security report/feature request. chroot for SFTP, ssh, http, all services.

This is both a security vulnerability report, and feature request.

The Virtualmin default settings for ProFTP, web, etc, allow the user, or a minimally skilled hacker, to browse almost the entire filesystem of the server, read sensitive information such as the system password hash files, service config files, database config files, any cleartext settings, passwords or keys stored in those files, etc.

A recent example. Virtualmin standard settings make it so that a user's web application located in their home directory is NOT jailed in a chroot to that home directory. A vulnerability in a web application is disclosed, in this example, a joomla component that allows upload of images, in this case a PNG image which contains malicious PHP code added inside. A hacker with little skill easily upload a PHP shell called C99, executed it, searched for all config files on the system, read mysql config, ran mysqldump, copied the entire contents of the server and all databases on the system, implanted an IRC remote controlled back door, and used that PHP shell's features to try to obtain root by a number of methods.

Examples like this make it so that complete isolation via chroot and/or similar methods, is a very hot topic in the hosting world now.

Either chroot, or a similar technique, could be used, to jail any user (or hacker) to the web home or virtual server home directory. Prevent hackers using a php shell from browsing the entire server filesystem. At most they would be able to get only that user's data and files, not the entire server and all virtual server accounts.

Cloudmin/Virtualmin/Webmin could seamlessly implement a chroot feature (or something as effective at locking down the user to their own virtual server directory), for ftp ssh and web. There are other control panels providing this full isolation between virtual server and between virtual sub-server accounts. It'd be nice to resolve this issue, and protect the security/privacy of user information in the Virtualmin shared hosting environment.



Assuming that an attacker is limited to running commands as the domain owner, he shouldn't be able to read files like /etc/shadow that contain hashed passwords, or any file that contains the MySQL root password. The default Virtualmin permissions also disallow domain owners from accessing the /home sub-directory belonging to any other domain..

So I'm not seeing what benefits a chroot would bring, especially given the complexity of setting it up while still allowing PHP scripts to execute.