SSH / chroot / user jail - vaporware?

Hi guys,

To put it plain and simple we can't move forward without any feedback. There seem to be lots of people interested in the feature but very little testing involved. Everything looks good on our systems but that doesn't mean it will operate perfectly in the real world. The number of testers so far can be counted on one hand, so it wouldn't be wise to release the feature to everyone at the moment.

If nobody watching this thread is interested in testing, perhaps we can make an announcement, or even better include testing information with new license purchase e-mails to get the ball rolling a bit faster.

Mark
 
My testbed is currently quite busy but I'll be able to test it in about two weeks, after I return from ISP.CON, if you still need testers then.

Jeff
 
DirectAdmin Sales said:
Hi guys,

To put it plain and simple we can't move forward without any feedback. There seem to be lots of people interested in the feature but very little testing involved. Everything looks good on our systems but that doesn't mean it will operate perfectly in the real world. The number of testers so far can be counted on one hand, so it wouldn't be wise to release the feature to everyone at the moment.

If nobody watching this thread is interested in testing, perhaps we can make an announcement, or even better include testing information with new license purchase e-mails to get the ball rolling a bit faster.

Mark

Where do you want the feedback sent to? I'll put up a test box I guess and ask for volunteers to test it out from my own user forums.
 
Hi Gary,

You can send any errors to [email protected] , and please provide as much information as possible. We just want to know what problems, if any, are encountered during day-to-day operations.

We will support these test systems, so if there is an error affecting the functionality of the box then we will treat it as a normal support request. Hopefully this will help.

Mark
 
Hi,

I did some testing with the jail.
I use FreeBSD 4.9 so things are probably a bit different for me.
What I found is that a number of programs do not work because the files have a different path in FreeBSD.
Findings:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vi
does not work, because of
1) wrong path
solution: change vi path in files.list to "/usr/bin/vi".
2) No terminal database found
solution:
add "mkdir -p $USER_HOME/usr/share" to jail_user.sh
add "mkdir -p $USER_HOME/usr/share/misc" to jail_user.sh
add /usr/share/misc/termcap.db to files.list
3) ex/vi: Error: Unable to create temporary file: No such file or directory
solution:
add "mkdir -p $USER_HOME/tmp" to jail_user.sh
add "mkdir -p $USER_HOME/var/tmp" to jail_user.sh
add "chmod 777 $USER_HOME/tmp" to jail_user.sh
add "chmod 777 $USER_HOME/var/tmp" to jail_user.sh
4) vi strange behaviour: messed up screen, invisible text, etc.
solution: add "mysetenv("TERM", "vt100");" to chrootshell.c and ./build shell
alternate solution: TERM=vt100;export TERM
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
sh
the .profile is not read
solution: none yet
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
bash
the .bash_profile is not read
solution: none yet
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ping
does not work because of:
1) wrong path
solution:
add "mkdir -p $USER_HOME/sbin" to jail_user.sh
add "/sbin/ping" to files.list
add /sbin to $PATH
after this, ping seems to work, but:
$ ping trends.org
ping: socket: Operation not permitted
(probably permission problem for socket)
solution:
omit ping from jail
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
man is not working
solution: none yet
I have spent a couple of hours on man, but was unable to solve all the problems.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
tar is not there
solution:
add "/usr/bin/tar" to files.list
I am not sure, but I think I have also added "/usr/bin/gzip" to files.list
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
find is not there: add "/usr/bin/find"
more is not there: add "/usr/bin/more"
unzip is not there: add "/usr/local/bin/unzip" + the PATH to unzip
zcat is not there: add "/usr/bin/zcat"
uname is not there: add "/usr/bin/uname"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

There are probably more problems than the above, but it is getting usable.
One of the important things to fix is the execution of .profile or .bash_profile because of the PATH settings.
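
The two kinds of failure reported in the post above (a path in files.list that is wrong for the OS, and a file or directory that never made it into the jail) can be checked mechanically. This is an added example, not part of the original post or of DirectAdmin's scripts; the function names, the optional host-root argument and the one-path-per-line files.list format are assumptions. It also flags temp directories that lack the sticky bit (mode 1777, as on a normal /tmp).

```shell
#!/bin/sh
# Added example: audit a chroot jail against files.list (format assumed: one
# absolute path per line, '#' starts a comment). All names are hypothetical.

# audit_files_list JAIL_ROOT FILES_LIST [HOST_ROOT]
# Prints entries that do not exist on the host (wrong path for this OS) or
# that exist on the host but were never copied into the jail.
audit_files_list() {
    jail=$1 list=$2 host=${3:-}
    while IFS= read -r path; do
        case $path in ''|'#'*) continue ;; esac
        if [ ! -e "$host$path" ]; then
            echo "HOST-MISSING $path"
        elif [ ! -e "$jail$path" ]; then
            echo "JAIL-MISSING $path"
        fi
    done < "$list"
}

# audit_tmp_dirs JAIL_ROOT
# Temp dirs must exist; world-writable ones should carry the sticky bit
# (mode 1777), as on a normal /tmp.
audit_tmp_dirs() {
    jail=$1
    for d in tmp var/tmp; do
        if [ ! -d "$jail/$d" ]; then
            echo "TMP-MISSING /$d"
        elif [ ! -k "$jail/$d" ]; then
            echo "TMP-NO-STICKY /$d"
        fi
    done
}

# Constructed sample tree (not a real jail) showing each finding type.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/host/usr/bin" "$t/host/usr/share/misc" "$t/jail/usr/bin" "$t/jail/tmp"
    : > "$t/host/usr/bin/vi"; : > "$t/host/usr/share/misc/termcap.db"
    : > "$t/jail/usr/bin/vi"
    chmod 777 "$t/jail/tmp"
    printf '%s\n' '# constructed list' /bin/vi /usr/bin/vi \
        /usr/share/misc/termcap.db > "$t/files.list"
    audit_files_list "$t/jail" "$t/files.list" "$t/host"
    audit_tmp_dirs "$t/jail"
    rm -rf "$t"
}

if [ "$#" -ge 2 ]; then audit_files_list "$1" "$2"; audit_tmp_dirs "$1"; else demo; fi
```

Run with a jail root and a files.list as arguments to audit a real jail; with no arguments it runs against the constructed sample tree.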
 
Has anyone tried using Installatron in a jailed environment? Installatron is currently storing user data in /usr/local/directadmin/plugins/iTron/data/ (which is chmod 777), and each user owns a file in that directory for his or her data. I don't think this is going to work given a jail, but I'm not too experienced with jailing and therefore can't answer this question for myself. :)

Phi1.
 
I don't have Installatron, though I don't think a jail would make any difference.

The installatron scripts would be executed by DirectAdmin which would be able to write to that directory...
 
Hi Phi1,

I use Installatron.
I have just installed an application with a jailed user, and it works.

You mean this directory:
/usr/local/directadmin/plugins/iTron/data/installs:
total 8
drwxrwxrwx 2 admin admin 512 Oct 30 00:52 .
drwxr-xr-x 4 admin admin 512 Oct 15 17:07 ..
... etc
-rw-r--r-- 1 multidns admin 166 Oct 30 00:52 multidns
... etc
Normal permissions, same as users that are not jailed.
 
l0rdphi1 said:
Has anyone tried using Installatron in a jailed environment? Installatron is currently storing user data in /usr/local/directadmin/plugins/iTron/data/ (which is chmod 777), and each user owns a file in that directory for his or her data. I don't think this is going to work given a jail, but I'm not too experienced with jailing and therefore can't answer this question for myself. :)

Phi1.

If the installatron uses CGI instead of perl - then yes that could impact it.

One thing Ensim does is use hardlinks to files it needs in its shell. However, I've had a theory that all those darned hardlinks are maybe why Ensim always had screwed up quotas.
 
Hey 113345, thanks, glad someone tested it on FreeBSD. I haven't had time yet, been busy.
 
DirectAdmin Sales 02-14-2004 05:11 PM said:
Straight poop:

We've been quiet about it, but I will say that programming is complete for jailing at all levels. It's a major system change so it's something we refuse to rush into.
It's coming!

Mark

9 months ago, programming was "complete" - now we moved into "testing" phase, feedback is being provided about what's in there, etc ... is any progress being made on getting another "completed" message?

I hate to pound on this subject, but there's a LOT of users that want/need/require shell access to perform tasks. We're constantly answering questions about when this is going to be available, as it's been "announced" several times.
 
Any update on the status of the "testing" or what not... we've been hearing about and talking about jailed environments for SSH etc for a year or so...

Be nice to be able to offer this feature....
 
I doubt you will ever see it. It's been almost a YEAR since this thread started and it's still vaporware. I guess DA is now managed by Ensim.

Notice it's DirectAdmin Sales, not DirectAdmin Programmer. Sales ppl will promise you anything whether it's real or not...don't you ever read Dilbert? LOL.
 
sullise said:
I doubt you will ever see it. It's been almost a YEAR since this thread started and it's still vaporware. I guess DA is now managed by Ensim.
Since people can't always tell if you're being facetious in a post it's probably not a good idea to say things like this which aren't true; these statements may not be obvious to all readers, especially those not familiar with English.

DirectAdmin is owned by JBMC software, though I usually just call them "DA" in these forums. They have no connection with Ensim.
Notice it's DirectAdmin Sales, not DirectAdmin Programmer. Sales ppl will promise you anything whether it's real or not...don't you ever read Dilbert? LOL.
Whereas DA staff wear different hats, the sales department and the other departments work together to continue to make DA the best possible Server Control Panel under the limitations of staff size and budget.

Jeff
 
We asked DA's support:

What about this?
http://www.directadmin.com/forum/showthread.php?s=&postid=39428#post39428
It is real actual features


They answered:

Hello,
we need people to test it, but nobody is. The jailing itself seems to work fine.. all that's left is to integrate it into DA .. but we can't release it as stable without any testing (I believe we've had maybe 3 people test it).
Thank you,
John

So, we should find people to test it and cooperate with DA support.
Is anybody? (who know English good, I cannot, my English not so good)
 
Ok..in future when I throw out some sarcasm, I'll be sure to include the <sarcasm> tags. ;)

As for the other comment, you have to admit, put yourself in the client's shoes....I think you'd feel the same way.

Whereas DA staff wear different hats, the sales department and the other departments work together to continue to make DA the best possible Server Control Panel under the limitations of staff size and budget.

I guess humor is not DA's forte.
 
sullise said:
Ok..in future when I throw out some sarcasm, I'll be sure to include the <sarcasm> tags. ;)
Actually not a bad idea; many people who don't speak English have problems picking out sarcasm.
I guess humor is not DA's forte.
I speak for myself, not for DA staff.

Jeff
 
Right, this needs sorting :)

Here's the problem; everyone wants user jailing, but obviously no one wants to test it on a production server.

If I set up a FreeBSD test server (which I'm more than happy to do), is there anyone who'd be willing to host their non-critical sites on there?

Please post below and I'll add your usernames to a list here:

THE LIST
  1. thoroughfare
  2. hostpc
  3. interfasys
  4. andyl
  5. sullise
  6. Chrysalis
  7. sullise

After about a week, I'll get the server set up and we can get testing.

Thanks,
Matt :D
 