search

pymumu / jail-shell

Jail-shell is a linux security tool mainly using chroot, namespaces technologies, limiting users to perform specific commands, and access sepcific directories.
GNU General Public License v2.0
116 stars 20 forks source link

Effectively non-chrooted/jailed users. What am i missing? #8

Open maietta opened 4 years ago

maietta commented 4 years ago

I have followed the instructions to to install and jail-shell is compiled and installed.

Now when i follow the instructions to create a new user on the system called "tester", i am STILL able to see the entire file system, including those of other users on the system, both with SSH and SFTP. This is NOT what I am after.

I need each user on my system to have their own shell, restricted to a very limited set of commands that i wish they have access to, plus I need them only to be able to see or navigate only the files they own within their own home directory. When SFTP is used, they should not be able to move outside their directory.

What is the magic words I need to be searching for because restricted shell, jail nor chroot all work for both SSH and SFTP even though SFTP is uses SSH2.

I am at my wits end here. This is what prevents me from moving away from cPanel. I am building a cPanel-like web hosting solution based around Traefik 2.x but this security stuff needs to be addressed first. This will be open sourced.

Your help is appreciated.

UPDATE:

I was finally able to get the jail-shell working for "tester" where SSH is concerned but i still don't have any SFTP access.

pymumu commented 4 years ago

Add the following lines to your config file, and reinstall the jail.

dir /usr/lib/openssh 0755 root:root
clink /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server
maietta commented 4 years ago

Add the following lines to your config file, and reinstall the jail.

dir /usr/lib/openssh 0755 root:root
clink /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server

I appreciate the response, however, these two lines don't make sense and I've been using Linux for at least 20 years.

Are you saying that /usr/lib/openssh needs to be owned by root:root and set to 0755 permissions? And what is clink and why when i google search for it am i getting many references to Windows environment?

If I didn't know any better, you are expecting me to be working with Windows. I am trying to do this on a Linux server.

pymumu commented 4 years ago

use this command to edit the specific jail-shell config, test-jail is the jail name

sudo jail-shell jail -e test-jail

and add those lines to the jail config, after that save and exit.
(this will add sftp-server to the jail.)

dir /usr/lib/openssh 0755 root:root
clink /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server

and then run the following commad to reinstall the specific jail-shell

sudo jail-shell jail -i test-jail
maietta commented 4 years ago

use this command to edit the specific jail-shell config, test-jail is the jail name

sudo jail-shell jail -e test-jail

and add those lines to the jail config, after that save and exit. (this will add sftp-server to the jail.)

dir /usr/lib/openssh 0755 root:root
clink /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server

and then run the following commad to reinstall the specific jail-shell

sudo jail-shell jail -i test-jail

Awesome!! that works, but not exactly what I wanted (but very, very close)

The goal is to ensure that when users sign in, they are dropped into their home directory. I am currently using for virtual web hosting, the /home//public_html and would like that for the sftp and forcing chroot type behavior so users cannot browse above this directory.

Like sftp, i would like users who use ssh to be dropped into their home directory. I would also like to see that they cannot browse above their /home// directory.

Can this be achieved with jail-shell and how?

Additionally, i am stumped as to what the proper permissions should be for /home and for /home/[user]/.

Mind you, I am using containerized Apache/PHP etc with a bind mount between the container's /var/www/html and the local host file system's /home/[user]/public_html. This is the ideal situation however if things need to be different to use the jail-shell system, I would be more than glad to adopt your methods or techniques.

TLDR; (Shorter description of needs)

Your help is greatly appreciated. I just donated $30 USD to show my appreciation and if you can help me solve my problem you will be greatly rewarded as I can do so.

pymumu commented 4 years ago

try the following config, this will map /home/[user] in jail /home/[user]

bind /home/%u/ /home/%u/  rw,nodev,noexec,nosuid

DESC: bind a directory to jail COMMAND: bind [SRC] DEST OPTION OPTION: rw,ro,dev,nodev,exec,noexec, refer to (man mount) for the parameter description %u in path '[SRC] DEST' will be replaced as user name EXAMPLE: bind / ro,nodev,nosuid bind /opt/ /opt/ ro,nodev,noexec bind /opt/upload /opt/upload rw,nodev,noexec,nosuid bind /opt/%u /opt/upload ro,nodev,noexec,nosuid