How to setup jailed ssh and jailed cgi (beta)


Enter Your Query:
Use '%' for wildcards and quotes for "exact phrases"

Top Level » The CustomBuild scripts » Jailing

How to setup jailed ssh and jailed cgi (beta)Last Modified: Jan 21, 2009, 4:12 pm
If you run custombuild, the jailed script portion of this guide is in the options.conf.

#Jailed shell (beta)
jail=yes

Then type

./build all_jail

The "./jail/jail_user.sh user" (from the custombuild dir) would be used for each user you want to jail.   The remaining httpd.conf and other options from this guide still apply.



1) First, install the scripts and binaries (note, currently for apache 1.3.x only):

cd /usr/local/directadmin/customapache
mkdir jail
cd jail
wget http://files.directadmin.com/services/customapache/jail/build
chmod 755 build
./build update
./build all


2) It's recommended you make backups of /etc/passwd, /etc/shadow, /etc/group, and /etc/master.passwd (if you have it)

cp -f /etc/passwd /etc/passwd.backup
cp -f /etc/group /etc/group.backup
cp -f /etc/shadow /etc/shadow.backup
cp -f /etc/master.passwd /etc/master.passwd.backup


3) To jail a specific user, this command is used:

cd /usr/local/directadmin/customapache/jail
./jail_user.sh username

If they are to use jailed CGI, then

SetEnv JAIL_DIR |HOME|

would need to be added to their virtualhosts (where home is their home directory, eg: /home/username).

Note that php through apache is not jailed, so enableing safemode and open_basedir would be recommended.

To *automate* the jailing process, you can create /usr/local/directadmin/scripts/custom/user_create_post.sh and fill it with:

#!/bin/sh
if [ $ssh = "ON" ]; then
  cd /usr/local/directadmin/customapache/jail
  ./jail_user.sh $username
fi
exit 0;

Then chmod it to 755:

chmod 755 /usr/local/directadmin/scripts/custom/user_create_post.sh



To automate the cgi jailing, then the SetEnv option has to be added to any virtualhost that is to use the jailing.  Create /usr/local/directadmin/scripts/custom/domain_create_post.sh with the following:

#!/bin/sh
COUNT=`grep -e "^${username}:" /etc/passwd | grep -c /bin/jail`
if [ $COUNT -eq 1 ]; then
  echo "SetEnv JAIL_DIR |HOME|" > /usr/local/directadmin/data/users/${username}/domains/${domain}.cust_httpd
  echo "action=rewrite&value=httpd&user=${username}" >> /usr/local/directadmin/data/task.queue
fi
exit 0;

and chmod to 755, like the user_create_post.sh script.

4) Since a user can be created without ssh, and it gets added later, we'll need to create a user_modify_post.sh script as well, but since it's the same code, we'll just create a symbolic link.

ln -s user_create_post.sh /usr/local/directadmin/scripts/custom/user_modify_post.sh



Note, that the jail_user.sh isn't going to be very speedy as it has to transfer over all program binaries and libraries that would be needed inside the jail.  This takes time.  It also takes a huge amount of space that will not be counted in the users total disk usage.
 
Related Helpfiles
Which folders are skipped from a DirectAdmin backup?

© 2003 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST