Jailshell .. Should not be left out of the cPanel Comparison

#1 Wed, 08/10/2005 - 22:22
JamesMiller

Despite my overall disliking for cPanel/WHM, one feature that it has that comes in very handy is the Jailshell. Hosting clients, when granted shell access, should not be able to see anything except for their domain, their files, and their folders. They should feel like they are the only ones on the system.

I believe that jailshell also keeps people from even attempting anything malicious or overstepping their bounds, simply because they can't even try to open files that they shouldn't, because they are invisible to them.

The Virtualmin vs. cPanel comparison as a selling point should not ignore the lack of this feature. Jailshell is an important tool for web hosts because of the growing number of customers who request shell access with no intention of harming the system or gaining access to other users' files.

Sun, 06/07/2009 - 06:58
Joe

Hi James,

Interesting, thanks for bringing this up! I really do want the comparison to be fair to cPanel, as I don't see any point in bringing someone over to Virtualmin only to have them disappointed by some lacking feature that we didn't mention in the comparison. I never noticed this feature in the cPanel documentation, but will look into it now. jailshell does sound like a very nice feature.

I'll update the cPanel comparison, and look into getting something similar into Virtualmin Professional. We do have some plans that go well beyond this, but in the short term it seems like a good idea.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 06:58
Joe

Hey James and all,

I've done some research, and something along these lines is absolutely do-able. There are a few options out there and I thought I'd post them here and get some opinions if anyone has tried them:

JailKit: This one is the most mature and has a very competent developer behind it, but is also the most complicated. It sets up a chroot environment for shell users, and includes some tricky wrappers for things like procmail to prevent jail breakage via roundabout methods. It is quite complex in that in order to make the shell useful, we have to drop everything a user is going to use into the jail. This one would take a week or three to integrate into Virtualmin Professional. http://olivier.sessink.nl/jailkit/

ibsh: The Iron Bars Shell. This one is quite new, but looks like it has some great features. It is a very restrictive "deny everything unless told otherwise" shell, with much easier configuration than JailKit. It sounds like it does everything we'd like it to do, but I have concerns about its security due to its young age. There just isn't enough history to it for us to know if it is truly safe without a code audit (and even then something might get missed)--by the time we've audited it, we could have integrated JailKit, which has a track record. Without the audit, it could go into the very earliest beta versions this week. I really like the idea of this one, due to its simplicity...but it's pointless to choose something simple if it doesn't work. http://ibsh.sourceforge.net/

scponly: This one is the most restrictive of them all, and probably doesn't answer everyone's needs in this space. On the other hand, it is extremely simple and easy to integrate into Virtualmin Professional, so it is going in whether we choose it as the primary "limited shell" option or not. It's just a good idea done well. Anyway, it wraps ssh to only permit a very limited subset of features--like scp, sftp, rsync, and CVS. Would this limited feature set be enough for your users that you don't trust with straight shell access, or do we need to pursue one of the more flexible options? http://www.sublimation.org/scponly/

rssh: Roughly the same as scponly. I've found fewer users talking about it, but it's probably just as good. Worth trying before choosing scponly for the specific problem they solve. http://www.pizzashack.org/rssh/

Thanks in advance for any thought anyone has on this one, or suggestions for other options that might solve the problem.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 06:58
Joe

OK, I've added scponly to the installer and it will show up in the shells dropdown list when creating new templates. I'm working on building a chroot environment for it, so that scponly shell users won't be able to see the rest of the world...this same process should speed adoption of jailkit or something similar. I haven't figured out which of the full-featured, or I guess partially-featured, restricted shells we'll be using--ibsh is really cool, but much less mature than I'd like...it doesn't even have tab completion or history!

I've updated the cPanel vs. Virtualmin Professional chart to include this feature (and I give us a yellow dot vs. their green, until we have a more complete solution in place).

--

Check out the forum guidelines!

Sun, 06/07/2009 - 06:58
JamesMiller

I am very glad to see that such an immediate response was initiated to include this feature. I am continually more and more convinced that Virtualmin is the future of web hosting control panels. Thanks Joe!

Sun, 06/07/2009 - 06:59
BryanRodriguez

Hello Joe,

I was wondering how the restricted shell access is coming along? I also would like to offer some assistance and a suggestion that would be nice for this feature. I have been stuck with virtualmin version 1.4 since the day of its release (I know, that's old). The reason is I completely revamped virtualmin to support restricted shells since then. Any upgrades would ruin my work. The following are current features I have:
1. When adding new customers it creates a restricted shell account under /home/(user-admin).
2. I give my customers the ability to add restricted shell accounts as well.
3. The restricted accounts they add are placed under /home/(user-admin)/homes/(admin)
4. So when my customer logs in they can see all their sub accounts, while those users only see their account.
5. I also limit the number of accounts my customers can add.

Since I added this it's worked flawlessly and I have a lot of accounts based on the scheme.

I am writing this because it would be nice to start using some of the new features virtualmin has. I am hoping you might see a future for these features in virtualmin. If you need any assistance feel free to ask.

Thanks

Sun, 06/07/2009 - 06:59
Joe

Hey Bryan,

As mentioned in the post above, scponly is now included in the default install and works really well for the things that it does. It is not the solution for all situations, however, so I'm still thinking on other ideas.

I'd certainly welcome feedback on how you're accomplishing your restricted shell environment. Are you using one of the tools I've mentioned previously, or a custom chroot-based solution?

--

Check out the forum guidelines!

Sun, 06/07/2009 - 06:59
BryanRodriguez

Basically I am using a patch on the SSH service. It looks at the user's directory path. If they have a path like so:

/home/user/./files/

SSH restricts them from ./ on up when they login.

I have modified virtualmin and webmin to include /./ with every account creation. Also I have updated the /etc/skel dir to include files for all jailed accounts. That is it...besides the fact of adding limits for accounts.

Sun, 06/07/2009 - 07:01
pasiihalainen

Chroot/jail type behavior is quite an important concept to address. Is there a solution to this problem yet? I have scponly installed, and it works as a restricted shell, but we would like the default situation to jail clients to their own home directory - without any command line intervention. If there is no virtualmin method, then how are other people dealing with this?

Sun, 06/07/2009 - 07:01
Joe

Hi Pasi,

If you have a very recent OS (one with Dovecot 1.0), you can lock down permissions very tightly, which resolves this issue entirely (without need of potentially very dangerous tactics like chrooting shells*).

We're rolling out Dovecot 1.0 to everyone over the next few days, which will allow us to make the default 750 for homes.

If you're running one of the operating systems that has 1.0 already (just FC6 and maybe Ubuntu 6.10), then you can browse to the Webmin System Users and Groups module, hit Module Config, and change the default permissions on new home directories to 0750 (and chmod 750 /home/*). If not, you'll have to wait a few days until we can get it packaged up for everyone and documentation posted for helping folks make the transition to the new version.

*-A general purpose chroot shell (i.e. one filled with lots of regular software and programming languages) introduces several potentially huge security issues, and really just shouldn't be done. Now that I've researched the issue more fully I can say with confidence that we will never offer a chroot shell, by default.

--

Check out the forum guidelines!
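A check for the 0750 home-directory mode Joe recommends above, added here as an example; it is not code from the thread, from Virtualmin or from Webmin. It lists every directory directly under a base directory (default /home) that still grants any permission to "other", and a second function tightens those to 750. It assumes a POSIX sh and GNU coreutils stat (the -c flag); the directory names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Virtualmin): audit the mode of
# each home directory under a base directory, report any that still grant
# permissions to "other", and optionally tighten them to 0750.
# Assumes GNU coreutils stat (stat -c); on BSD/macOS use: stat -f '%Lp'.

# audit_homes BASE: print "MODE PATH" for every directory directly under BASE
# whose "other" digit is non-zero. Returns 0 when nothing was found, 1 otherwise.
audit_homes() {
    base="${1:-/home}"
    found=0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue            # no match: the glob stays literal
        d="${d%/}"
        mode=$(stat -c '%a' "$d")          # e.g. 755, 750, 2750 (setgid)
        case "$mode" in
            *0) ;;                         # other = ---, nothing to report
            *)  printf '%s %s\n' "$mode" "$d"; found=1 ;;
        esac
    done
    return "$found"
}

# tighten_homes BASE: chmod 750 every directory audit_homes would report.
# 750 keeps the owner in full control and the owner's group able to traverse,
# while any other account on the box can no longer list or enter the directory.
tighten_homes() {
    base="${1:-/home}"
    audit_homes "$base" | while read -r mode path; do
        chmod 750 "$path" && printf 'chmod 750 %s (was %s)\n' "$path" "$mode"
    done
}
```

Run `audit_homes /home` first to see what would change; as Joe notes, the mail delivery agent has to cope with the tighter mode before you make it the default, so tighten only after that is in place. The audit deliberately keys on the last octal digit only, so a setgid directory (2750) passes while 2755 is reported.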

Sun, 06/07/2009 - 07:01
Joe

Oh, yeah, as more systems get good quality ACLs (SELinux, and Posix ACLs in Solaris, for two examples), we'll begin integrating some additional roles to allow further restrictions in highly secure environments. The management tools for SELinux just really suck right now, and almost no one is using Solaris for hosting, so there isn't an intersect between what works and what people are using yet. Another release of Fedora will probably bring the policies and tools for SELinux up to a useful level.

--

Check out the forum guidelines!

Thu, 09/08/2011 - 22:01
yngens

Nice thread, but 1) comments are duplicated or even triplicated, would be nice if cleaned up; 2) no solution proposed yet.

Mon, 07/30/2012 - 17:15
lamigo

So I believe this is the reason why an FTP and/or SSH user is able to find and see most of the files and directories server wide.

It's hard for me to tell whether this would mean potential security risks, but it would be better for FTP and/or SSH users to be restricted to their respective accounts/domains only.

Besides that, I'm quite happy with Virtualmin so far. :)

Mon, 11/19/2012 - 18:54
nibb

+1 for this.

I still consider Jailshell insecure, because you can escape the chrooting with advanced skills, any SSH access to a server should be considered not safe. You need to trust the user first.

But I agree 100% with this request. For trusted users, which really need shell access, the only option is a jailed shell, and there are many options available, let's hope Virtualmin adds this as a feature soon.

Mon, 10/05/2015 - 04:38
ADDISON74

Joe could you please let me know what happened from this 2009 statement?

"OK, I've added scponly to the installer and it will show up in the shells dropdown list when creating new templates. I'm working on building a chroot environment for it, so that scponly shell users won't be able to see the rest of the world...this same process should speed adoption of jailkit or something similar. I haven't figured out which of the full-featured, or I guess partially-featured, restricted shells we'll be using--ibsh is really cool, but much less mature than I'd like...it doesn't even have tab completion or history!"

1) Can I see a user guide for scponly in Virtualmin?

2) Do we have a chroot environment like cPanel?

I don't like Virtualmin users browsing the system. Not from the web interface or the terminal. It is no problem for webmin users.

Thu, 10/08/2015 - 18:51 (Reply to #23)
Joe

chroot still only provides a false sense of security (I talked about this in a few other threads way back when this was a popular question, and we pretty much ruled out doing it in Virtualmin because of the historic negative security implications, but even now, there is no security benefit to using chroot in this way).

scponly is no longer necessary, as ProFTPd supports FTP over SSH connections (though not general purpose ssh shell connections, but there's no safe way to restrict a full shell user from seeing the rest of the file system). Using the DefaultRoot option, you can restrict any type of connection or any type of user to their home directory.

So to specifically answer your questions:

  1. scponly is no longer needed or recommended (it's not dangerous, as far as I know, but it's not useful). You just need to use ProFTPd for all connections from users (except those you trust to have shell ssh access), and add "DefaultRoot ~" to the configuration.
  2. No, and we still discourage people from using a chroot environment for untrusted users. chroot has security implications that are difficult to reason about. It may be that recent versions of openssh make chroot safer, as it may be able to drop privileges in a safe way today (it probably can, if I'm reading the docs right); historically, even a single mistake in your chroot filesystem could lead to a root privilege escalation vulnerability (which is game over for security). I haven't done the research to understand how this risk has been mitigated in recent years, as I don't want to go down that path for security in Virtualmin. There are much better options today, including SELinux.

Also, note that Virtualmin has tighter permissions on home and safer defaults for web apps than other control panels (at least, it did last time I looked at how cPanel and Plesk were doing things). A chroot would provide little actual security benefit and would potentially open up security concerns of its own. On my personal systems, I don't mind granting untrusted (but not anonymous) users shell access. I'm not worried about them seeing files on my system, because UNIX systems were designed from the ground up to be multi-user systems.

chroot also does not prevent someone with any level of knowledge from seeing files on the filesystem (as they do when logging in without a chroot). There are many ways to see those files in any hosting system, including web applications, procmail recipes, cron jobs (though this can be forced to take on the environment of the chroot at the expense of a more complex chroot), etc. chrooting the shell or FTP provides a false sense of security.

I would like to spend more time with SELinux. It does provide means to do what many people use chroot for, without the problems of chroot. I made Virtualmin work comfortably with SELinux a while back when we built our new boxes on CentOS 7 (it actually wasn't that hard; took a couple of hours), but haven't done the work to package up the new rules that are needed yet. But, the standard strict SELinux rule set also does not prevent users from seeing files outside of their home. The things that people want chroot for just aren't security issues, generally speaking...they seem like security issues, but they're really not.

So, to sum up:

We don't do chroot because it does not improve security to do chroot. But, you can get the effect of a chroot for FTP and FTP over SSH connections using the DefaultRoot option in ProFTPd. This option is easy, and it is safe.

Oh, also, the new File Manager (Filemin) has this ability as well, and defaults to restricting users to their home (not for security, but for usability).

--

Check out the forum guidelines!
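To illustrate Joe's DefaultRoot advice, here is an added example that is not from the thread, from Virtualmin or from the ProFTPd project: a constructed proftpd.conf fragment without DefaultRoot (the weak setting) beside the corrected one, and a small check that reports whether a given config file carries an uncommented "DefaultRoot ~". The group name sshusers in the exemption is an assumed placeholder for whatever group holds the users you trust with a full shell; the directive itself and its optional group expression are real ProFTPd syntax.

```shell
#!/bin/sh
# Added example (not from the thread or the ProFTPd project): the weak and the
# corrected proftpd.conf fragment side by side, plus a check for real configs.

# Constructed "before" fragment: with no DefaultRoot, an FTP or SFTP login is
# confined only by UNIX permissions and can change directory out of its home.
weak_conf() {
    cat <<'EOF'
ServerName "example hosting"
DefaultServer on
Port 21
# no DefaultRoot directive here
EOF
}

# Corrected fragment: "DefaultRoot ~" confines every login to its own home.
# The optional group expression "!sshusers" (assumed group name) exempts the
# accounts you trust with shell access, matching Joe's "except those you trust".
hardened_conf() {
    cat <<'EOF'
ServerName "example hosting"
DefaultServer on
Port 21
DefaultRoot ~ !sshusers
EOF
}

# has_defaultroot_home FILE: return 0 if FILE contains an uncommented
# "DefaultRoot ~" line (with or without a group expression), 1 otherwise.
# "DefaultRoot ~/ftp" is deliberately not accepted: that roots the session in
# a subdirectory of the home, which is a different policy.
has_defaultroot_home() {
    grep -Eq '^[[:space:]]*DefaultRoot[[:space:]]+~([[:space:]]|$)' "$1"
}
```

After adding the directive, `proftpd -t -c /etc/proftpd/proftpd.conf` (the daemon's config-test mode) will catch a typo before you restart the service. DefaultRoot is enforced inside the ProFTPd daemon, so it covers FTP and ProFTPd's SFTP sessions only; an OpenSSH shell login is untouched by it, which is exactly the distinction Joe draws above.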

Fri, 10/09/2015 - 01:58
ADDISON74

Thank you. Your approach is very professional. I am looking forward to updates.

Tue, 09/13/2016 - 20:17
chrismfz

Do you have a working set of SELinux policies that work with Virtualmin? I tried using the SELinux minimal policy and adding a few rules/exceptions (logs, apache and mail mostly); it works, but I assume you did a better job :-)
