pymumu / jail-shell Goto Github PK

Jail-shell is a linux security tool mainly using chroot, namespaces technologies, limiting users to perform specific commands, and access sepcific directories.

License: GNU General Public License v2.0

Makefile 1.49% C 68.28% Shell 30.23%

security-hardening shell chroot linux ssh security linux-namespaces jail

jail-shell's Introduction

Jail-Shell

中文REAMDME请看这里

Jail-shell is a Linux security tool mainly using chroot, namespaces technologies, limiting users to perform specific commands, and access specific directories.

Users can login through SSH, SCP, SFTP, Telnet, terminals, etc. and be restricted to a secure operating enviroment.

Jail-shell can be used for webhost ssh access control, enterprise Administrator's privilege hierarchy management.

Features

Easy to use

Through the configuration file jail-shell automatically generates the chroot running environment. Through jail-shell management commands it's very easy to add, list, delete, restrict users, and easy to install, delete chroot running environment.

Chroot technology limits user access

The Linux chroot technology is used to restrict the user's directory access, to avoid users accessing restricted directories and to prevent users from destroying the system.

Directory read-only protection

The chroot running enviroment is readonly, this prevents users from deleting protected directories and files, creating device files, and accessing restricted files.

Namespace limit user Visible range

Use Linux namespace technology, limit the visible range of user PID, Mount directories, and avoid information leakage.

System command channel

Provides a system command-and-proxy channel that allows users to execute a real system's restricted command in a chroot environment, protecting the system in the event that it provides the necessary functionality.

Automatic processing of chroot Environment command library dependencies

Only a list of commands is required to automatically copy the dynamic library that the command relies on to the chroot environment, avoiding the cumbersome work of copying the dynamic library manually.

Capabilities Restrictions

Discard critical capabilities privileges to avoid the system, and the chroot running environment, being cracked by rootkit.

Multi-Linux operating system support

Supports Redhat, SLEs, Debian and their derivative operating systems.

Architecture

Jail-shell contains 3 parts, Pam Plugins, jail-cmd command agents, Jail-shell command tools.

pam_jail_shell Plugins

Mainly control the login of users. according to the configuration list, use chroot and namespace technology to restrict the login users to a specific restricted directory.

jail-cmd command-and-proxy

It forwards specific command to the real system, such as passwd, or other user-related business commands, and it also prevents command injection.

jail-shell commandline tool

Mainly provides the ability to manage the restricted security shell, making it easier for administrators to use, including user's add, delete, shell's configuration, installation, deletion, etc.

Instructions

According to the configuration, pam_jail_shell limits users to the specified chroot enviroment.
Administrators use jail-shell command to manage the list of restricted users, manage the list of commands for the chroot enviroment, and manage the access range of directories.
Jail-cmd proxies specific command, to help implement the necessary business functions.

Compile and install

Compile

git clone https://github.com/pymumu/jail-shell.git
cd jail-shell
make

Install

sudo make install

Uninstall

sudo /usr/local/jail-shell/install -u

Usage

After installation, you can use jail-shell command to manage jails, jail-shell -h for help.
In use, the steps are as follows:

Use useradd username command to add user to the system.
Use jail-shell jail command to create a chroot enviroment.
Use jail-shell user command to add user to the jails.

Example

The following is an example of adding user test to a jail named test-jail.

add user test，and set password

sudo useradd test -s /bin/bash
sudo passwd test

create chroot enviroment

sudo jail-shell jail -e test-jail

After executing the above command, a new jail configuration will be created from the template, and it is opened by vi, you can edit it, after that, remember to save the configuration with vi command :w!.

install chroot enviroment

sudo jail-shell jail -i test-jail

add user test to jail test-jail

sudo jail-shell user -a test -j test-jail

connect and test whether test is jailed.

ssh [email protected]

Jail Config file format description

The jail config file is located at /etc/jail-shell/jail-config/, and file suffix is .cfg
The configuration supports the following commands:

dir
- DESC:
  create a directory into jail
- COMMAND:
  dir PATH MODE OWNER
- EXAMPLE:
  dir /bin/ 0755 root:root
file:
- DESC:
  copy a file into jail
- COMMAND:
  file SRC DEST MODE OWNER
- EXAMPLE:
  file /etc/nsswitch.conf /etc/nsswitch.conf 0644 root:root
hlink:
- DESC:
  create a hardlink file into jail
- COMMAND:
  file SRC DEST MODE OWNER
- EXAMPLE:
  file /etc/nsswitch.conf /etc/nsswitch.conf 0644 root:root
slink:
- DESC:
  create a symbolic link into jail
- COMMAND:
  slink TARGET LINKNAME
- EXAMPLE:
  slink /bin/bash /bin/sh
clink:
- DESC:
  Try to create hardlinks instead of copying the files. If linking fails it falls back to copying
- COMMAND:
  clink TARGET LINKNAME
- EXAMPLE:
  clink /etc/localtime /etc/localtime
node:
- DESC:
  create device file.
- COMMAND:
  node PATH TYPE MAJON MINOR MODE OWNER
- EXAMPLE:
  node /dev/null c 1 3 666 root:root
- NOTE: security tips
  should avoid adding block device files.
bind:
- DESC:
  bind a directory to jail
- COMMAND:
  bind [SRC] DEST OPTION
- OPTION: rw,ro,dev,nodev,exec,noexec, refer to (man mount) for the parameter description
  %u in path '[SRC] DEST' will be replaced as user name
- EXAMPLE:
  bind / ro,nodev,nosuid
  bind /opt/ /opt/ ro,nodev,noexec
  bind /opt/upload /opt/upload rw,nodev,noexec,nosuid
  bind /opt/%u /opt/upload ro,nodev,noexec,nosuid
cmd:
- DESC:
  executes commands within the system which outside jail.
- COMMAND:
  cmd SRC DEST RUN_AS_USER
- RUN_AS_USER: User who executes system commands, -:- means user in jail
- EXAMPLE:
  cmd /usr/bin/passwd /usr/bin/passwd -:-
  cmd /some/root/command /some/root/command root:root
  cmd /some/user/command /some/user/command user:user
- NOTE: security tips This channel may lead users to escape jail, should avoid adding command which can be shell-inject,
  For example, read the commands entered by the user

Security Tips

When using jail-shell, the minimum security authorization principle should be adopted. In the premise of ensuring the use of functions, reduce user rights.

bind tips

Except /dev directory, it is recommended to add nodev parameters, /dev directory must set to ro, noexec (read-only, disable executable) permissions.
For the chroot environment directory, it is recommended to set ro, nodev, nosuid (read only, prohibit device files, and prohibit suid files) permissions.
For writable bind directories, it is recommended to set nodev, noexec, nosuid (disable device files, disable executable files, disable suid files) permissions.

avoid commands

avoid: debug commands such as gdb, mount, strace, etc..

File Directory Description

directory	description
`/etc/jail-shell/`	Configure file Directory
`/etc/jail-shell/jail-shell. conf`	Restricted User Configuration list file
`/etc/jail-shell/jail-config/`	The directory where the jail shell configuration file is located, and the suffix. cfg file is recognized as a jail configuration file.
`/var/local/jail-shell/`	Jail-shell Data Directory
`/var/local/jail-shell/jails`	Jail-shell chroot Environment Directory
`/usr/local/jail-shell`	Jail-shell program Directory

Debugging the chroot environment

When you copy a command to the chroot environment, if the copy command fails, you need to debug to find the missing dependent files, and add them to the chroot environment.
Copy the strace command into the chroot environment, and then use strace to execute the commands that need to be debugged to find the missing dependent files.
The following debugging commands are as follows

strace -F -eopen command

-eopen represents a list of files that the trace process opens.
After executing the above command, troubleshoot to find the open file list.

open ("/etc/ld.so.preload", "O_RDONLY") = -1 ENOENT (No, such, file, or, directory)

As indicated above, the /etc/ld-so.preload file does not exist when reading, and may need to add the above files to the chroot environment. At this point, you can use the clink, file command to add missing files to the chroot environment.

License

Jail-shell using GPL-V2 License.

Donate

jail-shell's People

Contributors

Stargazers

Watchers

Forkers

theraw skyformat99 apython123 jmcabandara luckypoem ryanbekabe dangolk byronigoe zhe1234zou lxngoddess5321 yxnt wprobot sequelwp viktordw millerantos arstercz gauravssnl ufoxu dewebdes

jail-shell's Issues

client_loop: send disconnect: Broken pipe

[root@k8s-master02 jail-shell]# ssh [email protected]
[email protected]'s password:
client_loop: send disconnect: Broken pipe

Is jailshell supported in cloudlinux?

The users in cloudlinux seem to be already having restricted access to files and folders.
CageFs is installed in cloudlinux.
When I jail a user in cloudlinux 8.7 and try to login to that user from winscp, it shows the same files and folders that was shown before jailing it.

Having issues with Ubuntu 22.04

I was able to get it to work on older versions of ubuntu, however on 22.04 I was getting,

install: creating directory '/etc/jail-shell'
install: creating directory '/etc/jail-shell/jail-config'
install: creating directory '/usr/local/jail-shell/misc'
install: creating directory '/usr/local/jail-shell/bin'
'jail-cmd/jail-cmd' -> '/usr/local/jail-shell/jail-cmd/jail-cmd'
'jail-cmd/jail-cmdd' -> '/usr/local/jail-shell/jail-cmd/jail-cmdd'
'/usr/sbin/jail-cmdd' -> '/usr/local/jail-shell/jail-cmd/jail-cmdd'
'bin/jail-shell' -> '/usr/local/jail-shell/bin/jail-shell'
'bin/jail-shell-setup' -> '/usr/local/jail-shell/bin/jail-shell-setup'
'bin/jail-shell-post' -> '/usr/local/jail-shell/bin/jail-shell-post'
'pam_jail_shell/jail-init' -> '/usr/local/jail-shell/bin/jail-init'
'/usr/sbin/jail-shell' -> '/usr/local/jail-shell/bin/jail-shell'
'pam_jail_shell/pam_jail_shell.so' -> '/lib/x86_64-linux-gnu/security/pam_jail_shell.so'
'pam_jail_shell/jail-shell.conf' -> '/etc/jail-shell/jail-shell.conf'
'/etc/security/jail-shell.conf' -> '/etc/jail-shell/jail-shell.conf'
'etc/init.d/jail-shell' -> '/etc/init.d/jail-shell'
dirname: missing operand
Try 'dirname --help' for more information.
Failed to stop jail-shell.service: Unit jail-shell.service not loaded.
jail-shell.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable jail-shell
dirname: missing operand
Try 'dirname --help' for more information.

Any ideas what might be causing this?

warnings after Werror removed in makefile

When i enter "make", it gives this error:

[root@devloc jail-shell]# make
make -C jail-cmd all
make[1]: Entering directory '/jail-shell/jail-cmd'
cc -g -O2 -Werror -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmd.o jail-cmd.c
jail-cmd.c: In function ‘cmd_init’:
jail-cmd.c:92:3: error: ‘strncpy’ specified bound 32 equals destination size [-Werror=stringop-truncation]
strncpy(cmd->jsid, getenv(JAIL_KEY), sizeof(cmd->jsid));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [: jail-cmd.o] Error 1
make[1]: Leaving directory '/jail-shell/jail-cmd'
make: *** [Makefile:14: JAIL_CMD] Error 2

.
.

I removed -Werror from Makefile in /jail-shell/jail-cmd and then entered "make". It gave me these warnings:

[root@devloc jail-shell]# make
make -C jail-cmd all
make[1]: Entering directory '/jail-shell/jail-cmd'
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmd.o jail-cmd.c
jail-cmd.c: In function ‘cmd_init’:
jail-cmd.c:92:3: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation]
strncpy(cmd->jsid, getenv(JAIL_KEY), sizeof(cmd->jsid));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-common.o jail-common.c
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing jail-cmd.o jail-common.o -o jail-cmd
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmdd.o jail-cmdd.c
jail-cmdd.c: In function ‘run_process’:
jail-cmdd.c:354:37: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4066 [-Wformat-truncation=]
snprintf(cmd_path, PATH_MAX, "%s/%s%s", COMMAND_ROOT_PATH, jail_name, cmd_name);
^~ ~~~~~~~~
jail-cmdd.c:354:2: note: ‘snprintf’ output 31 or more bytes (assuming 4126) into a destination of size 4096
snprintf(cmd_path, PATH_MAX, "%s/%s%s", COMMAND_ROOT_PATH, jail_name, cmd_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc -g -O2 -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing jail-cmdd.o jail-common.o -o jail-cmdd -lutil
make[1]: Leaving directory '/jail-shell/jail-cmd'
make -C pam_jail_shell all
make[1]: Entering directory '/jail-shell/pam_jail_shell'
cc -g -O2 -fPIC -Wall -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o pam_jail_shell.o pam_jail_shell.c
pam_jail_shell.c: In function ‘run_jail_post_script.part.1’:
pam_jail_shell.c:934:38: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4053 [-Wformat-truncation=]
snprintf(post_cmd, PATH_MAX, "%s %s %s/%s", LOGIN_POST_SCRIPT, user, jail_home, info->jail);
^~ ~~~~~~~~~
pam_jail_shell.c:934:2: note: ‘snprintf’ output 45 or more bytes (assuming 5163) into a destination of size 4096
snprintf(post_cmd, PATH_MAX, "%s %s %s/%s", LOGIN_POST_SCRIPT, user, jail_home, info->jail);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c: In function ‘do_mount’:
pam_jail_shell.c:445:36: warning: ‘/ptmx’ directive output may be truncated writing 5 bytes into a region of size between 1 and 4096 [-Wformat-truncation=]
snprintf(check_file, PATH_MAX, "%s/ptmx", pts_path);
^~~~~
pam_jail_shell.c:445:2: note: ‘snprintf’ output between 6 and 4101 bytes into a destination of size 4096
snprintf(check_file, PATH_MAX, "%s/ptmx", pts_path);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c:486:52: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4077 [-Wformat-truncation=]
snprintf(mount_cmd, PATH_MAX, "mount -t proc proc %s -o nosuid,noexec,nodev,ro", proc_path);
^~ ~~~~~~~~~
pam_jail_shell.c:486:2: note: ‘snprintf’ output between 46 and 4141 bytes into a destination of size 4096
snprintf(mount_cmd, PATH_MAX, "mount -t proc proc %s -o nosuid,noexec,nodev,ro", proc_path);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c:493:56: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4073 [-Wformat-truncation=]
snprintf(mount_cmd, PATH_MAX, "mount -t devpts devpts %s -o nosuid,noexec", pts_path);
^~ ~~~~~~~~
pam_jail_shell.c:493:2: note: ‘snprintf’ output between 41 and 4136 bytes into a destination of size 4096
snprintf(mount_cmd, PATH_MAX, "mount -t devpts devpts %s -o nosuid,noexec", pts_path);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c: In function ‘set_jsid_env’:
pam_jail_shell.c:836:43: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 27 [-Wformat-truncation=]
snprintf(jsid_env, TMP_BUFF_LEN_32, "%s=%s", JAIL_KEY, buff);
^~ ~~~~
pam_jail_shell.c:836:3: note: ‘snprintf’ output between 6 and 4101 bytes into a destination of size 32
snprintf(jsid_env, TMP_BUFF_LEN_32, "%s=%s", JAIL_KEY, buff);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c: In function ‘start_jail’:
pam_jail_shell.c:991:40: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]
snprintf(jail_path, MAX_LINE_LEN, "%s/%s", jail_home, info->jail);
^~
pam_jail_shell.c:991:2: note: ‘snprintf’ output between 2 and 5120 bytes into a destination of size 4096
snprintf(jail_path, MAX_LINE_LEN, "%s/%s", jail_home, info->jail);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pam_jail_shell.c:962:2: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
strncpy(user, user_pam, MAX_LINE_LEN);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc -g -O2 -fPIC -Wall -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing pam_jail_shell.o -shared -o pam_jail_shell.so
cc -g -O2 -fPIC -Wall -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail_init.o jail_init.c
jail_init.c: In function ‘main’:
jail_init.c:138:4: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
strncpy(user, optarg, MAX_LINE_LEN);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc -g -O2 -fPIC -Wall -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing jail_init.o -o jail-init
make[1]: Leaving directory '/jail-shell/pam_jail_shell'

.
.

Removing -Werror from Makefile gets the job done but I don't think it is a good practice to ignore all these warnings. Can you fix these?

allow jail user to restart services

Hello,

Thank you for providing this project.

Having security concerns what is the best way to provide the jail user permission to restart a specific service inside jail?

Thank you

terminfo doesn't exist , almalinux 8

[root@s home]# su sen
directory /usr/lib/terminfo or /var/local/jail-shell/jails/sen-jail//usr/lib/terminfo doesn't exist
command failed at line 133: bind /usr/lib/terminfo /usr/lib/terminfo ro,nodev,nosuid

su: cannot open session: User not known to the underlying authentication module

can't export a writable directory

I tried the tips in "jail.cfg.sample", as following:
"# export a writable upload directory.
dir /upload 0755 root:root
bind /opt/upload /upload rw,nodev,noexec,nosuid"

and reinstall this jail. the upload directory showed, but is read-only.

Build error

root@vm:~/jail-shell# make
make -C jail-cmd all
make[1]: Entering directory '/root/jail-shell/jail-cmd'
cc -g -O2 -Werror -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -c -o jail-cmd.o jail-cmd.c
In file included from /usr/include/string.h:495,
from jail-cmd.h:10,
from jail-cmd.c:5:
In function ‘strncpy’,
inlined from ‘cmd_init’ at jail-cmd.c:92:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [: jail-cmd.o] Error 1
make[1]: Leaving directory '/root/jail-shell/jail-cmd'
make: *** [Makefile:14: JAIL_CMD] Error 2

root@vm:~/jail-shell# lsb_release -a
No LSB modules are available.
Distributor ID: Linuxmint
Description: Linux Mint 20
Release: 20
Codename: ulyana

php artisan commands not working in almalinux 8 and centos 7,8

I jailed a user. The user has php binaries. So the php command works. But when I execute php artisan commands like 'php artisan serve' or 'php artisan optimize:clear' from that user's terminal, I get fatal error as shown below:


Fatal error: Uncaught ReflectionException: Class "config" does not exist in /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php:912
Stack trace:
#0 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(912): ReflectionClass->__construct('config')
#1 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(795): Illuminate\Container\Container->build('config')
#2 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(933): Illuminate\Container\Container->resolve('config', Array, true)
#3 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(731): Illuminate\Foundation\Application->resolve('config', Array)
#4 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(918): Illuminate\Container\Container->make('config', Array)
#5 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(1454): Illuminate\Foundation\Application->make('config')
#6 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(544): Illuminate\Container\Container->offsetGet('config')
#7 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(595): Illuminate\Log\LogManager->getDefaultDriver()
#8 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(124): Illuminate\Log\LogManager->parseDriver(NULL)
#9 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(665): Illuminate\Log\LogManager->driver()
#10 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(287): Illuminate\Log\LogManager->error('Call to undefin...', Array)
#11 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(250): Illuminate\Foundation\Exceptions\Handler->reportThrowable(Object(Error))
#12 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(522): Illuminate\Foundation\Exceptions\Handler->report(Object(Error))
#13 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(203): Illuminate\Foundation\Console\Kernel->reportException(Object(Error))
#14 /home/salman/public_html/your-project-name/artisan(35): Illuminate\Foundation\Console\Kernel->handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#15 {main}

Next Illuminate\Contracts\Container\BindingResolutionException: Target class [config] does not exist. in /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php:914
Stack trace:
#0 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(795): Illuminate\Container\Container->build('config')
#1 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(933): Illuminate\Container\Container->resolve('config', Array, true)
#2 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(731): Illuminate\Foundation\Application->resolve('config', Array)
#3 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(918): Illuminate\Container\Container->make('config', Array)
#4 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php(1454): Illuminate\Foundation\Application->make('config')
#5 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(544): Illuminate\Container\Container->offsetGet('config')
#6 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(595): Illuminate\Log\LogManager->getDefaultDriver()
#7 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(124): Illuminate\Log\LogManager->parseDriver(NULL)
#8 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Log/LogManager.php(665): Illuminate\Log\LogManager->driver()
#9 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(287): Illuminate\Log\LogManager->error('Call to undefin...', Array)
#10 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(250): Illuminate\Foundation\Exceptions\Handler->reportThrowable(Object(Error))
#11 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(522): Illuminate\Foundation\Exceptions\Handler->report(Object(Error))
#12 /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(203): Illuminate\Foundation\Console\Kernel->reportException(Object(Error))
#13 /home/salman/public_html/your-project-name/artisan(35): Illuminate\Foundation\Console\Kernel->handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#14 {main}
  thrown in /home/salman/public_html/your-project-name/vendor/laravel/framework/src/Illuminate/Container/Container.php on line 914

I faced this issue in almalinux 8, centos and ubuntu 18 but not in ubuntu 20.

Below is the user's jail config:```

List of basic directories

dir /root/ 0700 root:root
dir /dev/ 0755 root:root
dir /etc/ 0755 root:root
dir /home/ 0755 root:root
dir /proc/ 0755 root:root
dir /usr/bin 0755 root:root
dir /usr/sbin 0755 root:root
dir /usr/lib/ 0755 root:root
dir /usr/lib64/ 0755 root:root
dir /usr/share/terminfo 0755 root:root
dir /usr/lib/terminfo 0755 root:root
dir /var 0755 root:root
slink /usr/bin /bin
slink /usr/sbin /sbin
slink /usr/lib /lib
slink /usr/lib64 /lib64

basic configration files

clink /etc/alternatives /etc/alternatives
clink /etc/named /etc/named
clink /etc/pam.d /etc/pam.d
clink /etc/pki /etc/pki
clink /etc/security /etc/security
clink /etc/ssh /etc/ssh
clink /etc/ssl /etc/ssl
clink /etc/systemd /etc/systemd
clink /etc/terminfo /etc/terminfo
clink /etc/aliases /etc/aliases
clink /etc/bashrc /etc/bashrc
clink /etc/crontab /etc/crontab
clink /etc/fstab /etc/fstab
clink /etc/inputrc /etc/inputrc
clink /etc/ld.so.conf /etc/ld.so.conf
clink /etc/nsswitch.conf /etc/nsswitch.conf
clink /etc/localtime /etc/localtime
clink /etc/mailips /etc/mailips
clink /etc/my.cnf /etc/my.cnf
clink /etc/hosts /etc/hosts
clink /etc/hostname /etc/hostname
clink /etc/services /etc/services
clink /etc/virc /etc/virc
clink /etc/shells /etc/shells

file /usr/local/jail-shell/misc/rootfs/etc/profile /etc/profile 0755 root:root

basic device files

clink /dev/null /dev/null
clink /dev/zero /dev/zero
clink /dev/ptmx /dev/ptmx
clink /dev/urandom /dev/urandom
clink /dev/tty /dev/tty
clink /dev/tty1 /dev/tty1
clink /dev/tty2 /dev/tty2
clink /dev/tty3 /dev/tty3
slink /proc/self/fd/2 /dev/stderr
slink /proc/self/fd/0 /dev/stdin
slink /proc/self/fd/1 /dev/stdout

basic command list

clink /usr/bin/sh /usr/bin/sh
clink /usr/bin/cat /usr/bin/cat
clink /usr/bin/ls /usr/bin/ls
clink /usr/bin/ps /usr/bin/ps
clink /usr/bin/bash /usr/bin/bash
clink /usr/bin/grep /usr/bin/grep
clink /usr/bin/rm /usr/bin/rm
clink /usr/bin/cp /usr/bin/cp
clink /usr/bin/touch /usr/bin/touch
clink /usr/bin/mv /usr/bin/mv
clink /usr/bin/hostname /usr/bin/hostname
clink /usr/bin/sed /usr/bin/sed
clink /usr/bin/true /usr/bin/true
clink /usr/bin/false /usr/bin/false
clink /usr/bin/mkdir /usr/bin/mkdir
clink /usr/bin/rmdir /usr/bin/rmdir
clink /usr/bin/dd /usr/bin/dd
clink /usr/bin/uname /usr/bin/uname
clink /usr/bin/date /usr/bin/date
clink /usr/bin/kill /usr/bin/kill
clink /usr/bin/tar /usr/bin/tar
clink /usr/bin/gzip /usr/bin/gzip
clink /usr/bin/[ /usr/bin/[
clink /usr/bin/tail /usr/bin/tail
clink /usr/bin/less /usr/bin/less
clink /usr/bin/awk /usr/bin/awk
clink /usr/bin/free /usr/bin/free
clink /usr/bin/head /usr/bin/head
clink /usr/bin/id /usr/bin/id
clink /usr/bin/tee /usr/bin/tee
clink /usr/bin/test /usr/bin/test
clink /usr/bin/gawk /usr/bin/gawk
clink /usr/bin/watch /usr/bin/watch
clink /usr/bin/which /usr/bin/which
clink /usr/bin/xargs /usr/bin/xargs
clink /usr/bin/find /usr/bin/find
clink /usr/bin/scp /usr/bin/scp
clink /usr/bin/basename /usr/bin/basename
clink /usr/bin/c++ /usr/bin/c++
clink /usr/bin/gcc /usr/bin/gcc
clink /usr/bin/as /usr/bin/as
clink /usr/bin/aulast /usr/bin/aulast
clink /usr/bin/authselect /usr/bin/authselect
clink /usr/bin/alias /usr/bin/alias
clink /usr/bin/alt-mysql-reconfigure /usr/bin/alt-mysql-reconfigure
clink /usr/bin/alt-php-mysql-reconfigure /usr/bin/alt-php-mysql-reconfigure
clink /usr/bin/alt-php-mysql-reconfigure.py /usr/bin/alt-php-mysql-reconfigure.py
clink /usr/bin/whatis /usr/bin/whatis
clink /usr/bin/bg /usr/bin/bg
clink /usr/bin/chage /usr/bin/chage
clink /usr/bin/chattr /usr/bin/chattr
clink /usr/bin/chgrp /usr/bin/chgrp
clink /usr/bin/chmod /usr/bin/chmod
clink /usr/bin/chown /usr/bin/chown
clink /usr/bin/cmp /usr/bin/cmp
clink /usr/bin/col /usr/bin/col
clink /usr/bin/clear /usr/bin/clear
clink /usr/bin/column /usr/bin/column
clink /usr/bin/command /usr/bin/command
clink /usr/bin/cpp /usr/bin/cpp
clink /usr/bin/crontab /usr/bin/crontab
clink /usr/bin/curl /usr/bin/curl
clink /usr/bin/cut /usr/bin/cut
clink /usr/bin/df /usr/bin/df
clink /usr/bin/dig /usr/bin/dig
clink /usr/bin/dirname /usr/bin/dirname
clink /usr/bin/du /usr/bin/du
clink /usr/bin/echo /usr/bin/echo
clink /usr/bin/egrep /usr/bin/egrep
clink /usr/bin/eject /usr/bin/eject
clink /usr/bin/fold /usr/bin/fold
clink /usr/bin/git /usr/bin/git
clink /usr/bin/git-shell /usr/bin/git-shell
clink /usr/bin/hash /usr/bin/hash
clink /usr/bin/host /usr/bin/host
clink /usr/bin/info /usr/bin/info
clink /usr/bin/install /usr/bin/install
clink /usr/bin/jobs /usr/bin/jobs
clink /usr/bin/join /usr/bin/join
clink /usr/bin/journalctl /usr/bin/journalctl
clink /usr/bin/killall /usr/bin/killall
clink /usr/bin/last /usr/bin/last
clink /usr/bin/lastlog /usr/bin/lastlog
clink /usr/bin/link /usr/bin/link
clink /usr/bin/linux32 /usr/bin/linux32
clink /usr/bin/linux64 /usr/bin/linux64
clink /usr/bin/setarch /usr/bin/setarch
clink /usr/bin/ln /usr/bin/ln
clink /usr/bin/locale /usr/bin/locale
clink /usr/bin/login /usr/bin/login
clink /usr/bin/loginctl /usr/bin/loginctl
clink /usr/bin/look /usr/bin/look
clink /usr/bin/lynx /usr/bin/lynx
clink /usr/bin/mail /usr/bin/mail
clink /usr/bin/mailx /usr/bin/mailx
clink /usr/bin/mailq /usr/bin/mailq
clink /usr/bin/Mail /usr/bin/Mail
clink /usr/bin/mailq.exim /usr/bin/mailq.exim
clink /usr/bin/mailq.sendmail /usr/bin/mailq.sendmail
clink /usr/bin/make /usr/bin/make
clink /usr/bin/mailstat /usr/bin/mailstat
clink /usr/bin/man /usr/bin/man
clink /usr/bin/makedb /usr/bin/makedb
clink /usr/bin/mount /usr/bin/mount
clink /usr/bin/mknod /usr/bin/mknod
clink /usr/bin/mysql /usr/bin/mysql
clink /usr/bin/mysql_config_editor /usr/bin/mysql_config_editor
clink /usr/bin/mysqladmin /usr/bin/mysqladmin
clink /usr/bin/mysqlbinlog /usr/bin/mysqlbinlog
clink /usr/bin/mysqlcheck /usr/bin/mysqlcheck
clink /usr/bin/mysqldump /usr/bin/mysqldump
clink /usr/bin/mysqlimport /usr/bin/mysqlimport
clink /usr/bin/netstat /usr/bin/netstat
clink /usr/bin/nslookup /usr/bin/nslookup
clink /usr/bin/nohup /usr/bin/nohup
clink /usr/bin/openssl /usr/bin/openssl
clink /usr/bin/paste /usr/bin/paste
clink /usr/bin/perl /usr/bin/perl
clink /usr/bin/php /usr/bin/php
clink /usr/bin/php-cgi /usr/bin/php-cgi
clink /usr/bin/ping /usr/bin/ping
clink /usr/bin/pkttyagent /usr/bin/pkttyagent
clink /usr/bin/printf /usr/bin/printf
clink /usr/bin/pwd /usr/bin/pwd
clink /usr/bin/quota /usr/bin/quota
clink /usr/bin/read /usr/bin/read
clink /usr/bin/readlink /usr/bin/readlink
clink /usr/bin/realpath /usr/bin/realpath
clink /usr/bin/rmail /usr/bin/rmail
clink /usr/bin/rpm /usr/bin/rpm
clink /usr/bin/rsync /usr/bin/rsync
clink /usr/bin/script /usr/bin/script
clink /usr/bin/sftp /usr/bin/sftp
clink /usr/bin/sort /usr/bin/sort
clink /usr/bin/split /usr/bin/split
clink /usr/bin/ssh /usr/bin/ssh
clink /usr/bin/ssh-add /usr/bin/ssh-add
clink /usr/bin/ssh-agent /usr/bin/ssh-agent
clink /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id
clink /usr/bin/ssh-keygen /usr/bin/ssh-keygen
clink /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan
clink /usr/bin/stty /usr/bin/stty
clink /usr/bin/sleep /usr/bin/sleep
clink /usr/bin/size /usr/bin/size
clink /usr/bin/systemctl /usr/bin/systemctl
clink /usr/bin/top /usr/bin/top
clink /usr/bin/unlink /usr/bin/unlink
clink /usr/bin/unzip /usr/bin/unzip
clink /usr/bin/vi /usr/bin/vi
clink /usr/bin/wget /usr/bin/wget
clink /usr/bin/whereis /usr/bin/whereis
clink /usr/bin/who /usr/bin/who
clink /usr/bin/whoami /usr/bin/whoami
clink /usr/bin/yum /usr/bin/yum

clink /usr/lib/systemd /usr/lib/systemd
clink /usr/lib64/libnss_compat-2.28.so /usr/lib64/libnss_compat-2.28.so
clink /usr/lib64/libnss_compat.so.2 /usr/lib64/libnss_compat.so.2
clink /usr/lib64/libnss_files-2.28.so /usr/lib64/libnss_files-2.28.so
clink /usr/lib64/libnss_files.so.2 /usr/lib64/libnss_files.so.2
clink /usr/lib64/libnss_dns-2.28.so /usr/lib64/libnss_dns-2.28.so
clink /usr/lib64/libnss_dns.so.2 /usr/lib64/libnss_dns.so.2

Base directory binding configuration

Set directory read-only, and prohibit device files

bind / ro,nodev,nosuid
bind /dev ro,dev,noexec,nosuid

bind /usr/share/terminfo /usr/share/terminfo ro,nodev,nosuid
bind /var /var ro,nodev,nosuid

bind /home/salman /home/salman rw,nodev,nosuid

system command list

this used for user to change password.

cmd /usr/bin/passwd /usr/bin/passwd -:-

Basic library list

dir /usr/lib64 0755 root:root
dir /lib64 0755 root:root
clink /lib64/libnss_compat.so.2 /lib64/libnss_compat.so.2
clink /lib64/libnss_files.so.2 /lib64/libnss_files.so.2
clink /lib64/libnss_dns.so.2 /lib64/libnss_dns.so.2

There is a certain degree of probability for command failed to run, without any results!

if the command has a long output, run the command time and time again, we could find sometimes the command failed to run.

Effectively non-chrooted/jailed users. What am i missing?

I have followed the instructions to to install and jail-shell is compiled and installed.

Now when i follow the instructions to create a new user on the system called "tester", i am STILL able to see the entire file system, including those of other users on the system, both with SSH and SFTP. This is NOT what I am after.

I need each user on my system to have their own shell, restricted to a very limited set of commands that i wish they have access to, plus I need them only to be able to see or navigate only the files they own within their own home directory. When SFTP is used, they should not be able to move outside their directory.

What is the magic words I need to be searching for because restricted shell, jail nor chroot all work for both SSH and SFTP even though SFTP is uses SSH2.

I am at my wits end here. This is what prevents me from moving away from cPanel. I am building a cPanel-like web hosting solution based around Traefik 2.x but this security stuff needs to be addressed first. This will be open sourced.

Your help is appreciated.

UPDATE:

I was finally able to get the jail-shell working for "tester" where SSH is concerned but i still don't have any SFTP access.

Cannot allocate memory

Hi
Has anyone come across an issue where a jailed user cannot log in.
When trying to log in using SSH, I get error about broken pipe.

Trying to log in locally using sudo su - USER outputs this error:

su: cannot create child process: Cannot allocate memory

I am running Ubuntu 20.04.2

Issue getting SCP to work on jail

Hello,

In documentation says users can login through SCP but using default settings or even trying to debug i couldn't get SCP to work.

At first i found a few files missing on the jail and so have give them access:

clink /etc/security/pam_env.conf /etc/security/pam_env.conf
clink /etc/environment /etc/environment
clink /var/run/dbus/system_bus_socket /var/run/dbus/system_bus_socket

But still doesn't work and only thing i can get from strace is:

select(7, [3 4], NULL, NULL, NULL) = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=28203, si_uid=0, si_status=0, si_utime=1, si_stime=0} ---
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG, NULL) = 28203
wait4(-1, 0x7fffb9d61694, WNOHANG, NULL) = -1 ECHILD (No child processes)
rt_sigaction(SIGCHLD, NULL, {sa_handler=0x555f300fcfc0, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fd2f3a37400}, 8) = 0
rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
select(7, [3 4], NULL, NULL, NULL^Cstrace: Process 18335 detached

Thank you

Home directory is stuck in read only.

Hello,

I'm having a small issue where for a jailshell user, I cannot make their /home/USER directory writable.

control:~ $ touch 1
touch: cannot touch '1': Read-only file system

I've tried everything from using a bind (with rw flag) to adjusting the namespace config. The only thing that works is using uts in the config, but that gives access to far more than I wanted to.

Is there a way to make the home directory read / writable for this user?

PHP Composer is not working

Do you have any suggestions to make PHP Composer working in the jailed shell? I've tried to clink it, but that's not the way... Generally PHP itself has problem to work in this environment, including DNS resolving issues. I'd be appreciated if you come up with a solution.

how to add environment variable for the cmd command defined in cfg file?

profile bashrc...，such files in jail or out jail are all unuseful to add a env for the command. How to add a env for a chroot?

Is there a way to execute /bin/bash as user and enter the jailed environment?

Is there a way to execute /bin/bash as user and enter the jailed environment?
Basically I need a command to enter /bin/bash when stepping down as user using posix_setuid.

"make" error

Environment - Ubuntu 16.04 in a Vagrant machine
Immediate error after cloning the repo.

root@jenkins:~/jail-shell# make
make -C jail-cmd  all
make[1]: Entering directory '/root/jail-shell/jail-cmd'
cc -g -O2 -Werror -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing    -c -o jail-cmd.o jail-cmd.c
jail-cmd.c: In function ‘help’:
jail-cmd.c:46:2: error: format not a string literal and no format arguments [-Werror=format-security]
  printf(help);
  ^
jail-cmd.c: In function ‘cmd_init’:
jail-cmd.c:100:4: error: format not a string literal and no format arguments [-Werror=format-security]
    snprintf(cmd->term, TMP_BUFF_LEN_32, getenv("TERM"));
    ^
jail-cmd.c:100:4: error: format not a string literal and no format arguments [-Werror=format-security]
jail-cmd.c: In function ‘process_cmd’:
jail-cmd.c:191:3: error: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Werror=unused-result]
   write(STDOUT_FILENO, cmd_data->data, cmd_head->data_len);
   ^
jail-cmd.c:196:3: error: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Werror=unused-result]
   write(STDERR_FILENO, cmd_data->data, cmd_head->data_len);
   ^
cc1: all warnings being treated as errors
<builtin>: recipe for target 'jail-cmd.o' failed
make[1]: *** [jail-cmd.o] Error 1
make[1]: Leaving directory '/root/jail-shell/jail-cmd'
Makefile:14: recipe for target 'JAIL_CMD' failed
make: *** [JAIL_CMD] Error 2

/home/user is empty

I jailed an already created user using your commands.
The /home/user directory has files and directories like public_html, mail, www, ssl, etc.
But in the jailed environment, the /home/user directory is empty.
I checked that in WinSCP.
I want that when I jail user, the home folder should retain all its files and folders.

Nano editor is not working

I receive the error below when I try to use nano command inside jailed shell:

Error opening terminal: xterm.

Any ideas on how to solve it?

socket to jail

Hello

What is best way to make a unix socket available inside the jail?

To test this I have created a clink to mysql socket, for example:

clink /var/run/mysql.sock /var/run/mysql.sock

It works until mysql service is restarted. The only way to make it work again is to install jail by doing so "jail-shell jail -i jailname".

Thank you

undefined symbol: pam_get_user

Related issue: gravitational/teleport#3171

I'm trying to use jail-shell pam module with "Teleport" it's a SSH Gateway, when using the jail-shell pam module with it I get:
PAM unable to dlopen(/lib/x86_64-linux-gnu/security/pam_jail_shell.so): /lib/x86_64-linux-gnu/security/pam_jail_shell.so: undefined symbol: pam_get_user

I tried to use ldd on the file "pam_jail_shell.so":

/lib/x86_64-linux-gnu/security# ldd -r pam_jail_shell.so 
	linux-vdso.so.1 (0x000072e1dab34000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x000072e1d9d7a000)
	/lib64/ld-linux-x86-64.so.2 (0x000072e1dab35000)
undefined symbol: pam_get_user	(./pam_jail_shell.so)
undefined symbol: pam_vsyslog	(./pam_jail_shell.so)
undefined symbol: pam_putenv	(./pam_jail_shell.so)

Check related issue for more details (like my common-session file which Teleport run).

Maybe I need to import a parent library ? I don't know what I am missing..

Your module work in normal SSH tho.

Can't change jail-shell php version

Is there a way to change the php version jail-shell uses?
I tried to change by setting alias php="desired/php/path" in .bashrc and .bash_profile but without success.

No such file or directory

pam_jail_shell.c:29:34: fatal error: security/pam_modules.h: No such file or directory
#include <security/pam_modules.h>

file not found through root user

i can upload files into the home directory through jailed user. I can add/remove files/directories too. But i couldnt find same file/directory through system root user. I searched the uploaded file name across the file system but didnt find it through system root user. My idea is to link sftp user home directory to a mounted volume. please assist

Regards

pymumu / jail-shell Goto Github PK

jail-shell's Introduction

Jail-Shell

Features

Architecture

Compile and install

Usage

Example

Jail Config file format description

Security Tips

File Directory Description

Debugging the chroot environment

License

Donate

Similar tools

jail-shell's People

Contributors

Stargazers

Watchers

Forkers

jail-shell's Issues

List of basic directories

basic configration files

basic device files

basic command list

Base directory binding configuration

Set directory read-only, and prohibit device files

system command list

this used for user to change password.

Basic library list

Recommend Projects

Recommend Topics

Recommend Org