SSH / chroot / user jail - vaporware?

[Chrysalis]

My site currently doesnt exist but when I start working on it, it will use php and mysql so I think will be a fair test, and I would like ssh access to do mysql commands so overall I think a good test of the whole jail system.

 

[thoroughfare]

Ok that's good

Anybody else interested? I'm going to have this system ready by 2-3rd February.

Matt

 

[SteveK42]

I installed it last night on our production server that has some add-ons like pgsql and Installatron...it's working great! However, I did have to add a few things to jail_user.sh, files.list, and chrootshell.c.

jail_user.sh:

mkdir -p $USER_HOME/usr/local/pgsql/lib
mkdir -p $USER_HOME/usr/share/terminfo/v
mkdir -p $USER_HOME/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE

pgsql/lib was for my postgres install. /usr/share/terminfo/v was so I could copy vt100's file in the terminfo area. This, plus another file in files.list got rid of the vt100 problem when using vi or commands like 'clear.' The perl5 directory was to clear up a 'not found' error that kept happening.

if [ ! -e $USER_HOME/$USER_HOME ]; then
        # Ok, we can't assume it's in /home, so create
        # all directory paths like before, then delete the users home
        # then create the symbolic link. If we didn't
        # create the full path first, there might be
        # missing directories if they've got a weird home path.
        mkdir -p $USER_HOME$USER_HOME
        rm -rf $USER_HOME$USER_HOME
        ln -sf .. $USER_HOME$USER_HOME
fi

There used to be a slash between the two USER_HOMEs that was causing a problem; also, the rm -rf line wasn't working at all before.

In files.list:

/usr/share/misc/termcap.db
/usr/share/terminfo/v/vt100
/usr/local/pgsql/lib/libpq.so.3
/bin/gunzip
/etc/termcap
/bin/more

The termcaps got rid of all vt100 problems and also made vi work beautifully again. 'more' and 'gunzip' I felt were necessary.

Looking good! Now all we need is for the system to run this automatically when we enable ssh for someone.

 

[SteveK42]

Also forgot to change $USER_HOME/$USER_HOME to leave out the slash; do this anywhere it appears. Since the user home will start with a slash, it's unecessary. My install was on RH9.

 

[SteveK42]

I also added these to files.list:

/usr/bin/top
/usr/bin/uptime

And then added this to jail_user.sh:

mkdir -p $USER_HOME/proc
mount -t proc proc $USER_HOME/proc

These were necessary for top and uptime to run. Other things also use proc, so I figured it'd make a good addition.

 

[SteveK42]

Just realized on the mounting of proc, the mount wont stay if you reboot...does this mean we'd need every user in /etc/fstab? If so, you can do this in jail_user.sh:

echo "none $USER_HOME/proc proc defaults 0 0" >> /etc/fstab

Not sure if this would work...any ideas?

 

[adam-pca]

Hi,

I noticed this is an issue constantly pushed back by DA, is there/will there be ANY update/implementation of this?

I hate to drag the issue back up, but it seems like if someone isn't publically displaying interest DA seems to think it's all fine and dandy to forget about it.

Thanks,
Adam

 

[hostpc.com]

Well, I hate to bring up an oldie like this thread, but I think we've got it nailed down finally. It's working fine on a test server that was _not_ updated, but I've got a couple issues on one with a new update.

One question for John and the DA guys... is there any chance that recent Apache upgrades, etc would interfere with this jail and your original scripts? If so, can these scripts be updated as well?

Thanks

Joe

 

[XereX]

Hate do do this....

****BUMP****

 

[sander815]

http://help.directadmin.com/item.php?id=90

beta

 

[DirectAdmin Support]

Hello,

Updaing apcahe would in fact overwrite the jail patch onto suexec. I'll look into adding a check for the jailed files during the apache update.. if they exist, it will re-patch apache.

John

 

[XereX]

Thanks, I didnt see that in my searches in the past few days...

-XereX

 

[thoroughfare]

Quick question... if system binaries etc are copied into the chroot directory to create an environment for the user, what do we do when those binaries are updated on the base system? Would hardlinking work?

Thanks,
Matt

 

[DirectAdmin Support]

I believe hard linking can work if the system files used in the users home are on the same partition .. I don't think hardlinking works across partitions.. but does work through jails.

To update any files for the current setup.. you can delete any binaries from within the jail and then rejailing the user should work. It will notice the missing file and copy it over.

John

 

[thoroughfare]

Thanks John - hardlinking would certainly save space, if it could work over partitions. Perhaps updating the binaries should be built in to the DirectAdmin jail mechanism, e.g. a switch in the jail.sh that deletes all binaries from all jails so that they're rebuilt.

Matt

 

[koh]

this doesnt work for apache 2?

 

[jjma]

Is this coming out of beta any time soon?

Jon

 

[nobaloney]

Thanks John - hardlinking would certainly save space, if it could work over partitions.

Hard links cannot work over partitions because here's how a hard link works:

When you create a file two things happen: The file is written to a location on the partition, and a directory entry is written that points to the location.

A hard link is simply another pointer. Because of the way the pointers are structured, they can't link to a different partition; they have no way in the structure to identify it.

Jeff

 

[ecsportal]

Using this on CentOS 4.3. Extensive testing .. So far working beautifully. I would like to see if DA still plans to support this in the future?

 

[felosi]

yes I think this feature would be good. I hate plesk, its horrible and slow but I did like the feature to choose which shell to give users