SSH / chroot / user jail - vaporware?
- Thread starter nekote
- Start date
ah24
Verified User
jail shell
i was testing jail on centos 4.4 and it working fine, i login to it without any problems, but im interesting how to add example mc on jailed shell, because on fresh install, mc and other appications does not working. How i make to add this to jailed shell?
i was testing jail on centos 4.4 and it working fine, i login to it without any problems, but im interesting how to add example mc on jailed shell, because on fresh install, mc and other appications does not working. How i make to add this to jailed shell?
- Joined
- Feb 27, 2003
- Messages
- 8,509
Add the full path to the program you wish to the /usr/local/directadmin/customapache/jail/files.list.
John
John
ah24
Verified User
hi ecsportal! i uninstall jail on user by delete this user and add the same new user. Only this way you can uninstall jail on user. i think so
sorry little mistake. in /etc/passwd is ususer with jail, just simple change it on normal password
Last edited:
ah24
Verified User
John, did You notify any problems with jail?
- Joined
- Feb 27, 2003
- Messages
- 8,509
We have not had any reports in quite a while.
John
John
ah24
Verified User
John I add full path to mc in /usr/local/directadmin/customapache/jail/files.list.
and i got this error:
*** err [lib/liblow.c(258)]:
checking tty name failed
Segmentation fault
No work has been done on jailing for a while. We're trying to nail out the bugs in the backup system and get a few more OS's released. We do have very primitive jail working, but it's missing things like the ability to send formmail with cgi scripts because the mailer is outside of the shell. There will be many issues like that, but it's still on the backburner. Another reason is because the demand that we see has slowed, but that's most likely due to patient people like yourself... at any rate, we really want to get it released, along with several other features/OS's, but there aren't enough hours in the day, so we need to prioritize.
John
Howabout hiring more staff, programmers? How many people actually work at DA? I heard it was 2. Surely, your making money arent you? I mean every DC iv seen is offering DA therefore you must have an income that can warrant continued production on DA in a faster manner by hiring addtional staff (programmers). Thats how a business works and how it grows. Overwhelming yourselves and stating you dont have enought time in the day, like all of us, is a crazy thing to say in my opinion. Time to look at getting some more people to Moderate on a technical level (sorry Jeff), support and most importantely handle the feature requests and continued development of this product.
hostpc.com
Verified User
I know I'm probably beating a dead horse, but got a couple of questions. We've modified this jailshell a bit, added other programs etc.
We're facing a couple of issues.
1. Users adding additional domains are not getting automatically jailed for that new domain. Can any type of check be implemented so thtat if a user adds a domain to their account (virtual) that the new domain will automatically get the environment set correctly?
SetEnv JAIL_DIR |HOME|
2. If a user is NOT using jailed SSH .. is there any advantage to using a SetEnv JAIL_DIR |HOME| directive for that user? I'm specifically thinking this might help avoid XSS attacks, bad php scripts, etc. Any chance that'd help prevent malicious attacks/scripts?
Thanks
We're facing a couple of issues.
1. Users adding additional domains are not getting automatically jailed for that new domain. Can any type of check be implemented so thtat if a user adds a domain to their account (virtual) that the new domain will automatically get the environment set correctly?
SetEnv JAIL_DIR |HOME|
2. If a user is NOT using jailed SSH .. is there any advantage to using a SetEnv JAIL_DIR |HOME| directive for that user? I'm specifically thinking this might help avoid XSS attacks, bad php scripts, etc. Any chance that'd help prevent malicious attacks/scripts?
Thanks
- Joined
- Feb 27, 2003
- Messages
- 8,509
Hello,
1) The domain_create_post.sh should be handling that.. check for the line:
which should add the SetEnv bit to /usr/local/directadmin/data/users/username/domains/domain.com.cust_httpd ... so also check teh cust_httpd file to see if it's being added.
2) The jail with the SetEnv only applies to scripts run through suexec. mod_php is not run through suexec, so php scripts are not jailed. Suexec really only applies to the cgi-bin folder. Php scripts can be run through suexec if they have #!/usr/local/bin/php at the top line of the file, exist in the cgi-bin file and handle all environmental varibles correct.. because cgi-bin folders are not handed the formated variables as they are in mod_php. A better solution for php is suPhp (custombuild), as I believe it does have jailing for php correctly.
John
1) The domain_create_post.sh should be handling that.. check for the line:
Code:
echo "SetEnv JAIL_DIR |HOME|" > /usr/local/directadmin/data/users/${username}/domains/${domain}.cust_httpd2) The jail with the SetEnv only applies to scripts run through suexec. mod_php is not run through suexec, so php scripts are not jailed. Suexec really only applies to the cgi-bin folder. Php scripts can be run through suexec if they have #!/usr/local/bin/php at the top line of the file, exist in the cgi-bin file and handle all environmental varibles correct.. because cgi-bin folders are not handed the formated variables as they are in mod_php. A better solution for php is suPhp (custombuild), as I believe it does have jailing for php correctly.
John
hostpc.com
Verified User
Thanks for the fast responses.... DA RockS!
Henrik, you will be able to use "./build all_jail" to build everything, it will add patched suexec file to Apache using "./build apache" (if jail=yes is set in the options.conf file). And yes, it will work with Apache 2.x.