New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
https://github.com/dannysheehan/linux-chroot-jail
Not sure if there is something better out there, edit as you wish
Put each user in an unprivileged LXC container with its own HTTP daemon, shared IPv4 and dedicated IPv6.
Give user root SSH access inside the container.
Run domain forwarder on shared IPv4 port 80 443.
This is how we roll.
https://github.com/McSim85/make_chroot_jail it is newer but needs fixing to modern Debian.
LXC is not an option, to much overhead.
Wondering, how cPanel and DA do this...
Doing proper SSH chroot jail, so that things still work as expected is quite an task, and not that trivial.
Easiest way is to have a copy of the system/distro inside the user's account, so they still have access all to the bins, libs etc.
You can have hardlinks etc. to do this as well tho, bind mounts etc.
But then you are poking holes into the chroot.
There's Firejail tho: https://firejail.wordpress.com/
Which is a bit different than just SSH chroot jail. Have no experience with this.
By far easiest is the LXC container option, and any solution you do will inevitable go towards the container direction, no easy way around that.
Doing manual grsec/sellinux/apparmor rules might get you there, but again tons of work.
I have maintained grsec rules in the late 90s, early 00s, and it was a PITA. But yeah 2 decades of tooling will have probably made things easier.
If you're on centos cloudlinux, works even for non-cpanel. Their support said they are working on Ubuntu version but no ETA.
Otherwise nothing truly exists, we've looked. Your solution is to manually lock down SSH, and install lshell and lock it down as well. There is only one version of lshell that currently works, the original is defunct. Link below.
https://github.com/Applenice/lshell
The best option for limited shell is GNU RUSH, but it is very hard to interpret documentation as there is no examples on the net. Does anyone knows how DA does jailed ssh?
DA uses bubblewrap
Give them full access to root then change the password / keys when they done
That seems like a pretty decent script. A useful tip is to copy strace into your jail. If a program fails to run in your jail, then strace it to see what files it needs.
I run some webservers within a bubblewrap and created a similar script for minimal files in the jail.
If users need access to a lot of common programs you can considering bind mounting (
mount -o rbind
) or overlay filesystems (docker does this).If you are already using sshd to chroot (through
ChrootDirectory
in sshd_config) then why do you need rush to chroot again?I think the easiest solution is to tell them to get a VPS
Why not use something like docker?
I have a feeling if LXC is too much overhead, Docker would be too, they're in a way quite similar