Want more timely Centmin Mod News Updates?
Become a Member

Addon Req : Jailed/Chrooted Shell

Discussion in 'Feature Requests & Suggestions' started by IamJAX, Jul 14, 2014.

  1. IamJAX

    IamJAX New Member

    5
    1
    3
    May 30, 2014
    Ratings:
    +1
    Local Time:
    7:16 AM
    Jailed/Chrooted Shell is already there in todo list as well as a preview. It would be great to have this as an addon for testing until it is ready for the stable build.

    I recently had a situation where this would have been useful.


    I host few of my friend's low traffic sites for free on my server. One of the site was not kept updated and got hacked. Through it, it was possible to have access to all the sites on the server.

    Say, for example, if I add a file manager script on one of the vhost, it is able to access everything site on the server.

    Is there any way to fix this security issue?
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    11:46 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yeah Jailed/chroot shell accounts would of potentially helped with this. File manager script ? got a link to it ?

    But as FAQ 2 outlined at http://centminmod.com/faq.html suggests, Centmin Mod was never intended for full on shared hosting. So who you give site/account access to should be strictly based on level of trust in that person and their ability to keep their site/scripts up to date.

    Jailed chrooted shell preview outlined at https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/ needs alot of testing and other items in place first and with CentOS 7.0 arriving will need more time to see how the new CentOS 7.0 changes affect Jailed/chroot access. Also other items on the to do list at https://community.centminmod.com/threads/centmin-mod-to-do-list.7/ would preferably need to come before Jailed/chroot feature as their addition could break or change Jailed/chroot feature.

    In a way, testing Jailed chroot features would involve testing everything within Centmin Mod including all the to do list features outlined at https://community.centminmod.com/threads/centmin-mod-to-do-list.7/.
     
  3. IamJAX

    IamJAX New Member

    5
    1
    3
    May 30, 2014
    Ratings:
    +1
    Local Time:
    7:16 AM
    This is the filemanager script I tried http://www.solitude.dk/filethingie/
    I just used it to see if one domain can access another one. I set the dir settings in it's config to the relative path to /home/nginx/domains and it was able to access all domains.

    Currently any script on any vhost/domain can access any other vhost/domain. Isn't this a serious security issue?

    I don't want shared hosting. But is there any way to protect other sites if one site gets hacked?


    As for the preview,if Jailed chrooted shell is already working with centos 6.5 and current centminmod, then more people using it helps find issues faster and all will expect bugs since it is just a preview.
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    11:46 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yes it would as expected as everything is own and run by nginx user as outlined in the background history part of how Centmin Mod came into being and where it derived it's Nginx domain/vhost and user structure from https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/
    As outlined in the background history at https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/ Centmin Mod derived it's current structure from original Centmin script and was and is never intended for shared hosting. It's intended for one owner to run their own sites and domains from. As such there's only one person accessing and touching the site and files = yourself the owner.

    Nginx itself installed via the YUM repos from CentOS or Ubuntu/Debian all out of the box also are non-jailed setups as well. No Nginx setup I know of comes with jailed chrooted setup out of the box right now. Centmin Mod's planned jailed chrooted feature as outlined at https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/ would probably be one of the first to offer such.

    Yeah, eventually I'd release a beta version of Jailed chrooted features for beta testing but it's just not fully ready. As I said to properly beta test Jailed chrooted feature, you will need to test every feature that Centmin Mod offers via the shell based menu including all addons http://centminmod.com/addons.html as well as all web app configurations outlined at http://centminmod.com/nginx_configure.html to ensure it's all working.

    FYI, I am using the current Centmin Mod .08+ and higher beta testing user feedback https://community.centminmod.com/threads/how-to-help-test-08-centos-7-betas-with-github-code.813/ as gauge to measure how well Jailed chrooted beta testing and other to do list feature beta testing will fair. So more participation in the current beta testing projects and faster feedback generally mean faster completion and progress to the next item on the do list or add ons list and so forth ;)
     
  5. IamJAX

    IamJAX New Member

    5
    1
    3
    May 30, 2014
    Ratings:
    +1
    Local Time:
    7:16 AM
    Thank you for your detailed reply :)

    In short, nothing can be done to protect other sites, if there is an unfortunate event of site getting hacked. So only option now is to prevent any hacking by securing server and keeping everything updated
     
  6. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    11:46 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yes that is always the case for any server config whether it be cpanel/whm, plesk, directadmin or via Centmin Mod - keep your web apps up to date :)
     
  7. NeiPCs

    NeiPCs Member

    40
    9
    8
    Jun 28, 2014
    Ratings:
    +13
    Local Time:
    10:46 PM
    1.11.1
    5.5
    This is what I was looking for.
    Thanks for detailed explanations on both, ask and answer :)

    I'll try to test beta versions too.

    +1 for this feature.
     
  8. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    11:46 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  9. pamamolf

    pamamolf Premium Member Premium Member

    4,070
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    4:46 AM
    Nginx-1.25.x
    MariaDB 10.3.x
    Cloudlinux cagefs seems cool for this option to jail accounts :)
     
  10. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    11:46 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yeah Centmin Mod hasn't been tested with Cloudlinux OS though heh
     
  11. pamamolf

    pamamolf Premium Member Premium Member

    4,070
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    4:46 AM
    Nginx-1.25.x
    MariaDB 10.3.x
    Any progress with jail root accounts? :)
     
  12. Josephm

    Josephm Active Member

    132
    44
    28
    Aug 26, 2014
    Ratings:
    +48
    Local Time:
    8:46 AM
    1.9.5
    10.0.21
    Did anyone workaround the setup jailed chroot with centminmod manually without scripting?
     
  13. pamamolf

    pamamolf Premium Member Premium Member

    4,070
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    4:46 AM
    Nginx-1.25.x
    MariaDB 10.3.x
    I was able to do it but i got the user always to /home/username folder locked but no way to use a folder like :

    Code:
    /home/nginx/domains/mydomain/public/uploads
    Permissions seems to be the problem....
     
  14. Matt Williams

    Matt Williams WordPress Fanatic

    537
    104
    43
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +157
    Local Time:
    9:46 PM
    latest
    10
    Running some tests with CloudLinux + Centmin Mode tonight - we'll see how it goes!
     
  15. Inforit

    Inforit Premium Member Premium Member

    52
    15
    8
    Jul 30, 2014
    Ratings:
    +22
    Local Time:
    2:46 AM
    nginx/1.7.3
    MariaDB 5.5
    Hey Matt how did those tests go?
     
  16. Matt Williams

    Matt Williams WordPress Fanatic

    537
    104
    43
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +157
    Local Time:
    9:46 PM
    latest
    10
    Well, CloudLinux did fine for the install on the Node + Container with no issues. However, adding CageFS to a container which installed fine but upon testing the CageFS caused the Kernal to panic. Don't know why and CloudLinux has no clue of why the Kernal Panic'd either...
     
  17. Inforit

    Inforit Premium Member Premium Member

    52
    15
    8
    Jul 30, 2014
    Ratings:
    +22
    Local Time:
    2:46 AM
    nginx/1.7.3
    MariaDB 5.5
    Thanks for update Matt
     
  18. Mask

    Mask Active Member

    108
    31
    28
    Nov 10, 2014
    Ratings:
    +37
    Local Time:
    6:46 AM
    Nginx 1.9.1
    MariaDB 10.0.19
    Hi there,
    I know there is a lot going on with the CMM so it may be not the best time but is there any progress with this request?

    I totally understand that CMM is not meant for shared environment, (And probably that's how it should be) but sometimes my clients, or the dev working on site needs ssh access. (Usually just for /hone/nginx/domains.com part. So any "good way" to restrict them there??
    I don't mind if they can access a thing or two outside as well (i.e. even if it's not perfact) but at this point I will take something than nothing at all :)

    So even if you can point me in right direction, that be a great help.
    Thanks
     
  19. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    11:46 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Centmin Mod .08 beta 03 has a semi-workaround for this for pureftpd virtual FTP at Beta Branch - Centmin Mod .08 beta + pure-ftpd virtual FTP user support | Centmin Mod Community but nothing for SSH as yet.

    As you guessed, there's alot going on with Centmin Mod for .08 beta right now so want to get that stable first :)
     
  20. Mask

    Mask Active Member

    108
    31
    28
    Nov 10, 2014
    Ratings:
    +37
    Local Time:
    6:46 AM
    Nginx 1.9.1
    MariaDB 10.0.19
    I know, I know ...
    If I can be of any help, let me know :)

    If you have any "half working" setup, I be happy to use it as well. (No need to be part of CMM right now). But yea, we need to get v8 stable out there first :)