Open maietta opened 4 years ago
Add the following lines to your config file, and reinstall the jail.
dir /usr/lib/openssh 0755 root:root
clink /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server
I appreciate the response; however, these two lines don't make sense, and I've been using Linux for at least 20 years.
Are you saying that /usr/lib/openssh needs to be owned by root:root and set to 0755 permissions? And what is clink, and why, when I Google search for it, am I getting many references to Windows environments?
If I didn't know any better, I'd say you were expecting me to be working with Windows. I am trying to do this on a Linux server.
Use this command to edit the specific jail-shell config (test-jail is the jail name):
sudo jail-shell jail -e test-jail
and add those lines to the jail config; after that, save and exit. (This will add sftp-server to the jail.)
dir /usr/lib/openssh 0755 root:root
clink /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server
Then run the following command to reinstall the specific jail-shell:
sudo jail-shell jail -i test-jail
Awesome!! That works, but it's not exactly what I wanted (but very, very close).
The goal is to ensure that when users sign in, they are dropped into their home directory. I am currently using, for virtual web hosting, the /home/
Like SFTP, I would like users who use SSH to be dropped into their home directory. I would also like to see that they cannot browse above their /home/
Can this be achieved with jail-shell and how?
Additionally, I am stumped as to what the proper permissions should be for /home and for /home/[user]/.
Mind you, I am using containerized Apache/PHP etc. with a bind mount between the container's /var/www/html and the local host file system's /home/[user]/public_html. This is the ideal situation; however, if things need to be different to use the jail-shell system, I would be more than glad to adopt your methods or techniques.
TLDR; (Shorter description of needs)
Your help is greatly appreciated. I just donated $30 USD to show my appreciation and if you can help me solve my problem you will be greatly rewarded as I can do so.
Try the following config; this will map /home/[user] into the jail as /home/[user]:
bind /home/%u/ /home/%u/ rw,nodev,noexec,nosuid
DESC: bind a directory to jail
COMMAND: bind [SRC] DEST OPTION
OPTION: rw,ro,dev,nodev,exec,noexec, refer to (man mount) for the parameter description
%u in path '[SRC] DEST' will be replaced as user name
EXAMPLE:
bind / ro,nodev,nosuid
bind /opt/ /opt/ ro,nodev,noexec
bind /opt/upload /opt/upload rw,nodev,noexec,nosuid
bind /opt/%u /opt/upload ro,nodev,noexec,nosuid
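Added example (not jail-shell's own code, and not from anyone in this thread): a small POSIX sh linter for the three directive shapes that appear above, `dir PATH MODE OWNER:GROUP`, `clink SRC DEST` and `bind [SRC] DEST OPTION`, plus a helper that shows what a `%u` line becomes for a given user. It assumes only the syntax shown in this thread; the sample config is constructed. From a hardening standpoint it flags a `bind` that lacks `nodev` or `nosuid`, a writable `bind` without `noexec`, and a `dir` whose mode is world-writable, so a config can be checked before `jail-shell jail -i` is run.

```shell
#!/bin/sh
# Constructed sample config (assumption: directive syntax exactly as shown in the thread).
SAMPLE_CONFIG='dir /usr/lib/openssh 0755 root:root
clink /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server
bind /home/%u/ /home/%u/ rw,nodev,noexec,nosuid
bind /opt/upload /opt/upload rw
dir /tmp 1777 root:root'

# has_opt OPTS NAME: succeed if comma-separated OPTS contains NAME as a whole word.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# expand_user LINE USER: show the line after %u substitution (per the bind docs above).
expand_user() {
    printf '%s\n' "$1" | awk -v u="$2" '{ gsub(/%u/, u); print }'
}

# lint_line LINE: print one finding per problem; exit 0 if the line is clean, 1 otherwise.
lint_line() {
    set -- $1            # split the line on whitespace into positional parameters
    ok=0
    case "$1" in
        dir)
            if [ $# -ne 4 ]; then
                echo "dir: expected 'dir PATH MODE OWNER:GROUP', got: $*"; ok=1
            else
                case "$3" in          # last octal digit with the write bit set
                    *[2367]) echo "dir $2: mode $3 is world-writable"; ok=1 ;;
                esac
            fi ;;
        clink)
            if [ $# -ne 3 ]; then
                echo "clink: expected 'clink SRC DEST', got: $*"; ok=1
            fi ;;
        bind)
            if [ $# -lt 3 ] || [ $# -gt 4 ]; then
                echo "bind: expected 'bind [SRC] DEST OPTION', got: $*"; ok=1
            else
                for opts in "$@"; do :; done      # OPTION is always the last word
                for need in nodev nosuid; do
                    has_opt "$opts" "$need" || { echo "bind $2: missing $need"; ok=1; }
                done
                if has_opt "$opts" rw && ! has_opt "$opts" noexec; then
                    echo "bind $2: writable mount without noexec"; ok=1
                fi
            fi ;;
        *) echo "unknown directive: $1"; ok=1 ;;
    esac
    return "$ok"
}

# lint_config TEXT: lint every non-empty, non-comment line.
# Prints the findings; the exit status is the number of offending lines (0 = clean).
lint_config() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        lint_line "$line" || bad=$((bad + 1))
    done <<EOF
$1
EOF
    return "$bad"
}

# Run over the constructed sample: two lines are flagged (the bare rw bind and the 1777 dir).
lint_config "$SAMPLE_CONFIG" && echo "config clean" || echo "offending lines: $?"
expand_user 'bind /home/%u/ /home/%u/ rw,nodev,noexec,nosuid' tester
```

Pipe a real jail config through `lint_config "$(cat /path/to/jail.conf)"` before reinstalling the jail; the exit status doubles as a count for scripting.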
I have followed the instructions to install, and jail-shell is compiled and installed.
Now when I follow the instructions to create a new user on the system called "tester", I am STILL able to see the entire file system, including the files of other users on the system, both with SSH and SFTP. This is NOT what I am after.
I need each user on my system to have their own shell, restricted to a very limited set of commands that I wish them to have access to; plus, I need them to be able to see or navigate only the files they own within their own home directory. When SFTP is used, they should not be able to move outside their directory.
What are the magic words I need to be searching for, because neither restricted shell, jail nor chroot all work for both SSH and SFTP, even though SFTP uses SSH2.
I am at my wits' end here. This is what prevents me from moving away from cPanel. I am building a cPanel-like web hosting solution based around Traefik 2.x, but this security stuff needs to be addressed first. This will be open sourced.
Your help is appreciated.
UPDATE:
I was finally able to get the jail-shell working for "tester" where SSH is concerned, but I still don't have any SFTP access.