View Full Version : SSH / chroot / user jail - vaporware?
nekote
02-14-2004, 10:09 AM
Sorry to be grumpy.
SSH / chroot / user jail was supposed to happen, "soon", wasn't it?
As a lowly reseller & user, I'm still waiting for Putty SSH ability, right?
Have I missed something important, maybe?
OK, everything always takes longer.
But, come on, how many months has it been?
Is this going to get done?
When?
What is it going to take to have sufficient priority to insure it gets done?
Grumpy, gumble, murmur, mumble, grrr, klasdjklfsdakljlk;afsk
Please accept this grousing from a respectful kindred spirit who has been there / done that.
What's the straight poop???
DirectAdmin Sales
02-14-2004, 02:11 PM
Straight poop:
We've been quiet about it, but I will say that programming is complete for jailing at all levels. It's a major system change so it's something we refuse to rush into.
We've also been quite busy, especially with the FreeBSD development and now Fedora / Enterprise. That's on top of the regular support tasks, sales tasks, etc. See:
http://www.directadmin.com/versions.php
:D
It's coming!
Mark
nekote
02-14-2004, 02:57 PM
It's coming!
Yea, so is New Year's.
But really, what target do you have penciled in?
By the end of February?
Shooting for mid-March, but definitely by end-March?
I know the swamp rises and falls.
And that the crocs and 'gators are tough, hungry dudes.
We talkin' 'bout trying to make the summer?
S2S-Robert
02-14-2004, 04:09 PM
You're grumpy but very funny being so :D
nekote
02-15-2004, 02:24 AM
You're grumpy but very funny being so :D
Yea, well, like I said - been there, done that.
I'm sure DirectAdmin doesn't need some 2 bit bystander carping and bitching at them.
That BS never helped me.
But, it has had the effect of reminding me and re-focusing me on finishing getting that sucker nailed down and forced into the "can", such that life can go on, so to speak.
What is truly necessary and remains to be done?
What's it gonna' take / have to be different / deferred / postponed / lowered in priority in order to have enough resources (person hours) to actually make it happen?
And all the while remembering that old maxim:
Adding more people to a late software project makes it later.
IMHO: The really helpful thing to do is to remove other distractions / responsibilities from those already doing the work, so they can concentrate their time more effectively.
nekote
02-15-2004, 02:33 AM
Assigning / hiring others to spend time and effort on filtering and handling those things that don't absolutely need the team's direct attention ?
Say, like, by not spending as much (any?) time reading or responding to posts by 2 bit bystanders, like (errr, Ahem, cough cough) me?
Icheb
02-15-2004, 03:30 AM
Originally posted by nekote
Say, like, by not spending as much (any?) time reading or responding to posts by 2 bit bystanders, like (errr, Ahem, cough cough) me?
I partially agree with you, the chroot for SSH has been postponed (that correct english ?) a few times, and I'd like to see it before the summer if possible.
But I believe what really adds value to DA is that the persons responsible for making it actually are the persons who respond to help requests, feature requests etc. This way DA has a bit more of a personal support level than, for example, cPanel. Granted, cPanel has forums, but as far as I know the original creators of cPanel don't read those forums much.
At the moment server 2 server transfers, backup stuff and Fedora support has a higher priority, I respect that, since I also would like these features in the near future. Chrooted SSH is also on my list of features I'd like to see, but I'd rather see server 2 server and complete backups instead of chrooted SSH...
nekote
02-15-2004, 09:30 AM
yep, I gotta' agree.
Absolutely everybody (that wants something) is going to have their own "highest priority" list of what to do, next. Me, me, me. :)
And I agree - Personal responses by the people who do the work is very highly satisfying - both for the poster and the responder. Certainly one of the joys in my life - knowing I'm making a difference.
That's certainly at the bottom of *my* list of desirables to lose.
But, if something's gotta' go, in order to make something else possible, I'm willing to "volunteer" something that I highly value for something I value even more.
I've had my 2¢.
And I have been heard.
Thanks for considering my request / point of view.
ProHS
02-17-2004, 12:38 AM
Well, it sounds like you're not understanding John, so I will put my input in. Jailed SSH he does not want to rush into because he does not want exploits, bugs and so on found by lamers that would give the ability to find a way to run services and so on. I also want Jailed SSH, but I will wait until he gets it pretty much perfect. Actually, one of my customers wants DA to get it done really bad also.
nekote
03-27-2004, 11:48 PM
First post in this thread was 2/17.
That was after about 6 months or so of patience.
Another month has passed.
Considering how much progress was made in a month, versus how much more still needs to be done, is there a realistic estimate of when this will finally be available?
TIA
DirectAdmin Support
03-28-2004, 02:06 PM
No work has been done on jailing for a while. We're trying to nail out the bugs in the backup system and get a few more OS's released. We do have very primitive jail working, but it's missing things like the ability to send formmail with cgi scripts because the mailer is outside of the shell. There will be many issues like that, but it's still on the backburner. Another reason is because the demand that we see has slowed, but that's most likely due to patient people like yourself :) ... at any rate, we really want to get it released, along with several other features/OS's, but there aren't enough hours in the day, so we need to prioritize.
John
Icheb
03-29-2004, 06:15 AM
John; you sound like your company is, uhhm, having some problems with the number of people working there. Wouldn't this qualify to start looking for a new programmer or something to strengthen your team ?
Note: as the rest of you all; still waiting... ;)
For what it's worth, I'm very interested in moving from Ensim to DirectAdmin. However, I won't do so unless and until there is at least a jailed shell, or (preferably) chroot support.
Just thought it might be worth hearing from a lurker/potential customer who is considering DA.
I'm guessing I'm not the only one you have never heard from, but who would be interested in DA if it weren't for the lack of this feature.
ProWebUK
04-02-2004, 03:41 PM
For those desperate for chroot and jailing, you could temporarily use a grsec patched kernel to allow it...
Chris
thoroughfare
04-02-2004, 04:17 PM
I've run a GRSec kernel set to medium security with DA and RH9 for a few weeks on a production server with no problems whatsoever, if that helps.
Matt
Dixiesys
04-07-2004, 01:09 PM
Originally posted by thoroughfare
I've run a GRSec kernel set to medium security with DA and RH9 for a few weeks on a production server with no problems whatsoever, if that helps.
Matt
Got more info on this? What OS? Redhat 9? is there an easily attainable RPM for this kernel or does it require compiling?
Jailed SSH is a HUGE concern for me. I haven't mentioned it in a while, mainly because I didn't figure it'd help to keep screaming about it, but I don't want the DA team to think interest is waning...
thoroughfare
04-07-2004, 01:57 PM
Redhat 9. It's a kernel patch, you'd need to recompile your kernel. I have GRSecurity set to medium setting and it's caused no problems. I haven't set up ACLs yet. www.grsecurity.net
HTH,
Matt :)
Dixiesys
04-28-2004, 09:40 AM
http://forum.ev1servers.net/showthread.php?s=&threadid=11858&perpage=25&pagenumber=2
Lack of jail cited as a reason for not giving DA a chance (right before he accuses me of being a shill for Directadmin, funny stuff).
Just an FYI to the DA devs, jailed cgi/ssh is a huge concern whether people are mentioning it much here or not, I know of several people who've basically said "until the user environment is jailed in some way I won't even consider it".
maeltor
05-18-2004, 08:23 AM
Almost another month.
Any word? Waiting patiently ...
:confused:
nekote
05-18-2004, 08:33 AM
Yea, yea, yea.
Grumble, grumble, grumble.
First post in this thread was February, 2004.
And that was after 6 months of waiting silently.
Now heading for June (2004).
Grumble, grumble, grumble.
Given up on planning to offer SSH / chroot / user jail ?
Just too tough?
Gonna' be available, "tomorrow" ?
Got any schedule penciled in?
Something we could take to the bank?
Sorry to still be carping and bitching from the peanut gallery.
Best of Luck.
nekote
05-31-2004, 10:31 PM
Just a frustrated reminder.
Another month has passed.
Sigh.
How time flies, when you're having fun.
maeltor
06-01-2004, 03:10 PM
Indeed...
thoroughfare
06-10-2004, 02:39 PM
Is the jail ready to be released as a beta version of DA for people who want to test it?
Thanks,
Matt
hostpc.com
06-10-2004, 04:01 PM
Another month - another bump to catch John's attention :)
Originally posted by DirectAdmin Sales
Straight poop:
We've been quiet about it, but I will say that programming is complete for jailing at all levels. It's a major system change so it's something we refuse to rush into.
We've also been quite busy, especially with the FreeBSD development and now Fedora / Enterprise. That's on top of the regular support tasks, sales tasks, etc. See:
http://www.directadmin.com/versions.php
:D
It's coming!
Mark
Okay guys. It has been almost 5 months (the above originally posted on 02-14-2004 03:11 PM) since Mark posted the above. I am getting clients who WANT to move to DA but NEED SSH access. Can we PLEASE get an update on the progress of this important feature?? PLEASE???
UltimeWWW
06-11-2004, 07:41 AM
Well, we don't give SSH access, and we won't with the jail either, so it isn't a problem. Customers can use the File Manager to do most of the things they "want" to do in SSH (chmod, chown), so it isn't a problem.
I suggest not giving customers SSH access...not a good idea.
thoroughfare
06-11-2004, 07:48 AM
The chroot isn't just for SSH.
It improves the security of many other things (PHP, CGI, etc).
Matt :)
thoroughfare
06-11-2004, 05:15 PM
John? :confused:
Matt :cool:
l0rdphi1
06-11-2004, 05:38 PM
Mark is out for the week so John is busy with support email.
Post support@ an email if you want to bring this to John's attention. :)
Phi1.
thoroughfare
06-11-2004, 05:43 PM
Ah ok, I'll give him a break for a week :)
Matt
hostpc.com
06-20-2004, 08:04 PM
Ok, week is up... any word from DA on this issue? John? Matt? Fido?
thoroughfare
06-20-2004, 11:46 PM
I second that notion :)
thoroughfare
06-21-2004, 10:44 AM
Pretty please?
Matt :D
Dixiesys
06-22-2004, 05:26 PM
With sugar on top? and a cherry?
Jailed CGI/SSH is really the only missing feature I'd consider "important enough to ask for".
While we're at it, phpsuexec would be nice _as an option_; however, there may already be instructions on this somewhere. I only recently got the idea to check into this; I'll be searching after I post :D
thoroughfare
06-22-2004, 05:37 PM
It's a how-to in the forum already I think :)
A response from DA would be great on chrooting tho please :)
Matt
Anzix
06-24-2004, 01:40 AM
I need this feature to allow my clients to have Jailed SSH to their game servers. As a lot of other server companies offer it, it would give users more of an incentive to join the company.
thoroughfare
06-24-2004, 05:34 AM
John? Please? Just an update?
Matt :)
DirectAdmin Sales
06-24-2004, 08:30 AM
Hi everyone,
We *will* be releasing jailing with our new reseller system. We have quite a few large companies waiting for the jailing feature, and without that reseller system we would be overwhelmed by the amount of new licenses generated.
Resellers will receive DirectAdmin licenses at heavy discounts and in return are responsible for offering technical support on them. All customers, both internal and external, would purchase from resellers. We would still provide the option to purchase directly from us, but the cost would be higher.
We hope to have the reseller system functional within a month, and we already have a list of people qualified to be resellers.
I know you guys have been waiting for a while, and we normally like shooting out features as fast as possible. But, we must balance that demand with being able to offer general support at the same time.
On the bright side, watch the announcements forum, as the beta testing will begin in less than 2 weeks (yes, you can hold us to that!). :D
Mark
thoroughfare
06-24-2004, 12:01 PM
Yeeeaaaay :D
Matt
thoroughfare
06-24-2004, 12:05 PM
Actually Mark - with the new expansion of DA etc, will you be hiring another developer?
As I understand it, there's only John who actually codes DA. If he suddenly became involved in a car accident or for some reason was unable to work on DA, we'd all be screwed. For John's sake alone, I hope nothing like that happens... but it kinda makes you think.
Is there any kind of backup plan in place?
Matt :)
DirectAdmin Sales
06-24-2004, 09:55 PM
We definitely have backup plans. :D We do have other coders available locally if some emergency did come up.
Hired help would also take the form of local employees, as there are security issues of course (not only protecting our source code, but making sure nobody harms our customers' systems either).
Mark
DirectAdmin Support
07-06-2004, 11:24 AM
Hi Guys,
Ok, here we go :)
I'll classify this as pre-beta.. alpha even.. I have tested it somewhat, but there are so many areas that this script will touch that we can only assume it won't be perfect straight out of the gates.
I'll also ask that all "issues" with it get posted back here and not emailed to us so that we don't get duplicate support requests piled up in our inbox :)
Also note that there is no jailing interface for DA at this time, and all jailed users will need to be done manually by running a script for each one (you could actually add it to the user_create_post.sh script, but I'll let you guys figure that out)
Installation of the jailing scripts and patches:
cd /usr/local/directadmin/customapache
mkdir jail
cd jail
wget http://files.directadmin.com/services/customapache/jail/build
chmod 755 build
./build update
./build all
That should get the new files, patch apache and build a few programs.
Once that's all good and ready, I recommend you backup /etc/passwd, /etc/shadow, /etc/group, and /etc/master.passwd (if you have it), just for safety measures ;)
To jail a particular user, first create him through DA, and make sure he has SSH enabled. This will add all required lines to the sshd_config file. Once created and ssh is enabled, you can then setup the jailing environment:
cd /usr/local/directadmin/customapache/jail
./jail_user.sh username
That should setup the environment and also setup the jailed shell.
If you want them to have Jailed CGI, then you need to add some code to their httpd.conf. Go to Admin Panel -> Admin Settings -> Custom httpd configurations -> domain.com (for each of their domains) and add:
SetEnv JAIL_DIR |HOME|
PHP (when run as apache) isn't jailed like cgi is, but with the open_basedir function, it should help tighten things up.
I've included nbsmtp as a replacement for sendmail inside the jail which basically just connects to port 25 to send email through the regular exim.
I expect it not to be perfect at this point, but it should be functional at least. :)
John
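An added example, not DirectAdmin's code or John's jail_user.sh, of the user_create_post.sh automation John leaves to the reader: a hook that takes the passwd/shadow/group backup he recommends and then runs jail_user.sh for each new account that has SSH turned on. It assumes DirectAdmin hands the hook the new account's name as username and its shell setting as ssh (ON or OFF) in the environment; the log and backup locations are invented for the example, and the name check refuses anything that is not a plain lowercase account name before it reaches a root-run script.

```shell
#!/bin/sh
# Hypothetical /usr/local/directadmin/scripts/custom/user_create_post.sh
# (an added example, not DirectAdmin's own hook). Assumes DA exports the new
# account's name as $username and its shell setting as $ssh ("ON"/"OFF");
# the log and backup locations below are chosen for this example.

JAIL_DIR=/usr/local/directadmin/customapache/jail
BACKUP_ROOT=/root/jail-backups
LOG=/var/log/directadmin/jail_user.log

# Accept only lowercase alphanumeric names (plus underscore): the value is
# handed to a root-run script, so anything with slashes, spaces or a leading
# dash is refused instead of interpreted.
valid_username() {
    case "$1" in
        '' | *[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Jail only accounts whose shell access DA actually switched on.
should_jail() {
    [ "$1" = "ON" ]
}

# Copy the account databases that exist into a fresh, root-only directory
# before jail_user.sh edits anything. Usage: backup_account_files DEST FILE...
# Prints the directory it created.
backup_account_files() {
    dest="$1/$(date +%Y%m%d-%H%M%S)"
    shift
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1
    for f in "$@"; do
        [ -f "$f" ] && cp -p "$f" "$dest/"
    done
    echo "$dest"
}

# Jail one account: refuse odd names, snapshot passwd/shadow/group
# (and master.passwd on FreeBSD), then run the thread's jail_user.sh.
jail_new_user() {
    name="$1"
    flag="$2"
    if ! should_jail "$flag"; then
        echo "$name: ssh is $flag, not jailing" >>"$LOG"
        return 0
    fi
    if ! valid_username "$name"; then
        echo "refusing to jail suspicious username: $name" >>"$LOG"
        return 1
    fi
    backup_account_files "$BACKUP_ROOT" /etc/passwd /etc/shadow /etc/group /etc/master.passwd >>"$LOG" || return 1
    if (cd "$JAIL_DIR" && ./jail_user.sh "$name") >>"$LOG" 2>&1; then
        echo "$name: jailed" >>"$LOG"
    else
        echo "$name: jail_user.sh failed" >>"$LOG"
        return 1
    fi
}

# DirectAdmin runs this file with $username set; when it is sourced or
# run by hand without one, nothing is touched.
if [ -n "${username:-}" ]; then
    jail_new_user "$username" "${ssh:-OFF}"
fi
```

Install it as /usr/local/directadmin/scripts/custom/user_create_post.sh (the location interfasys names later in the thread) and make it executable; every run, success or refusal, leaves a line in the log so an account that was created but not jailed is visible.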
blueice
07-06-2004, 11:26 AM
Originally posted by DirectAdmin Support
Hi Guys,
Ok, here we go :)
I'll classify this as pre-beta.. alpha even.. I have tested it somewhat, but there are so many areas that this script will touch that we can only assume it won't be perfect straight out of the gates.
I'll also ask that all "issues" with it get posted back here and not emailed to us so that we don't get duplicate support requests piled up in our inbox :)
Also note that there is no jailing interface for DA at this time, and all jailed users will need to be done manually by running a script for each one (you could actually add it to the user_create_post.sh script, but I'll let you guys figure that out)
Installation of the jailing scripts and patches:
cd /usr/local/directadmin/customapache
mkdir jail
cd jail
wget http://files.directadmin.com/services/customapache/jail/build
chmod 755 build
./build update
./build all
That should get the new files, patch apache and build a few programs.
Once that's all good and ready, I recommend you backup /etc/passwd, /etc/shadow, /etc/group, and /etc/master.passwd (if you have it), just for safety measures ;)
To jail a particular user, first create him through DA, and make sure he has SSH enabled. This will add all required lines to the sshd_config file. Once created and ssh is enabled, you can then setup the jailing environment:
cd /usr/local/directadmin/customapache/jail
./jail_user.sh username
That should setup the environment and also setup the jailed shell.
If you want them to have Jailed CGI, then you need to add some code to their httpd.conf. Go to Admin Panel -> Admin Settings -> Custom httpd configurations -> domain.com (for each of their domains) and add:
SetEnv JAIL_DIR |HOME|
PHP (when run as apache) isn't jailed like cgi is, but with the open_basedir function, it should help tighten things up.
I've included nbsmtp as a replacement for sendmail inside the jail which basically just connects to port 25 to send email through the regular exim.
I expect it not to be perfect at this point, but it should be functional at least. :)
John
This is very good :)
Is this working in FreeBSD too (both versions), or only in RedHat?
DirectAdmin Support
07-06-2004, 11:29 AM
FreeBSD and RedHat :)
testing is required for both.
John
thoroughfare
07-09-2004, 09:14 AM
Originally posted by DirectAdmin Support
PHP (when run as apache) isn't jailed like cgi is, but with the open_basedir function, it should help tighten things up.
I thought if each user was chrooted to their home directory and jailed in there, it would mean that anything they use (such as Apache/PHP) would also be limited to their jail?
Thanks,
Matt :)
Dixiesys
07-09-2004, 10:01 AM
The user doesn't run apache - the server does, so apache itself isn't chrooted.
Using open_basedir or safe mode helps; you can also use phpsu, and then php does run much like CGI perl will (or should be).
I'm hoping to try this jail out soon and report back.
thoroughfare
07-09-2004, 10:10 AM
Oh, I thought Apache would be sort of chrooted into the user dir too... I guess that's not possible though?
So the jail is mainly for giving more secure SSH access to users?
Thanks,
Matt
thoroughfare
07-15-2004, 11:31 AM
*bump*
PS Has anyone started testing the jail yet?
Matt
thuskey
07-15-2004, 12:53 PM
First time I've seen this thread. I'll volunteer to test.
thuskey
07-15-2004, 01:16 PM
Install went very clean, jailed first user and logged in ok, it is definitely jailed. Still testing further.
thuskey
07-15-2004, 01:23 PM
Directory structure is a bit screwy: domains, mail and public_html rightfully belong under the jailed home/huskey12 directory and not under the jail root. Of course I'm sure that was intentional due to docroot being defined as "DocumentRoot /home/huskey12/domains/huskeyenterprises.com/public_html", which won't change until an interface is added to DirectAdmin to jail a user.
[root@taz huskey12]# pwd
/home/huskey12
[root@taz huskey12]# ls -al
total 60
drwx--x--x 9 huskey12 huskey12 4096 Jul 15 16:00 .
drwxr-xr-x 35 root root 4096 Jul 13 15:16 ..
-rw-r--r-- 1 huskey12 huskey12 24 Apr 19 08:31 .bash_logout
-rw-r--r-- 1 huskey12 huskey12 191 Apr 19 08:31 .bash_profile
-rw-r--r-- 1 huskey12 huskey12 124 Apr 19 08:31 .bashrc
drwxr-xr-x 2 root root 4096 Jul 15 16:07 bin
drwx--x--x 6 huskey12 huskey12 4096 Apr 19 08:31 domains
-rw-r--r-- 1 huskey12 huskey12 847 Apr 19 08:31 .emacs
drwxr-xr-x 3 root root 4096 Jul 15 16:07 etc
-rw-r--r-- 1 huskey12 huskey12 120 Apr 19 08:31 .gtkrc
drwxr-xr-x 3 root root 4096 Jul 15 16:00 home
drwxr-xr-x 3 root root 4096 Jul 15 16:00 lib
drwx------ 2 huskey12 huskey12 4096 Apr 19 08:31 mail
lrwxrwxrwx 1 huskey12 huskey12 43 Apr 19 08:31 public_html -> ./domains/huskeyenterprises.com/public_html
-rw-r----- 1 huskey12 mail 13 Jul 15 16:00 .shadow
drwxr-xr-x 9 root root 4096 Jul 15 16:00 usr
Icheb
07-16-2004, 03:05 AM
Originally posted by thuskey
If anyone would like to login, test their cgi's for jail compliance, try to break out of jail or whatever please do.
Server: testbox.my1host.com
Service/Port: SSH/22
Login: huskey12
Password: abc123
note, php open_basedir is currently commented out in the users apache config. Let me know if your testing requires turning it on.
I think someone got it; can't connect to the server...
I was hoping to do some tests with compiling and running applications (while no longer logged in). ;)
thuskey
07-16-2004, 07:32 PM
if necessary, try the ip address: 66.246.169.144. I run portsentry on all my servers so don't screw up and try to telnet in first because iptables will block you out. If this happens, drop me your IP address via PM and I'll remove it from the block list.
Icheb
07-17-2004, 02:45 AM
Originally posted by thuskey
if necessary, try the ip address: 66.246.169.144. I run portsentry on all my servers so don't screw up and try to telnet in first because iptables will block you out. If this happens, drop me your IP address via PM and I'll remove it from the block list.
Thanks :)
Uhhm, this is a really limited shell...
Compiler can't be found, dig doesn't work, ping doesn't work; all I could find without a problem is a php executable.
Didn't even try to get programs to run with the shell. It's really limited :D
I only forgot to try mysql client and wget.
(and tar)...
But I presume they aren't working.
It's almost perfect so far, just need a few more permissions until it's good enough to use in a production environment.
Oh by the way: did anyone try to gain root from the chrooted environment ?
Semi edit:
-/bin/bash-2.05b$ uname -a
-/bin/bash: uname: command not found
-/bin/bash-2.05b$ mysql -v
ERROR 2002: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
-/bin/bash-2.05b$ wget --help
-/bin/bash: wget: command not found
-/bin/bash-2.05b$
This way users can't do anything, just like we want it :D
Is it me, or is the Vi installation acting up a bit ?
Commands don't seem to work the way they should...
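Icheb asks above whether anyone tried to gain root from inside the chrooted environment. As an added example (not from the thread or from DirectAdmin's scripts), this is the check an administrator would run over a jail root before handing it to users: it lists setuid/setgid files, device nodes and world-writable directories without the sticky bit, the things a populated chroot should not contain, and returns non-zero if it finds any. The layout it walks (bin, etc, lib, usr under the user's home) is the one thuskey's listing shows; the jail path in the usage line is an example value.

```shell
#!/bin/sh
# Audit a jail root for things a chroot should never contain (added example,
# not part of the thread's scripts). Prints KIND<tab>path per finding and
# returns 1 if anything was found, 0 if the jail looks clean.
# Usage: audit_jail /home/huskey12

# Print every line of $2 prefixed with the finding kind $1.
# Returns 1 when there is nothing to report.
report() {
    kind="$1"
    paths="$2"
    [ -n "$paths" ] || return 1
    printf '%s\n' "$paths" | while IFS= read -r p; do
        printf '%s\t%s\n' "$kind" "$p"
    done
}

audit_jail() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "no such jail root: $root" >&2
        return 2
    fi
    found=0
    # setuid/setgid files run with privileges the jailed account does not
    # have; the copies of bash, ls and vi in a jail need none of them.
    report SETID "$(find "$root" -type f \( -perm -4000 -o -perm -2000 \))" && found=1
    # device nodes expose the host's disks, memory and terminals from inside.
    report DEVICE "$(find "$root" \( -type b -o -type c \))" && found=1
    # world-writable directories without the sticky bit let the jailed user
    # replace files that other processes (CGI, cron) in the jail will run.
    report WORLD_WRITABLE_DIR "$(find "$root" -type d -perm -0002 ! -perm -1000)" && found=1
    return $found
}
```

A clean result is the baseline; rerun it after every change to files.list, since a newly added program brings its own permission bits with it.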
Peter Verrill
07-17-2004, 03:02 AM
Not sure if this is a problem but got this when creating a user:
cp: cannot create regular file `/home/voiceofuk/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE/libperl.so': No such file or directory
Also, the users are being jailed to /home/USER/home/USER :confused:
Shouldn't it be /home/USER ?
thuskey
07-17-2004, 07:55 AM
Originally posted by Peter Verrill
Not sure if this is a problem but got this when creating a user:
cp: cannot create regular file `/home/voiceofuk/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE/libperl.so': No such file or directory
does /usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE/libperl.so exist on your server?
Peter Verrill
07-17-2004, 07:57 AM
Yea, it's there.
Hmm, It looks like the file was created though. I never looked before...
thuskey
07-17-2004, 08:25 AM
Originally posted by Peter Verrill
Also, the users are being jailed to /home/USER/home/USER :confused:
Shouldn't it be /home/USER ?
Only root sees /home/user/home/user/, the user actually sees /home/user/ only, which is similar to the way most all jail setups work.
The only major change I would make, would probably be to put them in directories like:
/home/reseller/home/reseller/domains/
/home/reseller/home/reseller/mail/
/home/reseller/home/reseller/public_html/
/home/reseller/home/user1/domains/
/home/reseller/home/user1/mail/
/home/reseller/home/user1/public_html/
with all file and directory permissions looking something like this draft model, from the root users point of view:
drwx------ reseller:reseller /home/reseller
drwxr-xr-x reseller:reseller /home/reseller/home
drwxrwx--- reseller:reseller /home/reseller/home/reseller/
drwxrwx--- user1:user1 /home/reseller/home/user1
drwxrwx--- user2:user2 /home/reseller/home/user2
drwxrwx--- user3:user3 /home/reseller/home/user3
Then the reseller would be a member of the groups: reseller user1 user2 user3, giving them power to assist their users when needed.
Peter Verrill
07-17-2004, 08:34 AM
Yea, that makes sense.
When I first logged in with a test account I created, the full system path was:
/home/user/home/user (/home/user to the jailed user)
and I had to use cd / to get to /home/user (/ to the jailed user).
I guess what I'm trying to say is: why isn't the main path /home/user (as opposed to /home/user/home/user)? Just makes more sense to me.
thuskey
07-17-2004, 08:49 AM
Originally posted by Peter Verrill
Yea, that makes sense.
When I first logged in with a test account I created, the full system path was:
/home/user/home/user (/home/user to the jailed user)
and I had to use cd / to get to /home/user (/ to the jailed user).
I guess what I'm trying to say is: why isn't the main path /home/user (as opposed to /home/user/home/user)? Just makes more sense to me.
You're right, it makes a whole lot of sense, since public_html, domains, and mail all reside at /home/user and not at /home/user/home/user. But would it make more sense to you if it looked more like this to the root user:
/home/user/
/home/user/bin/
/home/user/etc/
/home/user/lib/
/home/user/usr/
/home/user/home/user/domains/
/home/user/home/user/mail/
/home/user/home/user/public_html/
and this to the jailed user:
/
/bin/
/etc/
/lib/
/usr/
/home/user/domains/
/home/user/mail/
/home/user/public_html/
... hey, I just logged in and confused myself. /home/huskey12 was empty; forgot all those files currently exist in jailroot :)
Peter Verrill
07-17-2004, 08:53 AM
Yea, it would make sense if it looked like that, but currently, doesn't:p
DirectAdmin Support
07-19-2004, 02:51 PM
Hi Guys :)
Thanks for testing it out. The jail wrapper doesn't seem to be able to handle all shell functions. Like in vi, the arrows don't work, so you need to use hjkl to move around.
Not sure about the perl thing. The jail_user.sh script calls "ldd" on each file in files.list (list of files you want in the jail). This allows you to add/remove files you want to be added to the jail to new jails, without worry of breaking library dependencies.
John
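John's note that jail_user.sh runs ldd over every entry in files.list describes the standard way a chroot is populated. The following is an added example of that technique, written for this thread and not DirectAdmin's own script: it parses ldd's output into library paths and copies each listed program plus its libraries under the jail root. The files.list format (one absolute path per line, comments starting with #) is an assumption of the example, as is the jail path in the usage line.

```shell
#!/bin/sh
# Populate a jail root from a files.list the way John describes: copy each
# listed program, then copy every shared library ldd reports for it so the
# copies keep working. Added example, not DirectAdmin's jail_user.sh; the
# files.list format (one absolute path per line, # comments allowed) is an
# assumption of this example.
# Usage: populate_jail /home/huskey12 files.list

# Turn ldd's output into a list of library paths, one per line. ldd prints
# three shapes of line, for instance:
#     libc.so.6 => /lib/libc.so.6 (0xb7d00000)   -> /lib/libc.so.6
#     /lib/ld-linux.so.2 (0xb7f10000)            -> /lib/ld-linux.so.2
#     linux-gate.so.1 =>  (0xb7f00000)           -> skipped (virtual, no file)
parse_ldd_output() {
    awk '
        / => \//          { print $3; next }   # "name => /path (addr)"
        /^[[:space:]]*\// { print $1 }         # "/path (addr)": the dynamic loader
    '
}

# Copy one file into the jail at the same path it has on the host, creating
# the directories above it. Symlinked libraries are copied as regular files
# under the name the program asks for, which is what the jail needs.
copy_into_jail() {
    jail="$1"
    src="$2"
    if [ ! -e "$src" ]; then
        echo "missing on host: $src" >&2
        return 1
    fi
    mkdir -p "$jail$(dirname "$src")" && cp -p "$src" "$jail$src"
}

# Copy every program named in the list plus its libraries. Returns non-zero
# if any copy failed. Run this only over system binaries you trust: ldd can
# execute a program's loader, so it must never be pointed at user-supplied files.
populate_jail() {
    jail="$1"
    list="$2"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$list" | while IFS= read -r bin; do
        copy_into_jail "$jail" "$bin" || exit 1
        # static binaries make ldd print "not a dynamic executable"; nothing to add then
        ldd "$bin" 2>/dev/null | parse_ldd_output | while IFS= read -r lib; do
            copy_into_jail "$jail" "$lib" || exit 1
        done || exit 1
    done
}
```

Run it as root against a list of the system's own binaries (bash, ls, vi and the like). Adding a program later is a matter of appending its path and rerunning; removing one is safe because its libraries are copies, not shared with the host.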
thoroughfare
07-19-2004, 03:35 PM
Originally posted by DirectAdmin Support
Like in vi, the arrows don't work, so you need to use hjkl to move around.
That would drive me nuuuuuuts lol :D
Matt ;)
hostpc.com
08-17-2004, 01:26 PM
Any update on the "official release" that was coming? :)
thoroughfare
08-17-2004, 02:54 PM
I think DA need more beta testers. The problem is that it needs to be a busy system so that we can properly test it, but I don't think there'll be many hosts willing to beta test out such a feature as SSH jails on a production server. I know I wouldn't try it.
:(
Matt
hostpc.com
09-09-2004, 01:11 PM
Originally posted by DirectAdmin Support on 07-19-2004
Hi Guys :)
Thanks for testing it out. The jail wrapper doesn't seem to be able to handle all shell functions. Like in vi, the arrows don't work, so you need to use hjkl to move around.
Not sure about the perl thing. The jail_user.sh script calls "ldd" on each file in files.list (list of files you want in the jail). This allows you to add/remove files you want to be added to the jail to new jails, without worry of breaking library dependencies.
John
Any updates? While I'd love to be able to "test" it, I can't test it with a live server, but I gotta believe that the folks at DA have something active they can test it with.
7-6-2004: I expect it not to be perfect at this point, but it should be functional at least.
This has been in the works for almost a year - has there been any further progress since the last "official" response to this thread on 07-19-2004 (Almost 2 months ago)?
thoroughfare
09-09-2004, 01:34 PM
Indeed :(
Matt
rushost
09-24-2004, 07:44 AM
Originally posted by DirectAdmin Support
Hi Guys,
Ok, here we go :)
.....
you could actually add it to the user_create_post.sh script, but i'll let you guys figure that out)
......
John
What user_create_post.sh script are you talking about?!
I didn't find it in DA :(
interfasys
09-24-2004, 07:54 AM
You have to create that file in /usr/local/directadmin/scripts/custom.
hostpc.com
09-24-2004, 08:03 AM
Has anyone else noticed that DA has been unusually quiet on this topic? 2+ months ago they "released" it, about a year after announcing it was "coming"... but it's still not even in "beta" - and doesn't appear that it's even being worked on.
Other issues like log file rotation have also gone "unanswered" - so it's not unique to this topic.
I've emailed support and John directly concerning this, and emails have gone unanswered, tho I'm not quite sure why.
There was a time when John & crew were answering topics in the forums within minutes after they were posted - now it's rare to see them post anything here. Unanswered emails, phone disconnected, live support that hasn't worked since I bought my licenses - I'm not getting "warm fuzzies" here.
thoroughfare
09-24-2004, 11:17 AM
Indeed - I agree completely.
I think DA is just experiencing growing pains - it's a lot of work for a two-man team. Anyone who runs a business will appreciate that sometimes you have a major obstacle which you need to complete before things become smoother and more efficient.
In the case of DA, they have the following obstacles:
- reseller scheme (needed before the user jail is implemented, since the sales will grow exponentially after the addition of this feature)
- clustering abilities
- increasing number of OSes supported
...etc
They should get things sorted soon hopefully.
Matt
sander815
09-24-2004, 01:45 PM
I would also like to get this done: f.i. with a simple php script like this, users without ssh access can access "/" on my server. They can't delete anything or so, but I don't like that they are able to see it
http://greenhell.com/archives/7_phpFileFarm.html
rushost
09-28-2004, 03:22 AM
cgi
For php you can use open_base...
But! Not only PHP, but also a CGI script like this
#!/usr/bin/perl
use CGI qw(param);
my $request=param('request');
my $action=param('action');
my @result=`$request`;
print "Content-type: text/html\n\n";
print "<html><body>\n";
print "<p>Request:<br><b>\n";
foreach $line (@result) {
print "$line<br>\n";
}
print "</b></p>";
print <<FORM;
<p>
<form method=POST action=>
<input type=text name=request value="$request" >
<input type=submit name=action value=execute >
</form>
</p>
FORM
print "</body></html>\n";
allows users to list from / and execute shell commands
so, jail-chroot doesn't finally solve the problem
What other solution could anyone suggest?
thoroughfare
10-06-2004, 05:33 PM
John? Mark? Any updates?!
Matt
l0rdphi1
10-06-2004, 07:39 PM
I think anyone who wants an update on this or similar issues will need to message John or Mark by email :D I have a feeling John and Mark are awful busy anymore and don't have time to keep up on their forums like they used to.
Of course, I could be utterly wrong. Maybe DA wants to surprise everyone. ;)
Cheers, Phi1.
hostpc.com
10-06-2004, 07:41 PM
Originally posted by l0rdphi1
I think anyone who wants an update on this or similar issues will need to message John or Mark by email :D
Cheers, Phi1.
That's kinda the point Phi1 - I personally HAVE emailed him on this subject and others - still no response.
Speaking of, I emailed YOU yesterday, and you didn't get back to me either - I'm beginning to see a pattern :)
l0rdphi1
10-06-2004, 07:45 PM
Maybe something is wrong with your SMTP? :D :D
No, on a serious note, I didn't realize DA wasn't talking by Email either. Hmm...
As for your issue, I didn't respond back?
*checks* ...
Oh, I didn't. :o Must have slipped my mind. Anyway, let me do that now :)
Phi1
Would be nice to get some type of update on this. Seems things have almost died, the website still has screenshots of the older skin.
:(
mike_p
10-15-2004, 12:59 AM
Originally posted by Dale
Seems things have almost died...
Just 4 days after a new version was released, you think so?
hostpc.com
10-23-2004, 08:09 PM
This thread is giving a whole new meaning to the word Vaporware.
Vaporware: adj; see DA Jail
DirectAdmin Sales
10-24-2004, 11:44 PM
Hi guys,
To put it plain and simple we can't move forward without any feedback. There seem to be lots of people interested in the feature but very little testing involved. Everything looks good on our systems but that doesn't mean it will operate perfectly in the real world. The number of testers so far can be counted on one hand, so it wouldn't be wise to release the feature to everyone at the moment.
If nobody watching this thread is interested in testing, perhaps we can make an announcement, or even better include testing information with new license purchase e-mails to get the ball rolling a bit faster.
Mark
Chrysalis
10-25-2004, 04:51 AM
I will test for you on my testing DA box, get back to me if you want my help.
nobaloney
10-25-2004, 07:26 AM
My testbed is currently quite busy but I'll be able to test it in about two weeks, after I return from ISP.CON, if you still need testers then.
Jeff
Dixiesys
10-25-2004, 09:08 AM
Originally posted by DirectAdmin Sales
Hi guys,
To put it plain and simple we can't move forward without any feedback. There seem to be lots of people interested in the feature but very little testing involved. Everything looks good on our systems but that doesn't mean it will operate perfectly in the real world. The number of testers so far can be counted on one hand, so it wouldn't be wise to release the feature to everyone at the moment.
If nobody watching this thread is interested in testing, perhaps we can make an announcement, or even better include testing information with new license purchase e-mails to get the ball rolling a bit faster.
Mark
Where do you want the feedback sent to? I'll put up a test box I guess and ask for volunteers to test it out from my own user forums.
DirectAdmin Sales
10-25-2004, 09:47 AM
Hi Gary,
You can send any errors to support@directadmin.com , and please provide as much information as possible. We just want to know what problems, if any, are encountered during day-to-day operations.
We will support these test systems, so if there is an error affecting the functionality of the box then we will treat it as a normal support request. Hopefully this will help.
Mark
113345
10-29-2004, 03:07 PM
Hi,
I did some testing with the jail.
I use FreeBSD 4.9 so things are probably a bit different for me.
What I found is that a number of programs do not work because the files have a different path in FreeBSD.
Findings:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vi
does not work, because of
1) wrong path
solution: change vi path in files.list to "/usr/bin/vi".
2) No terminal database found
solution:
add "mkdir -p $USER_HOME/usr/share" to jail_user.sh
add "mkdir -p $USER_HOME/usr/share/misc" to jail_user.sh
add /usr/share/misc/termcap.db to files.list
3) ex/vi: Error: Unable to create temporary file: No such file or directory
solution:
add "mkdir -p $USER_HOME/tmp" to jail_user.sh
add "mkdir -p $USER_HOME/var/tmp" to jail_user.sh
add "chmod 777 $USER_HOME/tmp" to jail_user.sh
add "chmod 777 $USER_HOME/var/tmp" to jail_user.sh
4) vi strange behaviour: messed up screen, invisible text, etc.
solution: add "mysetenv("TERM", "vt100");" to chrootshell.c and ./build shell
alternate solution: TERM=vt100;export TERM
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
sh
the .profile is not read
solution: none yet
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
bash
the .bash_profile is not read
solution: none yet
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ping
does not work because of:
1) wrong path
solution:
add "mkdir -p $USER_HOME/sbin" to jail_user.sh
add "/sbin/ping" to files.list
add /sbin to $PATH
after this, ping seems to work, but:
$ ping trends.org
ping: socket: Operation not permitted
(probably permission problem for socket)
solution:
omit ping from jail
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
man is not working
solution: none yet
I have spent a couple of hours on man, but was unable to solve all the problems.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
tar is not there
solution:
add "/usr/bin/tar" to files.list
I am not sure, but I think I have also added "/usr/bin/gzip" to files.list
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
find is not there: add "/usr/bin/find"
more is not there: add "/usr/bin/more"
unzip is not there: add "/usr/local/bin/unzip" + the PATH to unzip
zcat is not there: add "/usr/bin/zcat"
uname is not there: add "/usr/bin/uname"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
There are probably more problems than the above, but it is getting usable.
One of the important things to fix is the execution of .profile or .bash_profile because of the PATH settings.
l0rdphi1
10-29-2004, 03:35 PM
Has anyone tried using Installatron in a jailed environment? Installatron is currently storing user data in /usr/local/directadmin/plugins/iTron/data/ (which is chmod 777), and each user owns a file in that directory for his or her data. I don't think this is going to work given a jail, but I'm not too experienced with jailing and therefore can't answer this question for myself. :)
Phi1.
Peter Verrill
10-29-2004, 03:40 PM
I don't have Installatron, though I don't think a jail would make any difference.
The installatron scripts would be executed by DirectAdmin which would be able to write to that directory...
113345
10-29-2004, 04:01 PM
Hi Phi1,
I use Installatron.
I have just installed an application with a jailed user, and it works.
You mean this directory:
/usr/local/directadmin/plugins/iTron/data/installs:
total 8
drwxrwxrwx 2 admin admin 512 Oct 30 00:52 .
drwxr-xr-x 4 admin admin 512 Oct 15 17:07 ..
... etc
-rw-r--r-- 1 multidns admin 166 Oct 30 00:52 multidns
... etc
Normal permissions, same as users that are not jailed.
l0rdphi1
10-29-2004, 04:10 PM
Thank you Theo. That settles that issue. :)
Phi1.
Dixiesys
10-29-2004, 04:12 PM
Originally posted by l0rdphi1
Has anyone tried using Installatron in a jailed environment? Installatron is currently storing user data in /usr/local/directadmin/plugins/iTron/data/ (which is chmod 777), and each user owns a file in that directory for his or her data. I don't think this is going to work given a jail, but I'm not too experienced with jailing and therefore can't answer this question for myself. :)
Phi1.
If Installatron uses CGI instead of Perl - then yes, that could impact it.
One thing Ensim does is use hardlinks to files it needs in its shell. However, I've had a theory that all those darned hardlinks are maybe why Ensim always had screwed up quotas.
Chrysalis
10-30-2004, 10:44 AM
hey 113345, thanks, glad someone tested it on FreeBSD. I haven't had time yet, been busy.
hostpc.com
11-09-2004, 10:25 AM
Originally posted by DirectAdmin Sales 02-14-2004 05:11 PM
Straight poop:
We've been quiet about it, but I will say that programming is complete for jailing at all levels. It's a major system change so it's something we refuse to rush into.
It's coming!
Mark
9 months ago, programming was "complete" - now we moved into "testing" phase, feedback is being provided about what's in there, etc ... is any progress being made on getting another "completed" message?
I hate to pound on this subject, but there's a LOT of users that want/need/require shell access to perform tasks. We're constantly answering questions about when this is going to be available, as it's been "announced" several times.
Andrax
11-29-2004, 08:59 AM
Any update on the status of the "testing" or what not... we've been hearing about and talking about jailed environments for SSH etc for a year or so...
Be nice to be able to offer this feature....
sullise
01-21-2005, 08:02 PM
I doubt you will ever see it. It's been almost a YEAR since this thread started and it's still vaporware. I guess DA is now managed by Ensim.
Notice it's DirectAdmin Sales, not DirectAdmin Programmer. Sales ppl will promise you anything whether it's real or not...don't you ever read Dilbert? LOL.
nobaloney
01-23-2005, 11:27 AM
Originally posted by sullise
I doubt you will ever see it. It's been almost a YEAR since this thread started and it's still vaporware. I guess DA is now managed by Ensim.
Since people can't always tell if you're being facetious in a post, it's probably not a good idea to say things like this which aren't true; these statements may not be obvious to all readers, especially those not familiar with English.
DirectAdmin is owned by JBMC software, though I usually just call them "DA" in these forums. They have no connection with Ensim.
Notice it's DirectAdmin Sales, not DirectAdmin Programmer. Sales ppl will promise you anything whether it's real or not...don't you ever read Dilbert? LOL.
Whereas DA staff wear different hats, the sales department and the other departments work together to continue to make DA the best possible Server Control Panel under the limitations of staff size and budget.
Jeff
rushost
01-23-2005, 11:33 AM
We asked DA's support:
What about this?
http://www.directadmin.com/forum/showthread.php?s=&postid=39428#post39428
Is it a real, actual feature?
They answered:
Hello,
we need people to test it, but nobody is. The jailing itself seems to work fine.. all that's left is to integrate it into DA .. but we can't release it as stable without any testing (I believe we've had maybe 3 people test it).
Thank you,
John
So, we should find people to test it and cooperate with DA support.
Is there anybody? (Someone who knows English well; I cannot, my English is not so good.)
sullise
01-23-2005, 07:30 PM
Ok.. in future, when I throw out some sarcasm, I'll be sure to include the <sarcasm> tags. ;)
As for the other comment, you have to admit, put yourself in the clients shoes....I think you'd feel the same way.
Whereas DA staff wear different hats, the sales department and the other departments work together to continue to make DA the best possible Server Control Panel under the limitations of staff size and budget.
I guess humor is not DA's forte.
nobaloney
01-23-2005, 08:59 PM
Originally posted by sullise
Ok.. in future, when I throw out some sarcasm, I'll be sure to include the <sarcasm> tags. ;)
Actually not a bad idea; many people who don't speak English have problems picking out sarcasm.
I guess humor is not DA's forte.
I speak for myself, not for DA staff.
Jeff
thoroughfare
01-24-2005, 04:08 AM
Right, this needs sorting :)
Here's the problem; everyone wants user jailing, but obviously no one wants to test it on a production server.
If I set up a FreeBSD test server (which I'm more than happy to do), is there anyone who'd be willing to host their non-critical sites on there?
Please post below and I'll add your usernames to a list here:
THE LIST
1. thoroughfare
2. hostpc
3. interfasys
4. andyl
5. sullise
6. Chrysalis
7. sullise
After about a week, I'll get the server set up and we can get testing.
Thanks,
Matt :D
interfasys
01-24-2005, 04:16 AM
Do you have installatron on that server? If not, maybe you can talk to them and have a temp license for that server.
That way we could install many scripts on a domain name and see how it goes?
hostpc.com
01-24-2005, 04:24 AM
I'd toss my hat in the ring, however all my servers are RH / FC - so a FreeBSD test probably won't do me any good. I think I can ask our datacenter to throw a rh9 or fc box online for us to test for a couple weeks... I'll make the calls today.
I just hope that with all our tests that a prototype beta IS ready for testing.
113345
01-24-2005, 04:41 AM
Hi,
I am using the jail on a production server since October.
There is only one customer using it, we don't promote the jail.
In my firewall there is a rule for his IP, I don't want the whole world to abuse SSH, as there are often brute force attacks.
My customer is happy with the jail.
I also use Installatron, my customer uses the TSEP search engine and everything works like it would without the jail.
I have made some modifications to the original jail and gave feedback to John.
You can add programs that you need/like to the files.list.
thoroughfare
01-24-2005, 04:52 AM
Originally posted by interfasys
Do you have installatron on that server? If not, maybe you can talk to them and have a temp license for that server.
Unfortunately not, as it's a test server, but I can certainly contact Phil from iTron and see if a test license is possible.
Do you have a site or sites you could host there?
Thanks,
Matt
thoroughfare
01-24-2005, 04:54 AM
Originally posted by hostpc.com
I'd toss my hat in the ring, however all my servers are RH / FC - so a FreeBSD test probably won't do me any good. I think I can ask our datacenter to throw a rh9 or fc box online for us to test for a couple weeks... I'll make the calls today.
I just hope that with all our tests that a prototype beta IS ready for testing.
Can someone from DA confirm this - do we need a test server for each OS in order to fully test the jails?
If it's necessary, then that sounds brilliant. Otherwise it might be best to concentrate all of our efforts on one test server to begin with.
Thanks,
Matt :)
thoroughfare
01-24-2005, 04:57 AM
Originally posted by 113345
Hi,
I am using the jail on a production server since October.
There is only one customer using it, we don't promote the jail.
In my firewall there is a rule for his IP, I don't want the whole world to abuse SSH, as there are often brute force attacks.
My customer is happy with the jail.
I also use Installatron, my customer uses the TSEP search engine and everything works like it would without the jail.
I have made some modifications to the original jail and gave feedback to John.
You can add programs that you need/like to the files.list.
Hi Theo,
Sounds good. Did John implement the feedback you sent? If not, could you post it so that we can keep a list of known issues?
Also, have you performed any security testing on the jail? My main concerns are two fold:
1. The jail must work as well as the existing system.
2. The jail must be as secure as possible (nothing's 100%, but as close as possible would be good ;) )
Thanks,
Matt :)
interfasys
01-24-2005, 05:18 AM
I could spare $7.95 on a domain name just for the test?
hostpc.com
01-24-2005, 05:33 AM
I've got a bunch of names we could use... just let me know where/when - I'll gladly change them over
113345
01-24-2005, 05:46 AM
Hi Matt,
John has implemented the feedback.
I haven't done any security testing on the jail, that's why I don't promote it. I trust the customer who is using the jail.
When you look at the code for the jail, you can see it is taken from another project, I don't know how old the code is.
The changes I have made were small, my main problem is that the .profile or .bash_profile are not executed.
Solved the path settings and TERM settings by adding them to the chrootshell.c code.
Chrysalis
01-24-2005, 09:40 AM
I have recently bought a domain and am prepared to help test while I develop my site, but if I do, can you allow me to use 2 email addresses and have DNS control, as I am planning to set up some vhosts on the domain.
nobaloney
01-24-2005, 09:57 AM
I have a testbed server I'm rebuilding today as CentOS (compatible with RHEL, WBEL). I have domain names available specifically for testing.
I have an Installatron license specifically for testing.
But I don't have time to do any testing myself.
Anyone interested in working with this setup?
Jeff
sullise
01-24-2005, 11:57 AM
I'm sure I have a handful of domains that I'm not doing squat with that we can use as well...right now they're just sitting in Sedo..and not doing much..lol...
(see what I started. :) ).
andyl
01-24-2005, 12:13 PM
Hi thoroughfare,
I have a domain I'm willing to offer for the cause, if you're still looking for testers.
Thanks,
Andy
thoroughfare
01-24-2005, 12:47 PM
Originally posted by 113345
Hi Matt,
John has implemented the feedback.
I haven't done any security testing on the jail, that's why I don't promote it. I trust the customer who is using the jail.
When you look at the code for the jail, you can see it is taken from another project, I don't know how old the code is.
The changes I have made were small, my main problem is that the .profile or .bash_profile are not executed.
Solved the path settings and TERM settings by adding them to the chrootshell.c code.
Thanks for the info 113345.
John/Mark from DA: Can you please setup a section on the forum for jail beta-testing, so we can report problems and known issues rather than putting them all in one thread? It'll be easier to address each issue that way.
Matt :)
thoroughfare
01-24-2005, 12:52 PM
Thanks to everyone who has shown interest so far. I'm still looking for more testers, so anyone is welcome.
I must stress that any domain you host on the test server must either:
1. be an actual site, so that we can achieve as real a test as possible by testing it with real-world applications
2. a site that wasn't in use before, but one you'd be willing to spend time testing, playing around with DA/SSH and PHP/Perl.
JLasman: I'm thinking that we'll need to test this on all DA platforms. Like I said, I can provide a FreeBSD test server. You can cover CentOS, what does that leave?
Matt
nobaloney
01-25-2005, 11:21 AM
CentOS/RHEL/WBEL are functionally the same and all of them are based on RHL9.
On the other subject, it's easy enough to test well-written sites on test domains.
You just (for example) set up a site called "test.nobaloney.net", and then update the contents of the real "nobaloney.net" site to it.
DA doesn't differentiate between a site set up as a third level or second level domain, and well-written sites don't use the site name in any of the links, so this should work.
Jeff
sullise
01-25-2005, 12:16 PM
I have a couple sites that are in development that I can put on there to test.
thoroughfare
01-25-2005, 05:15 PM
That's 7 testers so far on the list :)
Jeff - when I mean 'real' sites, I didn't necessarily mean a domain dedicated to testing - just a website that is typical of websites we'd normally host. For example, most of my customers run PHP scripts that rely on MySQL, so therefore if we had some sites like that it'd help.
Matt
hostpc.com
01-25-2005, 05:19 PM
And CGI, definitely CGI :)
maybe an attempt to load an IRC bot, something that requires sessions (which currently write to /var/tmp), majordomo lists (which currently store digests in /var/tmp - on occasion). CGI is the biggest culprit of getting into /var/tmp and /tmp ... I realize a jail won't stop them, but it'll take some of the tools they need away.
With the recent CURL and WGET exploits, testing those would be a good idea too.
I think I've got an old copy of phpBB that can be installed, and then we can all try and "break" it :)
thoroughfare
01-25-2005, 05:21 PM
CGI of course.
If anyone has a collection of nasty Perl scripts to run, please feel free to get those ready. Anything we can use to test security.
Matt
Chrysalis
01-25-2005, 05:25 PM
My site currently doesn't exist, but when I start working on it, it will use PHP and MySQL, so I think it will be a fair test, and I would like SSH access to do MySQL commands, so overall I think a good test of the whole jail system.
thoroughfare
01-27-2005, 03:04 AM
Ok that's good :)
Anybody else interested? I'm going to have this system ready by 2-3rd February.
Matt
SteveK42
02-06-2005, 05:46 AM
I installed it last night on our production server that has some add-ons like pgsql and Installatron...it's working great! However, I did have to add a few things to jail_user.sh, files.list, and chrootshell.c.
jail_user.sh:
mkdir -p $USER_HOME/usr/local/pgsql/lib
mkdir -p $USER_HOME/usr/share/terminfo/v
mkdir -p $USER_HOME/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE
pgsql/lib was for my postgres install. /usr/share/terminfo/v was so I could copy vt100's file in the terminfo area. This, plus another file in files.list got rid of the vt100 problem when using vi or commands like 'clear.' The perl5 directory was to clear up a 'not found' error that kept happening.
if [ ! -e "$USER_HOME$USER_HOME" ]; then
# Ok, we can't assume it's in /home, so create
# all directory paths like before, then delete the user's home
# then create the symbolic link. If we didn't
# create the full path first, there might be
# missing directories if they've got a weird home path.
# (No slash between the two USER_HOMEs: the path already starts with one.)
mkdir -p "$USER_HOME$USER_HOME"
rm -rf "$USER_HOME$USER_HOME"
ln -sf .. "$USER_HOME$USER_HOME"
fi
There used to be a slash between the two USER_HOMEs that was causing a problem; also, the rm -rf line wasn't working at all before.
In files.list:
/usr/share/misc/termcap.db
/usr/share/terminfo/v/vt100
/usr/local/pgsql/lib/libpq.so.3
/bin/gunzip
/etc/termcap
/bin/more
The termcaps got rid of all vt100 problems and also made vi work beautifully again. 'more' and 'gunzip' I felt were necessary.
Looking good! Now all we need is for the system to run this automatically when we enable ssh for someone. :)
SteveK42
02-06-2005, 05:47 AM
Also forgot to change $USER_HOME/$USER_HOME to leave out the slash; do this anywhere it appears. Since the user home will start with a slash, it's unnecessary. My install was on RH9.
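The pieces from 113345's findings and SteveK42's jail_user.sh changes, put together as an added example (this is not DirectAdmin's jail_user.sh and the function names are mine): it takes the jail root ($USER_HOME) and a files.list of one absolute path per line, copies each file plus the shared libraries ldd reports for it, creates the tmp dirs vi needs, and makes the $USER_HOME$USER_HOME link. It generalises the thread's `ln -sf ..`, which only resolves to the jail root for a two-component home such as /home/user, to a home path of any depth.

```shell
#!/bin/sh
# Added example, not DirectAdmin's jail_user.sh. Assumed layout (from the
# thread): the jail root is the user's home ($USER_HOME) and files.list holds
# one absolute path per line; "#" comments and blank lines are skipped.

# Copy one file into the jail, creating its parent directory and keeping
# its mode. Returns 1 (and says so) if the file does not exist on the host.
jail_copy_file() {
    jail="$1"; src="$2"
    if [ ! -f "$src" ]; then
        echo "jail: $src not found on host, skipped" >&2
        return 1
    fi
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Copy the shared libraries a dynamically linked binary needs. ldd prints
# lines like "libc.so.6 => /lib/libc.so.6 (0x...)" or "/lib/ld-linux.so.2 (0x...)";
# only the absolute paths are kept. Scripts and static binaries yield nothing,
# and a host without ldd is left to the files.list entries alone.
jail_copy_libs() {
    jail="$1"; bin="$2"
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            [ -e "$jail$lib" ] || jail_copy_file "$jail" "$lib" || true
        done
    return 0
}

# Relative target for the link at $jail$home that must resolve back to the
# jail root: one ".." per path component of $home, minus one. The thread's
# "ln -sf .." is the /home/user case; a home like /var/www/u1 needs "../..".
jail_home_link_target() {
    n=$(( $(printf '%s' "$1" | tr -cd '/' | wc -c) - 1 ))
    target=""
    while [ "$n" -gt 0 ]; do
        target="${target:+$target/}.."
        n=$((n - 1))
    done
    printf '%s\n' "$target"
}

# Build the jail: listed files plus their libraries, sticky world-writable
# tmp dirs (vi's temp files), and the home-path link (no slash between the
# two parts, as noted above).
jail_populate() {
    jail="$1"; list="$2"
    mkdir -p "$jail/tmp" "$jail/var/tmp"
    chmod 1777 "$jail/tmp" "$jail/var/tmp"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$list" |
        while read -r path; do
            jail_copy_file "$jail" "$path" || continue
            jail_copy_libs "$jail" "$path"
        done
    if [ ! -e "$jail$jail" ]; then
        mkdir -p "$jail$jail"        # make the parents, whatever the depth
        rm -rf "$jail$jail"          # then replace the leaf with the link
        ln -sf "$(jail_home_link_target "$jail")" "$jail$jail"
    fi
}

# Usage: sh jail_populate.sh /home/user /usr/local/directadmin/customapache/jail/files.list
if [ "$#" -eq 2 ]; then
    jail_populate "$1" "$2"
fi
```

Run it as root against the real home; the link check at the end is what makes `cd ~` inside the chroot land on the jail root rather than fail.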
SteveK42
02-06-2005, 06:29 AM
I also added these to files.list:
/usr/bin/top
/usr/bin/uptime
And then added this to jail_user.sh:
mkdir -p $USER_HOME/proc
mount -t proc proc $USER_HOME/proc
These were necessary for top and uptime to run. Other things also use proc, so I figured it'd make a good addition.
SteveK42
02-06-2005, 06:53 AM
Just realized on the mounting of proc, the mount won't stay if you reboot... does this mean we'd need every user in /etc/fstab? If so, you can do this in jail_user.sh:
echo "none $USER_HOME/proc proc defaults 0 0" >> /etc/fstab
Not sure if this would work...any ideas?
adam-pca
10-05-2005, 01:03 AM
Hi,
I noticed this is an issue constantly pushed back by DA, is there/will there be ANY update/implementation of this?
I hate to drag the issue back up, but it seems like if someone isn't publicly displaying interest, DA seems to think it's all fine and dandy to forget about it. :(
Thanks,
Adam
hostpc.com
10-22-2005, 06:33 PM
Well, I hate to bring up an oldie like this thread, but I think we've got it nailed down finally. It's working fine on a test server that was _not_ updated, but I've got a couple issues on one with a new update.
One question for John and the DA guys... is there any chance that recent Apache upgrades, etc would interfere with this jail and your original scripts? If so, can these scripts be updated as well?
Thanks
Joe
XereX
01-11-2006, 08:21 AM
****BUMP****
sander815
01-11-2006, 01:39 PM
http://help.directadmin.com/item.php?id=90
beta
DirectAdmin Support
01-11-2006, 01:41 PM
Hello,
Updating Apache would in fact overwrite the jail patch onto suexec. I'll look into adding a check for the jailed files during the Apache update.. if they exist, it will re-patch Apache.
John
XereX
01-11-2006, 01:42 PM
Thanks, I didn't see that in my searches in the past few days...
-XereX
thoroughfare
04-01-2006, 06:08 PM
Quick question... if system binaries etc are copied into the chroot directory to create an environment for the user, what do we do when those binaries are updated on the base system? Would hardlinking work?
Thanks,
Matt :)
DirectAdmin Support
04-01-2006, 06:57 PM
I believe hard linking can work if the system files used in the users home are on the same partition .. I don't think hardlinking works across partitions.. but does work through jails.
To update any files for the current setup.. you can delete any binaries from within the jail and then rejailing the user should work. It will notice the missing file and copy it over.
John
thoroughfare
04-01-2006, 09:52 PM
Thanks John - hardlinking would certainly save space, if it could work over partitions. Perhaps updating the binaries should be built in to the DirectAdmin jail mechanism, e.g. a switch in the jail.sh that deletes all binaries from all jails so that they're rebuilt.
Matt
This doesn't work for Apache 2?
Is this coming out of beta any time soon?
Jon
nobaloney
04-03-2006, 06:18 PM
Originally posted by thoroughfare
Thanks John - hardlinking would certainly save space, if it could work over partitions.
Hard links cannot work over partitions because here's how a hard link works:
When you create a file two things happen: The file is written to a location on the partition, and a directory entry is written that points to the location.
A hard link is simply another pointer. Because of the way the pointers are structured, they can't link to a different partition; they have no way in the structure to identify it.
Jeff
ecsportal
07-07-2006, 01:32 AM
Using this on CentOS 4.3. Extensive testing .. So far working beautifully. I would like to see if DA still plans to support this in the future?
felosi
07-13-2006, 08:07 PM
Yes, I think this feature would be good. I hate Plesk, it's horrible and slow, but I did like the feature to choose which shell to give users.
ecsportal
07-13-2006, 08:16 PM
I do have an issue with this though. How do I remove a user? Can't delete the directories etc.
jackc
02-18-2007, 09:14 AM
Testing jailed shell...
I was testing the jail on CentOS 4.4 and it is working fine, I log in to it without any problems, but I'm interested in how to add, for example, mc to the jailed shell, because on a fresh install mc and other applications do not work. How do I add this to the jailed shell?
DirectAdmin Support
05-01-2007, 12:20 PM
Add the full path to the program you wish to the /usr/local/directadmin/customapache/jail/files.list.
John
I do have an issue with this though. How do I remove a user? Can't delete the directories etc.
Hi ecsportal! I uninstall the jail on a user by deleting this user and adding the same user again as new. Only this way can you uninstall the jail on a user, I think.
Sorry, little mistake. In /etc/passwd there is the user with the jail; just simply change it to a normal password.
Add the full path to the program you wish to the /usr/local/directadmin/customapache/jail/files.list.
John
John, have you noticed any problems with the jail?
DirectAdmin Support
05-01-2007, 12:27 PM
We have not had any reports in quite a while.
John
We have not had any reports in quite a while.
John
John, I added the full path to mc in /usr/local/directadmin/customapache/jail/files.list
and I got this error:
*** err [lib/liblow.c(258)]:
checking tty name failed
Segmentation fault
zaphod
05-16-2007, 10:28 PM
Is it true that this still only works with Apache 1.3? Does it work with the new build system? Thanks!
pucky
08-10-2007, 10:41 PM
No work has been done on jailing for a while. We're trying to nail out the bugs in the backup system and get a few more OS's released. We do have very primitive jail working, but it's missing things like the ability to send formmail with cgi scripts because the mailer is outside of the shell. There will be many issues like that, but it's still on the backburner. Another reason is because the demand that we see has slowed, but that's most likely due to patient people like yourself :) ... at any rate, we really want to get it released, along with several other features/OS's, but there aren't enough hours in the day, so we need to prioritize.
John
How about hiring more staff, programmers? How many people actually work at DA? I heard it was 2. Surely you're making money, aren't you? I mean every DC I've seen is offering DA, therefore you must have an income that can warrant continued production on DA in a faster manner by hiring additional staff (programmers). That's how a business works and how it grows. Overwhelming yourselves and stating you don't have enough time in the day, like all of us, is a crazy thing to say in my opinion. Time to look at getting some more people to moderate on a technical level (sorry Jeff), support and most importantly handle the feature requests and continued development of this product.
xeryph
09-27-2007, 02:27 AM
It is working fine, but there is something strange - mc isn't working. I need to mount /dev into the user's jail and it will be. Do you know how I can do this?
Thanks
xeryph
09-27-2007, 02:45 AM
mount -t devpts dev $USER_HOME/dev
doesn't help :(
hostpc.com
10-18-2007, 09:43 AM
I know I'm probably beating a dead horse, but got a couple of questions. We've modified this jailshell a bit, added other programs etc.
We're facing a couple of issues.
1. Users adding additional domains are not getting automatically jailed for that new domain. Can any type of check be implemented so that if a user adds a domain to their account (virtual), the new domain will automatically get the environment set correctly?
SetEnv JAIL_DIR |HOME|
2. If a user is NOT using jailed SSH .. is there any advantage to using a SetEnv JAIL_DIR |HOME| directive for that user? I'm specifically thinking this might help avoid XSS attacks, bad php scripts, etc. Any chance that'd help prevent malicious attacks/scripts?
Thanks
DirectAdmin Support
10-18-2007, 12:53 PM
Hello,
1) The domain_create_post.sh should be handling that.. check for the line:
echo "SetEnv JAIL_DIR |HOME|" > /usr/local/directadmin/data/users/${username}/domains/${domain}.cust_httpd
which should add the SetEnv bit to /usr/local/directadmin/data/users/username/domains/domain.com.cust_httpd ... so also check the cust_httpd file to see if it's being added.
2) The jail with the SetEnv only applies to scripts run through suexec. mod_php is not run through suexec, so php scripts are not jailed. Suexec really only applies to the cgi-bin folder. Php scripts can be run through suexec if they have #!/usr/local/bin/php at the top line of the file, exist in the cgi-bin file and handle all environment variables correctly.. because cgi-bin folders are not handed the formatted variables as they are in mod_php. A better solution for php is suPhp (custombuild), as I believe it does have jailing for php correctly.
John
hostpc.com
10-18-2007, 12:59 PM
Thanks for the fast responses.... DA RockS!
Afonso
02-17-2008, 06:33 AM
Can you make a version for Apache 2? I had to go to Apache 2 because of moddav...
smtalk
05-11-2008, 02:43 PM
Afonso, it's done and will be released soon :)
Henrik
05-12-2008, 01:57 AM
How will it be implemented, from an administrator's point of view?
And also, will it work with Apache 2.2.x?
Thanks :)
smtalk
05-12-2008, 06:28 AM
Henrik, you will be able to use "./build all_jail" to build everything, it will add patched suexec file to Apache using "./build apache" (if jail=yes is set in the options.conf file). And yes, it will work with Apache 2.x.
zaphod
05-12-2008, 06:34 AM
Excellent, thank you for working on this.
What does it jail exactly? Does it jail just things run through Apache (that is, PHP, Perl, etc scripts run as CGI), or also FTP/SSH users?
smtalk
05-12-2008, 07:18 AM
It jails SSH and CGI.
hostpc.com
05-14-2008, 11:20 PM
Any update on the release of this?
I know, I know, I'm impatient ... life on the edge, what can I say :)
hostpc.com
05-14-2008, 11:22 PM
Hello,
1) The domain_create_post.sh should be handling that.. check for the line:
echo "SetEnv JAIL_DIR |HOME|" > /usr/local/directadmin/data/users/${username}/domains/${domain}.cust_httpd
which should add the SetEnv bit to /usr/local/directadmin/data/users/username/domains/domain.com.cust_httpd ... so also check the cust_httpd file to see if it's being added.
2) The jail with the SetEnv only applies to scripts run through suexec. mod_php is not run through suexec, so php scripts are not jailed. Suexec really only applies to the cgi-bin folder. Php scripts can be run through suexec if they have #!/usr/local/bin/php at the top line of the file, exist in the cgi-bin file and handle all environment variables correctly.. because cgi-bin folders are not handed the formatted variables as they are in mod_php. A better solution for php is suPhp (custombuild), as I believe it does have jailing for php correctly.
John
I absolutely **HATE** suexec ... every dang file gets treated as a CGI process which kills server resources. I know, I know, pros and cons - but in my mind, there's more cons than pros - can anyone convince me otherwise? I'm always open to hearing both sides of the argument.
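As an added example (not DirectAdmin's hook and not John's code), here is a small POSIX shell script that does what the quoted domain_create_post.sh line does, but only when the directive is missing, and then audits a users tree for domains whose .cust_httpd still lacks it. The base directory, user and domain names in the demo are constructed; on a real box the base would be /usr/local/directadmin/data/users.

```shell
#!/bin/sh
# Added example, not DirectAdmin's own code. It mirrors the hook quoted above
# (domain_create_post.sh writing "SetEnv JAIL_DIR |HOME|" into the domain's
# .cust_httpd file) and adds the check John suggests: walk every user's domains
# and report which .cust_httpd files still lack the line. The base directory is
# a parameter so it can point at the real tree (/usr/local/directadmin/data/users)
# or at a throwaway copy; the demo below builds a constructed copy.

# Idempotent version of the hook's echo: append the line only when it is absent,
# so re-running it never duplicates the directive or clobbers other custom config.
add_jail_setenv() {
    conf="$1/$2/domains/$3.cust_httpd"        # base, user, domain
    mkdir -p "$(dirname "$conf")"
    grep -Eqs '^SetEnv[[:space:]]+JAIL_DIR[[:space:]]' "$conf" ||
        echo 'SetEnv JAIL_DIR |HOME|' >> "$conf"
}

# Print "user domain" for every domain whose .cust_httpd lacks the directive.
# Only CGI run through the patched suexec honours JAIL_DIR; mod_php does not,
# so this audit says which cgi-bin sites are not jailed and nothing about PHP.
audit_jail_setenv() {
    for conf in "$1"/*/domains/*.cust_httpd; do
        [ -e "$conf" ] || continue            # no match: glob stayed literal
        user=$(basename "$(dirname "$(dirname "$conf")")")
        domain=$(basename "$conf" .cust_httpd)
        grep -Eqs '^SetEnv[[:space:]]+JAIL_DIR[[:space:]]' "$conf" ||
            echo "$user $domain"
    done
    return 0
}

# Constructed sample tree: alice's domain got the hook, bob's did not.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/alice/domains" "$dir/bob/domains"
    echo 'SetEnv JAIL_DIR |HOME|' > "$dir/alice/domains/example.com.cust_httpd"
    : > "$dir/bob/domains/other.org.cust_httpd"   # empty: hook never ran
    echo "$dir"
}

demo=$(make_demo_tree)
echo "Missing before fix:"; audit_jail_setenv "$demo"   # bob other.org
add_jail_setenv "$demo" bob other.org
echo "Missing after fix:";  audit_jail_setenv "$demo"   # (nothing)
rm -rf "$demo"
```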
smtalk
05-17-2008, 12:05 PM
Joseph, no release date is set :) But you can find the test files here: http://files.directadmin.com/services/custombuild/jail/cbtest/.
zaphod
05-29-2008, 06:48 PM
I absolutely **HATE** suexec ... every dang file gets treated as a CGI process which kills server resources. I know, I know, pros and cons - but in my mind, there's more cons than pros - can anyone convince me otherwise? I'm always open to hearing both sides of the argument.
I guess it depends on whether you have control over what goes on the server or not, and how quickly you update things like PHP when there is a vulnerability.
Case 1: PHP Vulnerability
Unjailed - If you don't update right away, then a PHP vulnerability with safe_mode or open_basedir (and there have been many over the years) can affect all sites on the server by just exploiting one site.
Jailed - it affects one site, and is contained to just that site (giving you time to fix the problem).
Case 2: Client installs exploitable package
Unjailed - could lead to complete compromise of the server.
Jailed - it affects one site, and is contained to just that site.
For a small decrease in performance (usually not that noticeable for most sites, realistically), that seems like a big pro, and a small con, from where I sit.
I absolutely **HATE** having a server owned. :-)
(Yes, it's only one part of the bigger security picture, but it can be a good first step in reducing the effects felt by a compromise of a particular site)
zaphod
05-29-2008, 07:00 PM
(Exchange PHP with Perl, or another package run as CGI. I realize that suPHP is likely the better way to jail PHP scripts)
Afonso
10-25-2008, 04:33 PM
In a jailed environment, are the files .bashrc, .bash_profile, .profile, /home/jailed_user/etc/profile, or others taken into account?
I was trying to change the user's prompt but I didn't find a way...
If I manually
export PS1='\[\033[01;31m\]\u@\h \[\033[01;34m\]\W \$ \[\033[00m\]'
it just works!