If you run custombuild, the jailed script portion of this guide is in the options.conf.
#Jailed shell (beta)
jail=yes
Then type
./build all_jail
The "./jail/jail_user.sh user" (from the custombuild dir) would be used for each user you want to jail. The remaining httpd.conf and other options from this guide still apply.
1) First, install the scripts and binaries (note, currently for apache 1.3.x only):
cd /usr/local/directadmin/customapache
mkdir jail
cd jail
wget http://files.directadmin.com/services/customapache/jail/build
chmod 755 build
./build update
./build all
2) It's recommended you make backups of /etc/passwd, /etc/shadow, /etc/group, and /etc/master.passwd (if you have it)
cp -f /etc/passwd /etc/passwd.backup
cp -f /etc/group /etc/group.backup
cp -f /etc/shadow /etc/shadow.backup
cp -f /etc/master.passwd /etc/master.passwd.backup
3) To jail a specific user, this command is used:
cd /usr/local/directadmin/customapache/jail
./jail_user.sh username
SetEnv JAIL_DIR |HOME|
would need to be added to their virtualhosts (where home is their home directory, eg: /home/username).
Note that PHP through apache is not jailed, so enabling safe_mode and open_basedir would be recommended.
To *automate* the jailing process, you can create /usr/local/directadmin/scripts/custom/user_create_post.sh and fill it with:
#!/bin/sh
# Jail the user only when SSH access is enabled for the account
if [ "$ssh" = "ON" ]; then
    cd /usr/local/directadmin/customapache/jail
    ./jail_user.sh "$username"
fi
exit 0;
Then chmod it to 755:
chmod 755 /usr/local/directadmin/scripts/custom/user_create_post.sh
To automate the CGI jailing, the SetEnv option has to be added to any virtualhost that is to use the jailing. Create /usr/local/directadmin/scripts/custom/domain_create_post.sh with the following:
#!/bin/sh
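# Count passwd entries for this user that have the jail shell
COUNT=`grep -e "^${username}:" /etc/passwd | grep -c /bin/jail`
if [ "$COUNT" -eq 1 ]; then
    # Add the jail setting to the domain's custom httpd config and queue an httpd rewrite
    echo "SetEnv JAIL_DIR |HOME|" > "/usr/local/directadmin/data/users/${username}/domains/${domain}.cust_httpd"
    echo "action=rewrite&value=httpd&user=${username}" >> /usr/local/directadmin/data/task.queue
fi
exit 0;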
and chmod to 755, like the user_create_post.sh script.
4) Since a user can be created without ssh, and it gets added later, we'll need to create a user_modify_post.sh script as well, but since it's the same code, we'll just create a symbolic link.
ln -s user_create_post.sh /usr/local/directadmin/scripts/custom/user_modify_post.sh
Note that jail_user.sh isn't going to be very speedy, as it has to transfer over all program binaries and libraries that would be needed inside the jail. This takes time. It also takes a huge amount of space that will not be counted in the user's total disk usage.
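To check the result afterwards, the following added example (not part of the DirectAdmin guide or its scripts) lists every domain of a jailed user whose .cust_httpd file has no SetEnv JAIL_DIR line. It assumes a per-user domains.list file under the data/users directory; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: report domains of jailed users that lack the CGI jail line.

# Print the login of every account whose shell (field 7) ends in /bin/jail,
# the marker the page's domain_create_post.sh greps for.
list_jailed_users() {
    awk -F: '$7 ~ /\/bin\/jail$/ { print $1 }' "$1"
}

# audit_cgi_jail PASSWD_FILE DA_USERS_DIR
# Prints "user domain" for each domain of a jailed user whose .cust_httpd
# has no "SetEnv JAIL_DIR" line; returns 1 if any were found, else 0.
audit_cgi_jail() {
    users_dir=$2
    missing=0
    for user in $(list_jailed_users "$1"); do
        list="$users_dir/$user/domains.list"    # assumed DirectAdmin file
        [ -r "$list" ] || continue
        while IFS= read -r domain; do
            [ -n "$domain" ] || continue
            cust="$users_dir/$user/domains/$domain.cust_httpd"
            # A missing or unreadable file counts as "not jailed"
            if ! grep -q '^[[:space:]]*SetEnv[[:space:]][[:space:]]*JAIL_DIR' "$cust" 2>/dev/null; then
                echo "$user $domain"
                missing=1
            fi
        done < "$list"
    done
    return "$missing"
}

# Constructed sample data: alice is jailed with one covered and one uncovered
# domain; bob has a normal shell and is ignored.
make_fixture() {
    mkdir -p "$1/users/alice/domains" "$1/users/bob/domains"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/jail' \
                  'bob:x:1002:1002::/home/bob:/bin/bash' > "$1/passwd"
    printf '%s\n' 'a.example' 'b.example' > "$1/users/alice/domains.list"
    printf '%s\n' 'c.example' > "$1/users/bob/domains.list"
    echo 'SetEnv JAIL_DIR |HOME|' > "$1/users/alice/domains/a.example.cust_httpd"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
audit_cgi_jail "$tmp/passwd" "$tmp/users" || echo "domains above need SetEnv JAIL_DIR"
rm -rf "$tmp"
```

On a live server the same function would be called as audit_cgi_jail /etc/passwd /usr/local/directadmin/data/users.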