Re: [Jailkit-dev] owner restriction

[Richard Scott]

Hi,

Can you show some examples of folder structure and permissions as the jail directory *needs* to be owned by root for security...

The jail user then gets a home directory somewhere in side that directory that it has full permissions on.

For example, I have a user Bob that has a jail.

The jail is

/mnt/jail/bob (this ine is owned by root)

but the users home directory is

/mnt/jail/bob/home/bob

and this last directory bob has full permissions on.

This way it stops the jail user from updating any binary files in the jail and breaking out of it.

Rich

On 02/03/2014 00:51, Pas wrote:

Hello!

 

ISP Config has Jailkit support, but it doesn't chown the directory to the user, but leaves it owned by root. (Which is fine, the user has a few directories owned by itself.)

 

So I was a bit suprised to find that this is quite a showstopper, but then rejoiced when found this old thread ( http://lists.gnu.org/archive/html/jailkit-dev/2009-08/threads.html ), but then again found myself between a rock (tinkering with ISPConfig's PHP) and "forking" jailkit.

 

At least, if I correctly interpret the source, as in, it still needs target uid to own the target dir.

 

http://cvs.savannah.gnu.org/viewvc/jailkit/src/jk_chrootsh.c?root=jailkit&view=log uses testsafepath which at 1.19 is still very strict 

http://cvs.savannah.gnu.org/viewvc/jailkit/src/jk_lib.c?revision=1.19&root=jailkit&view=markup

 

Do you have any ideas about this?

 

Thanks,

Pas

_______________________________________________
Jailkit-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-dev