Jail-shell is a linux security tool mainly using chroot, namespaces technologies, limiting users to perform specific commands, and access sepcific directories.
License: GNU General Public License v2.0
I jailed an already created user using your commands.
The /home/user directory has files and directories like public_html, mail, www, ssl, etc.
But in the jailed environment, the /home/user directory is empty.
I checked that in WinSCP.
I want that when I jail user, the home folder should retain all its files and folders.
pam_jail_shell.c:29:34: fatal error: security/pam_modules.h: No such file or directory
#include <security/pam_modules.h>
The users in cloudlinux seem to be already having restricted access to files and folders.
CageFs is installed in cloudlinux.
When I jail a user in cloudlinux 8.7 and try to login to that user from winscp, it shows the same files and folders that was shown before jailing it.
I have followed the instructions to to install and jail-shell is compiled and installed.
Now when i follow the instructions to create a new user on the system called "tester", i am STILL able to see the entire file system, including those of other users on the system, both with SSH and SFTP. This is NOT what I am after.
I need each user on my system to have their own shell, restricted to a very limited set of commands that i wish they have access to, plus I need them only to be able to see or navigate only the files they own within their own home directory. When SFTP is used, they should not be able to move outside their directory.
What is the magic words I need to be searching for because restricted shell, jail nor chroot all work for both SSH and SFTP even though SFTP is uses SSH2.
I am at my wits end here. This is what prevents me from moving away from cPanel. I am building a cPanel-like web hosting solution based around Traefik 2.x but this security stuff needs to be addressed first. This will be open sourced.
Your help is appreciated.
UPDATE:
I was finally able to get the jail-shell working for "tester" where SSH is concerned but i still don't have any SFTP access.
Hello,
Thank you for providing this project.
Having security concerns what is the best way to provide the jail user permission to restart a specific service inside jail?
Thank you
Hello
What is best way to make a unix socket available inside the jail?
To test this I have created a clink to mysql socket, for example:
clink /var/run/mysql.sock /var/run/mysql.sock
It works until mysql service is restarted. The only way to make it work again is to install jail by doing so "jail-shell jail -i jailname".
Thank you
profile bashrc...,such files in jail or out jail are all unuseful to add a env for the command. How to add a env for a chroot?
[root@k8s-master02 jail-shell]# ssh [email protected]
[email protected]'s password:
client_loop: send disconnect: Broken pipeI jailed a user. The user has php binaries. So the php command works. But when I execute php artisan commands like 'php artisan serve' or 'php artisan optimize:clear' from that user's terminal, I get fatal error as shown below:
Fatal error: Uncaught ReflectionException: Class "config" does not exist in /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php:912
Stack trace:
#0 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(912): ReflectionClass->__construct('config')
#1 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(795): Illuminate\Container\Container->build('config')
#2 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(933): Illuminate\Container\Container->resolve('config', Array, true)
#3 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(731): Illuminate\Foundation\Application->resolve('config', Array)
#4 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(918): Illuminate\Container\Container->make('config', Array)
#5 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(1454): Illuminate\Foundation\Application->make('config')
#6 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(544): Illuminate\Container\Container->offsetGet('config')
#7 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(595): Illuminate\Log\LogManager->getDefaultDriver()
#8 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(124): Illuminate\Log\LogManager->parseDriver(NULL)
#9 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(665): Illuminate\Log\LogManager->driver()
#10 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(287): Illuminate\Log\LogManager->error('Call to undefin...', Array)
#11 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(250): Illuminate\Foundation\Exceptions\Handler->reportThrowable(Object(Error))
#12 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(522): Illuminate\Foundation\Exceptions\Handler->report(Object(Error))
#13 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(203): Illuminate\Foundation\Console\Kernel->reportException(Object(Error))
#14 /home/salman/public_html/your-project-name/artisan(35): Illuminate\Foundation\Console\Kernel->handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#15 {main}
Next Illuminate\Contracts\Container\BindingResolutionException: Target class [config] does not exist. in /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php:914
Stack trace:
#0 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(795): Illuminate\Container\Container->build('config')
#1 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(933): Illuminate\Container\Container->resolve('config', Array, true)
#2 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(731): Illuminate\Foundation\Application->resolve('config', Array)
#3 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(918): Illuminate\Container\Container->make('config', Array)
#4 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(1454): Illuminate\Foundation\Application->make('config')
#5 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(544): Illuminate\Container\Container->offsetGet('config')
#6 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(595): Illuminate\Log\LogManager->getDefaultDriver()
#7 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(124): Illuminate\Log\LogManager->parseDriver(NULL)
#8 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(665): Illuminate\Log\LogManager->driver()
#9 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(287): Illuminate\Log\LogManager->error('Call to undefin...', Array)
#10 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(250): Illuminate\Foundation\Exceptions\Handler->reportThrowable(Object(Error))
#11 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(522): Illuminate\Foundation\Exceptions\Handler->report(Object(Error))
#12 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(203): Illuminate\Foundation\Console\Kernel->reportException(Object(Error))
#13 /home/salman/public_html/your-project-name/artisan(35): Illuminate\Foundation\Console\Kernel->handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#14 {main}
thrown in /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php on line 914
I faced this issue in almalinux 8, centos and ubuntu 18 but not in ubuntu 20.
Below is the user's jail config:```
dir /root/ 0700 root:root
dir /dev/ 0755 root:root
dir /etc/ 0755 root:root
dir /home/ 0755 root:root
dir /proc/ 0755 root:root
dir /usr/bin 0755 root:root
dir /usr/sbin 0755 root:root
dir /usr/lib/ 0755 root:root
dir /usr/lib64/ 0755 root:root
dir /usr/share/terminfo 0755 root:root
dir /usr/lib/terminfo 0755 root:root
dir /var 0755 root:root
slink /usr/bin /bin
slink /usr/sbin /sbin
slink /usr/lib /lib
slink /usr/lib64 /lib64
clink /etc/alternatives /etc/alternatives
clink /etc/named /etc/named
clink /etc/pam.d /etc/pam.d
clink /etc/pki /etc/pki
clink /etc/security /etc/security
clink /etc/ssh /etc/ssh
clink /etc/ssl /etc/ssl
clink /etc/systemd /etc/systemd
clink /etc/terminfo /etc/terminfo
clink /etc/aliases /etc/aliases
clink /etc/bashrc /etc/bashrc
clink /etc/crontab /etc/crontab
clink /etc/fstab /etc/fstab
clink /etc/inputrc /etc/inputrc
clink /etc/ld.so.conf /etc/ld.so.conf
clink /etc/nsswitch.conf /etc/nsswitch.conf
clink /etc/localtime /etc/localtime
clink /etc/mailips /etc/mailips
clink /etc/my.cnf /etc/my.cnf
clink /etc/hosts /etc/hosts
clink /etc/hostname /etc/hostname
clink /etc/services /etc/services
clink /etc/virc /etc/virc
clink /etc/shells /etc/shells
file /usr/local/jail-shell/misc/rootfs/etc/profile /etc/profile 0755 root:root
clink /dev/null /dev/null
clink /dev/zero /dev/zero
clink /dev/ptmx /dev/ptmx
clink /dev/urandom /dev/urandom
clink /dev/tty /dev/tty
clink /dev/tty1 /dev/tty1
clink /dev/tty2 /dev/tty2
clink /dev/tty3 /dev/tty3
slink /proc/self/fd/2 /dev/stderr
slink /proc/self/fd/0 /dev/stdin
slink /proc/self/fd/1 /dev/stdout
clink /usr/bin/sh /usr/bin/sh
clink /usr/bin/cat /usr/bin/cat
clink /usr/bin/ls /usr/bin/ls
clink /usr/bin/ps /usr/bin/ps
clink /usr/bin/bash /usr/bin/bash
clink /usr/bin/grep /usr/bin/grep
clink /usr/bin/rm /usr/bin/rm
clink /usr/bin/cp /usr/bin/cp
clink /usr/bin/touch /usr/bin/touch
clink /usr/bin/mv /usr/bin/mv
clink /usr/bin/hostname /usr/bin/hostname
clink /usr/bin/sed /usr/bin/sed
clink /usr/bin/true /usr/bin/true
clink /usr/bin/false /usr/bin/false
clink /usr/bin/mkdir /usr/bin/mkdir
clink /usr/bin/rmdir /usr/bin/rmdir
clink /usr/bin/dd /usr/bin/dd
clink /usr/bin/uname /usr/bin/uname
clink /usr/bin/date /usr/bin/date
clink /usr/bin/kill /usr/bin/kill
clink /usr/bin/tar /usr/bin/tar
clink /usr/bin/gzip /usr/bin/gzip
clink /usr/bin/[ /usr/bin/[
clink /usr/bin/tail /usr/bin/tail
clink /usr/bin/less /usr/bin/less
clink /usr/bin/awk /usr/bin/awk
clink /usr/bin/free /usr/bin/free
clink /usr/bin/head /usr/bin/head
clink /usr/bin/id /usr/bin/id
clink /usr/bin/tee /usr/bin/tee
clink /usr/bin/test /usr/bin/test
clink /usr/bin/gawk /usr/bin/gawk
clink /usr/bin/watch /usr/bin/watch
clink /usr/bin/which /usr/bin/which
clink /usr/bin/xargs /usr/bin/xargs
clink /usr/bin/find /usr/bin/find
clink /usr/bin/scp /usr/bin/scp
clink /usr/bin/basename /usr/bin/basename
clink /usr/bin/c++ /usr/bin/c++
clink /usr/bin/gcc /usr/bin/gcc
clink /usr/bin/as /usr/bin/as
clink /usr/bin/aulast /usr/bin/aulast
clink /usr/bin/authselect /usr/bin/authselect
clink /usr/bin/alias /usr/bin/alias
clink /usr/bin/alt-mysql-reconfigure /usr/bin/alt-mysql-reconfigure
clink /usr/bin/alt-php-mysql-reconfigure /usr/bin/alt-php-mysql-reconfigure
clink /usr/bin/alt-php-mysql-reconfigure.py /usr/bin/alt-php-mysql-reconfigure.py
clink /usr/bin/whatis /usr/bin/whatis
clink /usr/bin/bg /usr/bin/bg
clink /usr/bin/chage /usr/bin/chage
clink /usr/bin/chattr /usr/bin/chattr
clink /usr/bin/chgrp /usr/bin/chgrp
clink /usr/bin/chmod /usr/bin/chmod
clink /usr/bin/chown /usr/bin/chown
clink /usr/bin/cmp /usr/bin/cmp
clink /usr/bin/col /usr/bin/col
clink /usr/bin/clear /usr/bin/clear
clink /usr/bin/column /usr/bin/column
clink /usr/bin/command /usr/bin/command
clink /usr/bin/cpp /usr/bin/cpp
clink /usr/bin/crontab /usr/bin/crontab
clink /usr/bin/curl /usr/bin/curl
clink /usr/bin/cut /usr/bin/cut
clink /usr/bin/df /usr/bin/df
clink /usr/bin/dig /usr/bin/dig
clink /usr/bin/dirname /usr/bin/dirname
clink /usr/bin/du /usr/bin/du
clink /usr/bin/echo /usr/bin/echo
clink /usr/bin/egrep /usr/bin/egrep
clink /usr/bin/eject /usr/bin/eject
clink /usr/bin/fold /usr/bin/fold
clink /usr/bin/git /usr/bin/git
clink /usr/bin/git-shell /usr/bin/git-shell
clink /usr/bin/hash /usr/bin/hash
clink /usr/bin/host /usr/bin/host
clink /usr/bin/info /usr/bin/info
clink /usr/bin/install /usr/bin/install
clink /usr/bin/jobs /usr/bin/jobs
clink /usr/bin/join /usr/bin/join
clink /usr/bin/journalctl /usr/bin/journalctl
clink /usr/bin/killall /usr/bin/killall
clink /usr/bin/last /usr/bin/last
clink /usr/bin/lastlog /usr/bin/lastlog
clink /usr/bin/link /usr/bin/link
clink /usr/bin/linux32 /usr/bin/linux32
clink /usr/bin/linux64 /usr/bin/linux64
clink /usr/bin/setarch /usr/bin/setarch
clink /usr/bin/ln /usr/bin/ln
clink /usr/bin/locale /usr/bin/locale
clink /usr/bin/login /usr/bin/login
clink /usr/bin/loginctl /usr/bin/loginctl
clink /usr/bin/look /usr/bin/look
clink /usr/bin/lynx /usr/bin/lynx
clink /usr/bin/mail /usr/bin/mail
clink /usr/bin/mailx /usr/bin/mailx
clink /usr/bin/mailq /usr/bin/mailq
clink /usr/bin/Mail /usr/bin/Mail
clink /usr/bin/mailq.exim /usr/bin/mailq.exim
clink /usr/bin/mailq.sendmail /usr/bin/mailq.sendmail
clink /usr/bin/make /usr/bin/make
clink /usr/bin/mailstat /usr/bin/mailstat
clink /usr/bin/man /usr/bin/man
clink /usr/bin/makedb /usr/bin/makedb
clink /usr/bin/mount /usr/bin/mount
clink /usr/bin/mknod /usr/bin/mknod
clink /usr/bin/mysql /usr/bin/mysql
clink /usr/bin/mysql_config_editor /usr/bin/mysql_config_editor
clink /usr/bin/mysqladmin /usr/bin/mysqladmin
clink /usr/bin/mysqlbinlog /usr/bin/mysqlbinlog
clink /usr/bin/mysqlcheck /usr/bin/mysqlcheck
clink /usr/bin/mysqldump /usr/bin/mysqldump
clink /usr/bin/mysqlimport /usr/bin/mysqlimport
clink /usr/bin/netstat /usr/bin/netstat
clink /usr/bin/nslookup /usr/bin/nslookup
clink /usr/bin/nohup /usr/bin/nohup
clink /usr/bin/openssl /usr/bin/openssl
clink /usr/bin/paste /usr/bin/paste
clink /usr/bin/perl /usr/bin/perl
clink /usr/bin/php /usr/bin/php
clink /usr/bin/php-cgi /usr/bin/php-cgi
clink /usr/bin/ping /usr/bin/ping
clink /usr/bin/pkttyagent /usr/bin/pkttyagent
clink /usr/bin/printf /usr/bin/printf
clink /usr/bin/pwd /usr/bin/pwd
clink /usr/bin/quota /usr/bin/quota
clink /usr/bin/read /usr/bin/read
clink /usr/bin/readlink /usr/bin/readlink
clink /usr/bin/realpath /usr/bin/realpath
clink /usr/bin/rmail /usr/bin/rmail
clink /usr/bin/rpm /usr/bin/rpm
clink /usr/bin/rsync /usr/bin/rsync
clink /usr/bin/script /usr/bin/script
clink /usr/bin/sftp /usr/bin/sftp
clink /usr/bin/sort /usr/bin/sort
clink /usr/bin/split /usr/bin/split
clink /usr/bin/ssh /usr/bin/ssh
clink /usr/bin/ssh-add /usr/bin/ssh-add
clink /usr/bin/ssh-agent /usr/bin/ssh-agent
clink /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id
clink /usr/bin/ssh-keygen /usr/bin/ssh-keygen
clink /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan
clink /usr/bin/stty /usr/bin/stty
clink /usr/bin/sleep /usr/bin/sleep
clink /usr/bin/size /usr/bin/size
clink /usr/bin/systemctl /usr/bin/systemctl
clink /usr/bin/top /usr/bin/top
clink /usr/bin/unlink /usr/bin/unlink
clink /usr/bin/unzip /usr/bin/unzip
clink /usr/bin/vi /usr/bin/vi
clink /usr/bin/wget /usr/bin/wget
clink /usr/bin/whereis /usr/bin/whereis
clink /usr/bin/who /usr/bin/who
clink /usr/bin/whoami /usr/bin/whoami
clink /usr/bin/yum /usr/bin/yum
clink /usr/lib/systemd /usr/lib/systemd
clink /usr/lib64/libnss_compat-2.28.so /usr/lib64/libnss_compat-2.28.so
clink /usr/lib64/libnss_compat.so.2 /usr/lib64/libnss_compat.so.2
clink /usr/lib64/libnss_files-2.28.so /usr/lib64/libnss_files-2.28.so
clink /usr/lib64/libnss_files.so.2 /usr/lib64/libnss_files.so.2
clink /usr/lib64/libnss_dns-2.28.so /usr/lib64/libnss_dns-2.28.so
clink /usr/lib64/libnss_dns.so.2 /usr/lib64/libnss_dns.so.2
bind / ro,nodev,nosuid
bind /dev ro,dev,noexec,nosuid
bind /usr/share/terminfo /usr/share/terminfo ro,nodev,nosuid
bind /var /var ro,nodev,nosuid
bind /home/salman /home/salman rw,nodev,nosuid
cmd /usr/bin/passwd /usr/bin/passwd -:-
dir /usr/lib64 0755 root:root
dir /lib64 0755 root:root
clink /lib64/libnss_compat.so.2 /lib64/libnss_compat.so.2
clink /lib64/libnss_files.so.2 /lib64/libnss_files.so.2
clink /lib64/libnss_dns.so.2 /lib64/libnss_dns.so.2
I was able to get it to work on older versions of ubuntu, however on 22.04 I was getting,
install: creating directory '/etc/jail-shell'
install: creating directory '/etc/jail-shell/jail-config'
install: creating directory '/usr/local/jail-shell/misc'
install: creating directory '/usr/local/jail-shell/bin'
'jail-cmd/jail-cmd' -> '/usr/local/jail-shell/jail-cmd/jail-cmd'
'jail-cmd/jail-cmdd' -> '/usr/local/jail-shell/jail-cmd/jail-cmdd'
'/usr/sbin/jail-cmdd' -> '/usr/local/jail-shell/jail-cmd/jail-cmdd'
'bin/jail-shell' -> '/usr/local/jail-shell/bin/jail-shell'
'bin/jail-shell-setup' -> '/usr/local/jail-shell/bin/jail-shell-setup'
'bin/jail-shell-post' -> '/usr/local/jail-shell/bin/jail-shell-post'
'pam_jail_shell/jail-init' -> '/usr/local/jail-shell/bin/jail-init'
'/usr/sbin/jail-shell' -> '/usr/local/jail-shell/bin/jail-shell'
'pam_jail_shell/pam_jail_shell.so' -> '/lib/x86_64-linux-gnu/security/pam_jail_shell.so'
'pam_jail_shell/jail-shell.conf' -> '/etc/jail-shell/jail-shell.conf'
'/etc/security/jail-shell.conf' -> '/etc/jail-shell/jail-shell.conf'
'etc/init.d/jail-shell' -> '/etc/init.d/jail-shell'
dirname: missing operand
Try 'dirname --help' for more information.
Failed to stop jail-shell.service: Unit jail-shell.service not loaded.
jail-shell.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable jail-shell
dirname: missing operand
Try 'dirname --help' for more information.
Any ideas what might be causing this?
I tried the tips in "jail.cfg.sample", as following:
"# export a writable upload directory.
dir /upload 0755 root:root
bind /opt/upload /upload rw,nodev,noexec,nosuid"
and reinstall this jail. the upload directory showed, but is read-only.
Hello,
I'm having a small issue where for a jailshell user, I cannot make their /home/USER directory writable.
control:~ $ touch 1
touch: cannot touch '1': Read-only file system
I've tried everything from using a bind (with rw flag) to adjusting the namespace config. The only thing that works is using uts in the config, but that gives access to far more than I wanted to.
Is there a way to make the home directory read / writable for this user?
Do you have any suggestions to make PHP Composer working in the jailed shell? I've tried to clink it, but that's not the way... Generally PHP itself has problem to work in this environment, including DNS resolving issues. I'd be appreciated if you come up with a solution.
if the command has a long output, run the command time and time again, we could find sometimes the command failed to run.
root@vm:~/jail-shell# make
make -C jail-cmd all
make[1]: Entering directory '/root/jail-shell/jail-cmd'
cc -g -O2 -Werror -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmd.o jail-cmd.c
In file included from /usr/include/string.h:495,
from jail-cmd.h:10,
from jail-cmd.c:5:
In function ‘strncpy’,
inlined from ‘cmd_init’ at jail-cmd.c:92:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [: jail-cmd.o] Error 1
make[1]: Leaving directory '/root/jail-shell/jail-cmd'
make: *** [Makefile:14: JAIL_CMD] Error 2
root@vm:~/jail-shell# lsb_release -a
No LSB modules are available.
Distributor ID: Linuxmint
Description: Linux Mint 20
Release: 20
Codename: ulyana
Is there a way to execute /bin/bash as user and enter the jailed environment?
Basically I need a command to enter /bin/bash when stepping down as user using posix_setuid.
Environment - Ubuntu 16.04 in a Vagrant machine
Immediate error after cloning the repo.
root@jenkins:~/jail-shell# make
make -C jail-cmd all
make[1]: Entering directory '/root/jail-shell/jail-cmd'
cc -g -O2 -Werror -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmd.o jail-cmd.c
jail-cmd.c: In function ‘help’:
jail-cmd.c:46:2: error: format not a string literal and no format arguments [-Werror=format-security]
printf(help);
^
jail-cmd.c: In function ‘cmd_init’:
jail-cmd.c:100:4: error: format not a string literal and no format arguments [-Werror=format-security]
snprintf(cmd->term, TMP_BUFF_LEN_32, getenv("TERM"));
^
jail-cmd.c:100:4: error: format not a string literal and no format arguments [-Werror=format-security]
jail-cmd.c: In function ‘process_cmd’:
jail-cmd.c:191:3: error: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Werror=unused-result]
write(STDOUT_FILENO, cmd_data->data, cmd_head->data_len);
^
jail-cmd.c:196:3: error: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Werror=unused-result]
write(STDERR_FILENO, cmd_data->data, cmd_head->data_len);
^
cc1: all warnings being treated as errors
<builtin>: recipe for target 'jail-cmd.o' failed
make[1]: *** [jail-cmd.o] Error 1
make[1]: Leaving directory '/root/jail-shell/jail-cmd'
Makefile:14: recipe for target 'JAIL_CMD' failed
make: *** [JAIL_CMD] Error 2
Hello,
In documentation says users can login through SCP but using default settings or even trying to debug i couldn't get SCP to work.
At first i found a few files missing on the jail and so have give them access:
clink /etc/security/pam_env.conf /etc/security/pam_env.conf
clink /etc/environment /etc/environment
clink /var/run/dbus/system_bus_socket /var/run/dbus/system_bus_socket
But still doesn't work and only thing i can get from strace is:
select(7, [3 4], NULL, NULL, NULL) = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=28203, si_uid=0, si_status=0, si_utime=1, si_stime=0} ---
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG, NULL) = 28203
wait4(-1, 0x7fffb9d61694, WNOHANG, NULL) = -1 ECHILD (No child processes)
rt_sigaction(SIGCHLD, NULL, {sa_handler=0x555f300fcfc0, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fd2f3a37400}, 8) = 0
rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
select(7, [3 4], NULL, NULL, NULL^Cstrace: Process 18335 detached
Thank you
When i enter "make", it gives this error:
[root@devloc jail-shell]# make
make -C jail-cmd all
make[1]: Entering directory '/jail-shell/jail-cmd'
cc -g -O2 -Werror -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmd.o jail-cmd.c
jail-cmd.c: In function ‘cmd_init’:
jail-cmd.c:92:3: error: ‘strncpy’ specified bound 32 equals destination size [-Werror=stringop-truncation]
strncpy(cmd->jsid, getenv(JAIL_KEY), sizeof(cmd->jsid));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [: jail-cmd.o] Error 1
make[1]: Leaving directory '/jail-shell/jail-cmd'
make: *** [Makefile:14: JAIL_CMD] Error 2
.
.
I removed -Werror from Makefile in /jail-shell/jail-cmd and then entered "make". It gave me these warnings:
[root@devloc jail-shell]# make
make -C jail-cmd all
make[1]: Entering directory '/jail-shell/jail-cmd'
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmd.o jail-cmd.c
jail-cmd.c: In function ‘cmd_init’:
jail-cmd.c:92:3: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation]
strncpy(cmd->jsid, getenv(JAIL_KEY), sizeof(cmd->jsid));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-common.o jail-common.c
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing jail-cmd.o jail-common.o -o jail-cmd
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmdd.o jail-cmdd.c
jail-cmdd.c: In function ‘run_process’:
jail-cmdd.c:354:37: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4066 [-Wformat-truncation=]
snprintf(cmd_path, PATH_MAX, "%s/%s%s", COMMAND_ROOT_PATH, jail_name, cmd_name);
^~ ~~~~~~~~
jail-cmdd.c:354:2: note: ‘snprintf’ output 31 or more bytes (assuming 4126) into a destination of size 4096
snprintf(cmd_path, PATH_MAX, "%s/%s%s", COMMAND_ROOT_PATH, jail_name, cmd_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing jail-cmdd.o jail-common.o -o jail-cmdd -lutil
make[1]: Leaving directory '/jail-shell/jail-cmd'
make -C pam_jail_shell all
make[1]: Entering directory '/jail-shell/pam_jail_shell'
cc -g -O2 -fPIC -Wall -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o pam_jail_shell.o pam_jail_shell.c
pam_jail_shell.c: In function ‘run_jail_post_script.part.1’:
pam_jail_shell.c:934:38: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4053 [-Wformat-truncation=]
snprintf(post_cmd, PATH_MAX, "%s %s %s/%s", LOGIN_POST_SCRIPT, user, jail_home, info->jail);
^~ ~~~~~~~~~
pam_jail_shell.c:934:2: note: ‘snprintf’ output 45 or more bytes (assuming 5163) into a destination of size 4096
snprintf(post_cmd, PATH_MAX, "%s %s %s/%s", LOGIN_POST_SCRIPT, user, jail_home, info->jail);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c: In function ‘do_mount’:
pam_jail_shell.c:445:36: warning: ‘/ptmx’ directive output may be truncated writing 5 bytes into a region of size between 1 and 4096 [-Wformat-truncation=]
snprintf(check_file, PATH_MAX, "%s/ptmx", pts_path);
^~~~~
pam_jail_shell.c:445:2: note: ‘snprintf’ output between 6 and 4101 bytes into a destination of size 4096
snprintf(check_file, PATH_MAX, "%s/ptmx", pts_path);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c:486:52: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4077 [-Wformat-truncation=]
snprintf(mount_cmd, PATH_MAX, "mount -t proc proc %s -o nosuid,noexec,nodev,ro", proc_path);
^~ ~~~~~~~~~
pam_jail_shell.c:486:2: note: ‘snprintf’ output between 46 and 4141 bytes into a destination of size 4096
snprintf(mount_cmd, PATH_MAX, "mount -t proc proc %s -o nosuid,noexec,nodev,ro", proc_path);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c:493:56: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4073 [-Wformat-truncation=]
snprintf(mount_cmd, PATH_MAX, "mount -t devpts devpts %s -o nosuid,noexec", pts_path);
^~ ~~~~~~~~
pam_jail_shell.c:493:2: note: ‘snprintf’ output between 41 and 4136 bytes into a destination of size 4096
snprintf(mount_cmd, PATH_MAX, "mount -t devpts devpts %s -o nosuid,noexec", pts_path);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c: In function ‘set_jsid_env’:
pam_jail_shell.c:836:43: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 27 [-Wformat-truncation=]
snprintf(jsid_env, TMP_BUFF_LEN_32, "%s=%s", JAIL_KEY, buff);
^~ ~~~~
pam_jail_shell.c:836:3: note: ‘snprintf’ output between 6 and 4101 bytes into a destination of size 32
snprintf(jsid_env, TMP_BUFF_LEN_32, "%s=%s", JAIL_KEY, buff);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c: In function ‘start_jail’:
pam_jail_shell.c:991:40: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]
snprintf(jail_path, MAX_LINE_LEN, "%s/%s", jail_home, info->jail);
^~
pam_jail_shell.c:991:2: note: ‘snprintf’ output between 2 and 5120 bytes into a destination of size 4096
snprintf(jail_path, MAX_LINE_LEN, "%s/%s", jail_home, info->jail);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c:962:2: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
strncpy(user, user_pam, MAX_LINE_LEN);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc -g -O2 -fPIC -Wall -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing pam_jail_shell.o -shared -o pam_jail_shell.so
cc -g -O2 -fPIC -Wall -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail_init.o jail_init.c
jail_init.c: In function ‘main’:
jail_init.c:138:4: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
strncpy(user, optarg, MAX_LINE_LEN);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc -g -O2 -fPIC -Wall -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing jail_init.o -o jail-init
make[1]: Leaving directory '/jail-shell/pam_jail_shell'
.
.
Removing -Werror from Makefile gets the job done but I don't think it is a good practice to ignore all these warnings. Can you fix these?
I receive the error below when I try to use nano command inside jailed shell:
Error opening terminal: xterm.
Any ideas on how to solve it?
Is there a way to change the php version jail-shell uses?
I tried to change by setting alias php="desired/php/path" in .bashrc and .bash_profile but without success.
hi
i can upload files into the home directory through jailed user. I can add/remove files/directories too. But i couldnt find same file/directory through system root user. I searched the uploaded file name across the file system but didnt find it through system root user. My idea is to link sftp user home directory to a mounted volume. please assist
Regards
[root@s home]# su sen
directory /usr/lib/terminfo or /var/local/jail-shell/jails/sen-jail//usr/lib/terminfo doesn't exist
command failed at line 133: bind /usr/lib/terminfo /usr/lib/terminfo ro,nodev,nosuid
su: cannot open session: User not known to the underlying authentication module
Related issue: gravitational/teleport#3171
I'm trying to use jail-shell pam module with "Teleport" it's a SSH Gateway, when using the jail-shell pam module with it I get:
PAM unable to dlopen(/lib/x86_64-linux-gnu/security/pam_jail_shell.so): /lib/x86_64-linux-gnu/security/pam_jail_shell.so: undefined symbol: pam_get_user
I tried to use ldd on the file "pam_jail_shell.so":
/lib/x86_64-linux-gnu/security# ldd -r pam_jail_shell.so
linux-vdso.so.1 (0x000072e1dab34000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x000072e1d9d7a000)
/lib64/ld-linux-x86-64.so.2 (0x000072e1dab35000)
undefined symbol: pam_get_user (./pam_jail_shell.so)
undefined symbol: pam_vsyslog (./pam_jail_shell.so)
undefined symbol: pam_putenv (./pam_jail_shell.so)
Check related issue for more details (like my common-session file which Teleport run).
Maybe I need to import a parent library ? I don't know what I am missing..
Your module work in normal SSH tho.
Hi
Has anyone come across an issue where a jailed user cannot log in.
When trying to log in using SSH, I get error about broken pipe.
Trying to log in locally using sudo su - USER outputs this error:
su: cannot create child process: Cannot allocate memory
I am running Ubuntu 20.04.2
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.