DirectAdmin Knowledge Base and Support

DirectAdmin is a web panel for a simple administration of both virtual and dedicated servers. DirectAdmin is faster, safe and more powerful than any other CP. And we know how to customize and support it.

BubbleWrap jail for users on Directadmin servers

| 00:47:18 07.06.2020

Since the version 1.61.0 of DirectAdmin a jailed shell and jailed cron are supported. This can be achieved with a help of BubbleWrap the unprivileged sandboxing tool. On Linux servers it gives another layer of a security, and restricts users.

What is BubbleWrap jail?

The goal of bubblewrap is to run an application in a sandbox, where it has restricted access to parts of the operating system or user data such as the home directory. 

The BubbleWrap jail works by creating a new, completely empty, mount namespace where the root is on a tmpfs that is invisible from the host, and will be automatically cleaned up when the last process exits. 

An user can specify exactly what parts of the filesystem should be visible in the sandbox. 

The maintainers of this tool believe that it does not, even when used in combination with typical software installed on that distribution, allow privilege escalation. 


Installation of BubbleWrap jail

For CentOS 7 and up run the following commands as root:

cd /usr/local/directadmin/custombuild
./build update
./build bubblewrap
./build jailshell

to install /usr/bin/jailshell.

DirectAdmin can make use of this with a new value "jail" (set to 0 by default)

/usr/local/directadmin/directadmin set jail 1 restart

which enables the package/reseller/user.conf options for "jail=ON/OFF"

Any sshd related changes will save /usr/bin/jailshell (if exists) to that User's shell in /etc/passwd:

Any sshd related changes will save /usr/bin/jailshell (if exists) to that User's shell in /etc/passwd

Any cron changes will save SHELL=/usr/bin/jailshell (if exists) in that User's crontab.

ssh does not need to be enabled to enable jail for the given User.

Here how a new option looks in DirectAdmin interface:

BubbleWrap jail for users on Directadmin servers

You can enable jail for users selectively or for all users at once.


Enable Jail for all users in DirectAdmin

Alternatively, you can set:

/usr/local/directadmin/directadmin set jail 2 restart

so that regardless of any package/reseller/user.conf settings, jail is ALWAYS enabled, and will always be set for ssh/cron when saved.


What does it all mean?

In short, this is a security measure to safely restrict users when allowing them to use SSH on a server and run cron-tasks.

Jailed users can not access other users' homedirs either in SSH session or in a script running with cron. 

Jailed users can still run all necessary binaries and commands from shell.


Related links


Tags: directadmin Cron Security ssh2 jail BubbleWrap chroot sandbox 
←  ClamAV stopped and does not start with custom viruses definition bases  | Start |  Native support of PHP extensions in DirectAdmin  →
About Us
We are a team of professionals, and specialize in installation, configuring and managing of remote virtual and dedicated servers powered by Linux/Unix-like OS with DirectAdmin. We support various sets of software, including web-servers Apache, Nginx; internet domain name servers Bind, PowerDNS; mail-servers with POP3, IMAP and SMTP, FTP-servers, etc. After years of working through the most complex server challenges our team has gathered valuable experience and universal solutions suitable for everyday tasks. We are here to lend you a helping hand and take care of your servers in order to let you have enough time to do more of what you love.




SEE HOW WE CAN HELP!
All of the information and data on this site is for informational purposes only and is provided for the convenience of the user.
Powered by: Amiro.CMS - Free edition