BubbleWrap jail for ssh/crons (BETA)(TEMPLATES)(SKINS)

Version 1.61.0


For CentOS 7 and up, CustomBuild now supports:

./build bubblewrap
./build jailshell

to install /usr/bin/jailshell.

DirectAdmin can make use of this with a new directadmin.conf value (set to 0 by default):

/usr/local/directadmin/directadmin set jail 1
service directadmin restart

which enables the package/reseller/user.conf options for "jail=ON/OFF".

Any sshd related changes will save /usr/bin/jailshell (if it exists) to that User's shell in /etc/passwd.
Any cron changes will save SHELL=/usr/bin/jailshell (if it exists) in that User's crontab.
ssh does not need to be enabled to enable jail for the given User.

Alternatively, you can set:

/usr/local/directadmin/directadmin set jail 2
service directadmin restart

so that regardless of any package/reseller/user.conf settings, jail is ALWAYS enabled, and will always be set for ssh/cron when saved.

Note this does not work on all OSs and some VPSs, either because the kernel does not support it or, for VPSs, because the VPS may already be using this jailing technology, so it cannot be double-bubbled.

--------------------
KNOWN ISSUES

exim is within the jail and is not yet able to read the exim.conf. We're working on a solution.

--------------------
GLOBAL TOKENS

HAVE_JAIL=0|1|2

Note that this is entirely based on the directadmin.conf.
CustomBuild will need to set jail=1 upon ./build jailshell and restart DA.
Admins can bump this up to level 2 if desired.

--------------------
TEMPLATE TOKENS

USE_JAILSHELL=no|yes
JAIL_TRUE_FALSE= "" || "jail=true"   #where if it's false, it's blank. jail=true is in the token only if it's enabled for this User.

--------------------
TEMPLATES

virtual_host2*.conf

to add |JAIL_TRUE_FALSE| just after the |DOMAIN|.ini in the 2x FCGIWrapper lines.

--------------------
SKINS

reseller/create_customized_user.html
reseller/modify_user.html
lang/en/lf_standard.html
lang/en/internal/command.txt

--------------------
TAGS

jail
chroot
sandbox

--------------------
Evo1866

Possible design change:
da.conf:jail=1 is a feature, not a requirement.
Aside from =2, some way to prevent Resellers from disabling it.
Not applicable with =2, but an Admin may want more control over forcing Resellers/Users, with control over on/off on a per-account basis.
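
Because the jail shell is only written to /etc/passwd and to a crontab when that account's ssh or cron settings are saved, accounts that should be jailed can still carry their old shell. The script below is an added example, not DirectAdmin or CustomBuild code, that reports such accounts. The function names, the argument layout (a directory of <user>/user.conf files and a directory with one crontab file per user) and the fixture in demo() are assumptions of this example.

```bash
#!/bin/bash
JAILSHELL=/usr/bin/jailshell

# audit_jail LEVEL PASSWD USERS_DIR CRON_DIR
#   LEVEL      jail= value from directadmin.conf (0, 1 or 2)
#   USERS_DIR  holds <user>/user.conf; CRON_DIR holds one crontab per user
#              (both layouts are assumptions of this example)
# Prints "user:finding" lines; returns 1 if any account is stale.
audit_jail() {
    local level="$1" passwd="$2" users="$3" crons="$4" found=0 conf user shell
    [ "$level" = 0 ] && return 0        # feature off, nothing to expect
    for conf in "$users"/*/user.conf; do
        [ -f "$conf" ] || continue
        user=$(basename "$(dirname "$conf")")
        # Level 1 honours per-user jail=ON/OFF; level 2 jails everyone.
        if [ "$level" = 1 ] && ! grep -qx 'jail=ON' "$conf"; then continue; fi
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
        case "$shell" in
            "$JAILSHELL"|*/nologin|*/false) ;;   # jailed, or cannot log in
            *) echo "$user:shell=$shell"; found=1 ;;
        esac
        # A crontab only gains the SHELL= line when it is next saved.
        if [ -f "$crons/$user" ] && ! grep -qx "SHELL=$JAILSHELL" "$crons/$user"; then
            echo "$user:crontab-unjailed"; found=1
        fi
    done
    return "$found"
}

# Constructed fixture: alice is jailed, bob is jail=ON but stale, carol is OFF.
demo() {
    local d rc=0
    d=$(mktemp -d)
    mkdir -p "$d/users/alice" "$d/users/bob" "$d/users/carol" "$d/cron"
    echo 'jail=ON'  > "$d/users/alice/user.conf"
    echo 'jail=ON'  > "$d/users/bob/user.conf"
    echo 'jail=OFF' > "$d/users/carol/user.conf"
    printf '%s\n' "alice:x:1001:1001::/home/alice:$JAILSHELL" \
        'bob:x:1002:1002::/home/bob:/bin/bash' \
        'carol:x:1003:1003::/home/carol:/bin/bash' > "$d/passwd"
    printf 'SHELL=%s\n* * * * * true\n' "$JAILSHELL" > "$d/cron/alice"
    printf '* * * * * true\n' > "$d/cron/bob"
    audit_jail "${1:-1}" "$d/passwd" "$d/users" "$d/cron" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Call demo with 1 or 2 to see the difference between the two jail levels on the constructed accounts. On a real host, pass audit_jail the jail level plus the passwd file, user data directory and crontab spool directory of that install.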
