What does the "jailed home" option do exactly?

[Richard G]

I've just seen a "jailed home" option in user packages. Probably only for modern licenses, not sure.
I know about jail shell for SSH, is that the same option? Or does the "jailed home" do something different?
Does the "jailed home" prevent users to go outside their home directory with for example php scripts to read other users directory's? Because I thought the "open basedir" protection took care of that.

 

[zEitEr]

Rebranded new old feature)

 

[Richard G]

So it's the old "jail shell for SSH?" feature then I presume? Or another old rebranded new ... well.... LoL

 

[zEitEr]

Whatever you like more. Anyway it is just jail=yes|no in user.conf.

 

[Richard G]

Whatever you like more.

I don't mind which one. I just would like to know if this is only for SSH or also for scripts.
And if it's also for scripts, then I wonder what the difference is between jailed home and "open basedir" protection.
That's what confuses me a little.

 

[zEitEr]

PHP-FPM does honour open basedir restrictions: https://www.php.net/manual/en/ini.core.php#ini.open-basedir
It will be tricky to put PHP-FPM into a jail on a shared hosting server. But PHP CLI will be jailed if a user is configured to use a jailed shell.

 

[Ohm J]

Jailshell have the background script protection.


Example cli: "php -q 1.php"

#1.php

exec("php 2.php &");

#2.php

sleep(999999999);

If no jailshell, "2.php" will run forever. If jailshell enable, 2.php and any child process will terminate after "1.php" done.

To let jailshell working with background. you need to (sleep forever at 1.php too).


This will make it easy tracking the script if one of the user have malware executing via cli / cron.

 

[Richard G]

Thanks for the explanation both but it's even more confusing for me now. Let me ask another way.

So Alex says it's tricky to use jailshell when using php-fpm if I understand correctly.
None of my users will have SSH acces anyway.

Open basedir restrictions are in effect.

So if no users have SSH access, and Open Basedir protection is in effect, is it wise to also enable jailshell too, or if it's more safe to -not- do that in a php-fpm environment? Or not required in php-fpm environment?

 

[Ohm J]

@Richard G
Not required and conflic with jailshell mechanism, because there have it own process management and secure enought.

 

[Richard G]

Ok so best is to leave it disabled in php-fpm and no users with SSH situation. Thank you!

Is there an easy way to remove it in case other admin sets it active by accident? Except disabling it from package? Or no removing required?

 

[Ohm J]

@Richard G
Don't worry, jailshell still not implemented in php-fpm process. Even ssh disable, it's still working for cronjob or other service that have integration from DA Dev.

 

[zEitEr]

So Alex says it's tricky to use jailshell when using php-fpm if I understand correctly.

A little bit different. You can use jailshell even with PHP-FPM. I was referring to the fact, that directadmin does not put PHP-FPM into a jail. Otherwise it would need to create separate instances for PHP-FPM per user, instead of using pools. Correct me if I'm wrong here)