrc
drwxr-xr-x 3 root root 4096 Jul 15 16:00 home
drwxr-xr-x 3 root root 4096 Jul 15 16:00 lib
drwx------ 2 huskey12 huskey12 4096 Apr 19 08:31 mail
lrwxrwxrwx 1 huskey12 huskey12 43 Apr 19 08:31 public_html -> ./domains/huskeyenterprises.com/public_html
-rw-r----- 1 huskey12 mail 13 Jul 15 16:00 .shadow
drwxr-xr-x 9 root root 4096 Jul 15 16:00 usr
 
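An audit for the layout in the listing above, where bin, etc, lib and usr sit inside the jail root. This is an added example, not part of DirectAdmin's jail scripts; the function name audit_jail and the rule it checks (owned by root and not writable by group or others, the condition OpenSSH places on a ChrootDirectory path) are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example; not part of DirectAdmin's jail scripts.
# audit_jail JAILROOT [OWNER]
#   Lists every path that breaks the rule "owned by OWNER (default root) and
#   not writable by group or others" for the jail root itself and for the
#   system directories seen in the listing (bin, etc, lib, usr).
#   Returns 0 when nothing is listed, 1 on findings, 2 on bad arguments.
audit_jail() {
    jail=$1
    owner=${2:-root}
    [ -d "$jail" ] || { echo "not a directory: $jail" >&2; return 2; }
    id -u "$owner" >/dev/null 2>&1 || { echo "unknown user: $owner" >&2; return 2; }

    findings=$(
        # The jail root itself, without descending: the user's own files
        # under home/ are expected to be user-owned and are not audited.
        find "$jail" -prune \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
        # Everything below the system directories. Symlinks are skipped
        # because their own mode bits are always 777.
        for d in bin etc lib usr; do
            [ -d "$jail/$d" ] || continue
            find "$jail/$d" ! -type l \
                \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (as root): audit_jail /home/username
```

Run against the listing above with the default owner, it would report /home/huskey12 itself, since the jail root there is owned by huskey12 rather than root.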
thuskey said:
If anyone would like to login, test their cgi's for jail compliance, try to break out of jail or whatever please do.

Server: testbox.my1host.com
Service/Port: SSH/22
Login: huskey12
Password: abc123

Note, PHP open_basedir is currently commented out in the user's apache config. Let me know if your testing requires turning it on.
I think someone got it; can't connect to the server...
I was hoping to do some tests with compiling and running applications (while no longer logged in). ;)
 
if necessary, try the ip address: 66.246.169.144. I run portsentry on all my servers so don't screw up and try to telnet in first because iptables will block you out. If this happens, drop me your IP address via PM and I'll remove it from the block list.
 
thuskey said:
if necessary, try the ip address: 66.246.169.144. I run portsentry on all my servers so don't screw up and try to telnet in first because iptables will block you out. If this happens, drop me your IP address via PM and I'll remove it from the block list.

Thanks :)

Uhhm, this is a really limited shell...
Compiler can't be found, dig doesn't work, ping doesn't work, all I could find without a problem is a php executable.
Didn't even try to get programs to run with the shell. It's really limited :D
I only forgot to try mysql client and wget.
(and tar)...

But I presume they aren't working.
It's almost perfect so far, just need a few more permissions until it's good enough to use in a production environment.
Oh by the way: did anyone try to gain root from the chrooted environment?


Semi edit:
-/bin/bash-2.05b$ uname -a
-/bin/bash: uname: command not found
-/bin/bash-2.05b$ mysql -v
ERROR 2002: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
-/bin/bash-2.05b$ wget --help
-/bin/bash: wget: command not found
-/bin/bash-2.05b$

This way users can't do anything, just like we want it :D

Is it me, or is the Vi installation acting up a bit?
Commands don't seem to work the way they should...
 
Not sure if this is a problem but got this when creating a user:

cp: cannot create regular file `/home/voiceofuk/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE/libperl.so': No such file or directory

Also, the users are being jailed to /home/USER/home/USER :confused:
Shouldn't it be /home/USER ?
 
Peter Verrill said:
Not sure if this is a problem but got this when creating a user:

cp: cannot create regular file `/home/voiceofuk/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE/libperl.so': No such file or directory

does /usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE/libperl.so exist on your server?
 
Yea, it's there.

Hmm, it looks like the file was created though. I never looked before...
 
Peter Verrill said:
Also, the users are being jailed to /home/USER/home/USER :confused:
Shouldn't it be /home/USER ?

Only root sees /home/user/home/user/, the user actually sees /home/user/ only, which is similar to the way most all jail setups work.

The only major change I would make, would probably be to put them in directories like:

/home/reseller/home/reseller/domains/
/home/reseller/home/reseller/mail/
/home/reseller/home/reseller/public_html/
/home/reseller/home/user1/domains/
/home/reseller/home/user1/mail/
/home/reseller/home/user1/public_html/

with all file and directory permissions looking something like this draft model, from the root user's point of view:

drwx------ reseller:reseller /home/reseller
drwxr-xr-x reseller:reseller /home/reseller/home
drwxrwx--- reseller:reseller /home/reseller/home/reseller/
drwxrwx--- user1:user1 /home/reseller/home/user1
drwxrwx--- user2:user2 /home/reseller/home/user2
drwxrwx--- user3:user3 /home/reseller/home/user3

Then the reseller would be a member of the groups: reseller user1 user2 user3, giving them power to assist their users when needed.
 
Yea, that makes sense.

When I first logged in with a test account I created the full system path was:
/home/user/home/user (/home/user to the jailed user)
and I had to use cd / to get to /home/user (/ to jailed user).

I guess what I'm trying to say is why isn't the main path /home/user (opposed to /home/user/home/user), just makes more sense to me.
 
Peter Verrill said:
Yea, that makes sense.

When I first logged in with a test account I created the full system path was:
/home/user/home/user (/home/user to the jailed user)
and I had to use cd / to get to /home/user (/ to jailed user).

I guess what I'm trying to say is why isn't the main path /home/user (opposed to /home/user/home/user), just makes more sense to me.

You're right, it makes a whole lot of sense, since public_html, domains, and mail all reside at /home/user and not at /home/user/home/user. But would it make more sense to you if it looked more like this to the root user:

/home/user/
/home/user/bin/
/home/user/etc/
/home/user/lib/
/home/user/usr/
/home/user/home/user/domains/
/home/user/home/user/mail/
/home/user/home/user/public_html/

and this to the jailed user:

/
/bin/
/etc/
/lib/
/usr/
/home/user/domains/
/home/user/mail/
/home/user/public_html/

... hey, I just logged in and confused myself. /home/huskey12 was empty, forgot all those files currently exist in jailroot :)
 