SSH / chroot / user jail - vaporware?

[smtalk]

It jails SSH and CGI.

 

[hostpc.com]

Any update on the release of this?

I know, I know, I'm impatient ... life on the edge, what can I say

 

[hostpc.com]

Hello,

1) The domain_create_post.sh should be handling that.. check for the line:

echo "SetEnv JAIL_DIR |HOME|" > /usr/local/directadmin/data/users/${username}/domains/${domain}.cust_httpd

which should add the SetEnv bit to /usr/local/directadmin/data/users/username/domains/domain.com.cust_httpd ... so also check teh cust_httpd file to see if it's being added.

2) The jail with the SetEnv only applies to scripts run through suexec. mod_php is not run through suexec, so php scripts are not jailed. Suexec really only applies to the cgi-bin folder. Php scripts can be run through suexec if they have #!/usr/local/bin/php at the top line of the file, exist in the cgi-bin file and handle all environmental varibles correct.. because cgi-bin folders are not handed the formated variables as they are in mod_php. A better solution for php is suPhp (custombuild), as I believe it does have jailing for php correctly.

John

I absolutely **HATE** suexec ... every dang file gets treated as a CGI process which kills server resources. I know, I know, pro's and con's - but in my mind, there's more con's than pro's - can anyone convince me otherwise? I'm always open to hearing both sides of the argument.

 

[smtalk]

Joseph, no release date is set But you can find the test files here: http://files.directadmin.com/services/custombuild/jail/cbtest/.

 

[zaphod]

I absolutely **HATE** suexec ... every dang file gets treated as a CGI process which kills server resources. I know, I know, pro's and con's - but in my mind, there's more con's than pro's - can anyone convince me otherwise? I'm always open to hearing both sides of the argument.

I guess it depends on whether you have control over what goes on the server or not, and how quickly you update things like PHP when there is a vulnerability.

Case 1: PHP Vulnerability
Unjailed - If you don't update right away, then a PHP vulnerability with safe_mode or open_basedir (and there have been many over the years) can effect all sites on the server by just exploiting one site.

Jailed - it effects one site, and is contained to just that site (giving you time to fix the problem).

Case 2: Client installs exploitable package
Unjailed - could lead to complete compromise of the server.

Jailed - it effects one site, and is contained to just that site.


For a small decrease in performance (usually not that noticeable for most sites, realistically), that seems like a big pro, and a small con, from where I sit.

I absolutely **HATE** having a server owned.

(Yes, it's only one part of the bigger security picture, but it can be a good first step in reducing the effects felt by a compromise of a particular site)

 

[zaphod]

(Exchange PHP with Perl, or another package run as CGI. I realize that suPHP is likely the better way to jail PHP scripts)

 

[Afonso]

In a jailed environment, does the files .bashrc, .bash_profile, .profile /home/jailed_user/etc/profile, or others are taken into account?

I was trying to change the user's prompt but I didn't find a way...

If I manually
export PS1='\[\033[01;31m\]\u@\h \[\033[01;34m\]\W \$ \[\033[00m\]'
it just works!