  #1  
Old 2nd May 2008, 00:19
t-mug t-mug is offline
Chroot Cage Folders in Non-SSH Webs

Hi,

The passwd line looks like:
Code:
web27_grrr:x:10040:10027:grrr:/var/www/web27/./:/bin/false
I followed Falko's instructions to compile a new OpenSSH server (only point 2 of the instructions, but nothing more on my Debian Etch, because I was too lazy for zlib compiling and creating the folders in /home/chroot/) and I set the ISPConfig 2.2.23 config.inc.php value to $go_info["server"]["ssh_chroot"] = 1; as necessary.

All seems to work correctly, but all new webs get the cage folders like /usr, /etc, /bin, /lib, /var copied to /var/www/web27_grrr.

What's my mistake? Or is this intended?
Thanks for the help.
  #2  
Old 2nd May 2008, 16:07
falko falko is offline

That's the correct behaviour. The /home/chroot from the tutorial is just an example; ISPConfig chroots the users to the web directory they belong to.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #3  
Old 2nd May 2008, 17:50
t-mug t-mug is offline

Sorry, my question was not clear enough. Another try: if I create a new web, then the bin, usr, etc, var folders are copied to the web's root, although SSH is not and was never enabled. How can I avoid this?
  #4  
Old 3rd May 2008, 21:02
falko falko is offline

I think you'd have to modify the ISPConfig sources.
  #5  
Old 4th May 2008, 12:33
t-mug t-mug is offline

There are 2 functions inside /root/ispconfig/scripts/lib/config.lib.php: user_insert() and user_update() which, at their very end, call the script for creating the chroot folders:
PHP Code:
if ($go_info["server"]["ssh_chroot"]) {
    exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
}
and indeed this is called for every user when ssh_chroot for the server is enabled, regardless of whether the web or even the user has chroot access. This is consuming customers' webspace (consider mounts of user accounts) and is irritating also.
Changing these lines (for ISPConfig 2.2.23 at line numbers 767 and 941 of config.lib.php) to:
PHP Code:
// Create the cage only when ssh_chroot is set for the server and the
// shell flag is set for both the user and the web.
if ($go_info["server"]["ssh_chroot"] == 1 && $user["user_shell"] && $web["web_shell"]) {
    exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
}
works as expected: no SSH folders will be created on new webs or users with non-checked SSH.

Falko, do you think there is sth. missing in this solution that could make side effects?

Nevertheless this does not delete the chroot folders for users if SSH in the admin panel is unchecked again, for both the user or the web. The chroot folders will, once enabled, remain.

Last edited by t-mug; 4th May 2008 at 16:53.
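
Added example, not part of t-mug's post and not ISPConfig code: because cage folders remain once created, this shell script lists the ones left in web roots where no account has a login shell. It assumes the chroot root is the part of the passwd home field before `/./` (as in the passwd line in post #1) and uses the folder names from that post; the function names and sample accounts are constructed.

```shell
#!/bin/sh
# Added example (not ISPConfig code): report chroot cage folders that sit in
# web roots where no account has a login shell.
CAGE_DIRS="bin etc lib usr var"    # folder names listed in post #1

# $1 = passwd-format file. Prints web roots (the part of the home field before
# the "/./" marker) for which every account has /bin/false or a nologin shell.
unused_cage_roots() {
    awk -F: '$6 ~ /\/\.\// {
        root = $6; sub(/\/\.\/.*$/, "", root)
        seen[root] = 1
        if ($7 != "/bin/false" && $7 !~ /nologin$/) has_shell[root] = 1
    }
    END { for (r in seen) if (!(r in has_shell)) print r }' "$1" | sort
}

# $1 = passwd-format file, $2 = optional path prefix (lets the demo run against
# a scratch tree instead of the live filesystem). Prints leftover folders.
leftover_cage_dirs() {
    unused_cage_roots "$1" | while IFS= read -r root; do
        for d in $CAGE_DIRS; do
            if [ -d "$2$root/$d" ]; then echo "$root/$d"; fi
        done
    done
}

# Constructed sample: web27 has only a /bin/false user but still has cage
# folders; web28 has one SSH user, so its cage is in use and is not reported.
demo() {
    t=$(mktemp -d)
    cat > "$t/passwd" <<'EOF'
web27_grrr:x:10040:10027:grrr:/var/www/web27/./:/bin/false
web28_anna:x:10041:10028:anna:/var/www/web28/./:/bin/bash
web28_mail:x:10042:10028:mail:/var/www/web28/./:/bin/false
root:x:0:0:root:/root:/bin/bash
EOF
    mkdir -p "$t/var/www/web27/bin" "$t/var/www/web27/etc" "$t/var/www/web27/web" \
             "$t/var/www/web28/bin" "$t/var/www/web28/etc"
    leftover_cage_dirs "$t/passwd" "$t"
    rm -rf "$t"
}

demo
```

On a live server the call would be `leftover_cage_dirs /etc/passwd`; the script only reports and deletes nothing.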
  #6  
Old 5th May 2008, 18:15
falko falko is offline

Quote:
Originally Posted by t-mug
Falko, do you think there is sth. missing in this solution that could make side effects?
I don't think so.
  #7  
Old 8th December 2008, 14:16
t-mug t-mug is offline
Patch

This Patch is for the 2.2.28 release.
Attached Files
File Type: gz config.lib.inc.patch.gz (539 Bytes, 120 views)
The Following User Says Thank You to t-mug For This Useful Post:
falko (9th December 2008)
  #8  
Old 9th December 2008, 19:49
Ovidiu Ovidiu is offline

I am just wondering why this info:

Quote:
I set the ISPconfig 2.2.23 config.inc.php value to $go_info["server"]["ssh_chroot"] = 1; as necessary.
is not mentioned anywhere, or did I just not find it? I was wondering all the time how ISPConfig knows I employed the chroot how-to :-)
  #9  
Old 12th December 2008, 16:00
Ovidiu Ovidiu is offline

Oh, I just found out my ssh users were no longer chrooted :-(

It seems one of the apt-get dist-upgrades broke the jail :-(

I guess it was an update of sshd? Meaning after any sshd upgrade I have to redo the chroot howto? How can I block the sshd from being upgraded? Anything else one needs to take care of?
  #10  
Old 12th December 2008, 17:40
t-mug t-mug is offline
openssh package

You have to compile your version of openssh by yourself, see: http://chrootssh.sourceforge.net
and, yes, look again at the tutorial - there is a hint preventing ssh from being updated:
Quote:
# echo "openssh-server hold" | dpkg --set-selections
but I guess, after a dist-upgrade the old "holds" get lost.

You can test your held ssh package at any time by:
Quote:
# dpkg --get-selections | grep hold | grep ssh
Maybe it's a good idea to generally put some system testing in your crontab and get notified in case your chroot or even other sensitive system points got broken. Crontab entries survive dist-upgrades.

But probably a much easier way to maintain things is to give your semi-trusted users a special bash link that is restricted by AppArmor.

Last edited by t-mug; 12th December 2008 at 21:11.
The Following User Says Thank You to t-mug For This Useful Post:
Tenaka (15th December 2008)
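
Added example, not from the tutorial or from t-mug's post: a check of the kind suggested above for crontab, reporting whether `openssh-server` is still on hold and how many chrooted login accounts depend on it. Function names and sample data are constructed; it reads saved `dpkg --get-selections` output and a passwd-format file.

```shell
#!/bin/sh
# Added example (not from the tutorial): cron-style check that the
# openssh-server hold from post #10 is still in place.

# stdin = `dpkg --get-selections` output; prints the state of package $1
# ("hold", "install", ...) or "missing" when the package is not listed.
selection_state() {
    awk -v pkg="$1" '{ name = $1; sub(/:.*/, "", name) }  # drop ":arch" suffix
        name == pkg { state = $2 }
        END { print (state == "" ? "missing" : state) }'
}

# $1 = passwd-format file; counts accounts with the "/./" chroot marker in the
# home field and a real login shell, i.e. the users the jail is meant to hold.
chrooted_logins() {
    awk -F: '$6 ~ /\/\.\// && $7 != "/bin/false" && $7 !~ /nologin$/ { n++ }
        END { print n + 0 }' "$1"
}

# $1 = file with saved selections, $2 = passwd-format file.
# Prints one status line and returns 1 when the hold is gone.
check_hold() {
    state=$(selection_state openssh-server < "$1")
    users=$(chrooted_logins "$2")
    if [ "$state" = "hold" ]; then
        echo "OK openssh-server=hold chrooted_logins=$users"
    else
        echo "ALERT openssh-server=$state chrooted_logins=$users"
        return 1
    fi
}

# Constructed sample data: selections as they look after the hold was lost,
# then again with the hold restored.
demo() {
    t=$(mktemp -d)
    printf 'openssh-client\tinstall\nopenssh-server\tinstall\n' > "$t/sel"
    printf '%s\n' 'web27_grrr:x:10040:10027:grrr:/var/www/web27/./:/bin/false' \
        'web28_anna:x:10041:10028:anna:/var/www/web28/./:/bin/bash' > "$t/passwd"
    check_hold "$t/sel" "$t/passwd" || true
    printf 'openssh-server\thold\n' > "$t/sel"
    check_hold "$t/sel" "$t/passwd"
    rm -rf "$t"
}

demo
```

It verifies only the package hold, not that logins are actually jailed.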