Since version 1.61.0, DirectAdmin supports a jailed shell and jailed cron. This is achieved with the help of BubbleWrap, an unprivileged sandboxing tool. On Linux servers it adds another layer of security and restricts users.
The goal of bubblewrap is to run an application in a sandbox, where it has restricted access to parts of the operating system or user data such as the home directory.
The BubbleWrap jail works by creating a new, completely empty, mount namespace where the root is on a tmpfs that is invisible from the host, and will be automatically cleaned up when the last process exits.
A user can specify exactly what parts of the filesystem should be visible in the sandbox.
The maintainers of this tool believe that it does not, even when used in combination with typical software installed on that distribution, allow privilege escalation.
For CentOS 7 and up run the following commands as root:
cd /usr/local/directadmin/custombuild
./build update
./build bubblewrap
to install /usr/bin/jailshell.
DirectAdmin can make use of this with a new value "jail" (set to 0 by default):
/usr/local/directadmin/directadmin set jail 1 restart
which enables the package/reseller/user.conf options for "jail=ON/OFF".
Any sshd-related changes will save /usr/bin/jailshell (if it exists) as that User's shell in /etc/passwd.
Any cron changes will save SHELL=/usr/bin/jailshell (if it exists) in that User's crontab.
SSH does not need to be enabled to enable jail for the given User.
Here is how the new option looks in the DirectAdmin interface:
You can enable jail for users selectively or for all users at once.
Alternatively, you can set:
/usr/local/directadmin/directadmin set jail 2 restart
so that regardless of any package/reseller/user.conf settings, jail is ALWAYS enabled, and will always be set for ssh/cron when saved.
In short, this is a security measure to safely restrict users when allowing them to use SSH on a server and run cron tasks.
Jailed users cannot access other users' home directories, either in an SSH session or in a script run by cron.
Jailed users can still run all necessary binaries and commands from the shell.
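To confirm that the jail was actually written where the text above says it is (the login shell in /etc/passwd and the SHELL= line in the user's crontab), the following audit script can be run as root. It is an added example, not part of DirectAdmin. It assumes regular accounts have UID 1000 or higher; the users alice, bob and carol and their files are constructed sample data.

```shell
#!/bin/sh
# Added example, not DirectAdmin code: report which accounts actually got the jail.
JAILSHELL=/usr/bin/jailshell   # path installed by "./build bubblewrap" (from the article)

# Classify a login shell taken from field 7 of a passwd entry.
login_state() {
    case $1 in
        "$JAILSHELL")      echo jailed ;;
        */nologin|*/false) echo nologin ;;   # SSH disabled; cron may still be jailed
        *)                 echo unjailed ;;
    esac
}

# Classify a crontab: jailed only if every SHELL= assignment is the jail shell.
cron_state() {
    [ -f "$1" ] || { echo none; return 0; }
    shells=$(sed -n 's/^[[:space:]]*SHELL[[:space:]]*=[[:space:]]*//p' "$1" | sort -u)
    if [ "$shells" = "$JAILSHELL" ]; then echo jailed; else echo unjailed; fi
}

# audit_jail PASSWD_FILE CRON_DIR [MIN_UID]: one line per account with UID >= MIN_UID.
audit_jail() {
    passwd_file=$1; cron_dir=$2; min_uid=${3:-1000}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge "$min_uid" ] || continue
        echo "$user login=$(login_state "$shell") cron=$(cron_state "$cron_dir/$user")"
    done < "$passwd_file"
}

# Constructed sample data (hypothetical users alice, bob, carol) for an offline run.
demo() {
    d=$(mktemp -d) && mkdir "$d/cron"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1001:1001::/home/alice:/usr/bin/jailshell' \
        'bob:x:1002:1002::/home/bob:/bin/bash' \
        'carol:x:1003:1003::/home/carol:/sbin/nologin' > "$d/passwd"
    printf 'SHELL=/usr/bin/jailshell\n0 3 * * * /home/alice/backup.sh\n' > "$d/cron/alice"
    printf 'SHELL=/usr/bin/jailshell\nSHELL=/bin/sh\n* * * * * /home/bob/job.sh\n' > "$d/cron/bob"
    audit_jail "$d/passwd" "$d/cron"
    rm -rf "$d"
}

# With two arguments audit real files; with none run the constructed demo.
if [ $# -ge 2 ]; then audit_jail "$@"; else demo; fi
```

On a live server, pass /etc/passwd and the directory holding per-user crontabs (on CentOS this is normally /var/spool/cron). Any account reported as unjailed while jail is set to 2 has not been saved since the setting was changed.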