Table of Contents

How-to Enable Jailed Shells

Related Documentation:

Prerequisites

Last Updated for InterWorx version 3.0.1

 You probably don’t need to do this. All servers installed with InterWorx-CP versions 2.1.0 and later already have this taken care of.

 This process is only required for servers that DO NOT have /usr/sbin/jk_chrootsh in the Default Shell drop-down on the Shell Users page.

Purpose

The jk_chrootsh jailed shell is one of several shell options you can give to a user. What distinguishes the jailed shell from the other shell options is that the user, once logged in to the server, will have a changed restricted directory. Specifically, the user’s / will actually be the system’s /chroot/ directory and the user will not be able to navigate out of the /chroot directory. This provides additional security when offering users shell access to the server, as they will only be able to access a restricted, and controlled, portion of the server. If you are upgrading from a previous version of InterWorx-CP, you will need to follow the steps below to enabled jailed shells.

Procedure - Initial Preparation

  1. SSH in to the server.

  2. su to the root user

  3. Stop all services that are using resources on /home. The list of services to be stopped will vary, depending on your server setup, but InterWorx-CP and Apache will need to be stopped: 

    [root@test-box ~]# service iworx stop
[root@test-box ~]# service httpd stop

  4. You can check to see what is using the /home directory by using the lsof command: 

    [root@test-box ~]# lsof /home

    If there is no output, that means no resources are using /home.

  5. Determine if /home is a directory or a mounted partition: 

    [root@test-box ~]# df -h | grep /home

    1. If /home is a directory, you will see this: 

      [root@test-box ~]# mount | grep /home
[root@test-box ~]#

      That is, you will not get any output, indicating /home is a directory.

    2. If /home is a partition, you will see something similar to this: 

      [root@test-box ~]# mount | grep /home
/dev/md5 on /home type ext3 (rw,noatime,usrquota,grpquota)
[root@test-box ~]#

      This indicates /home is a partition. Also, make note of the device as you will need it later. In the example above, the device is /dev/md5.

  6. Continue on to the corresponding section below.

Procedure - /home is a Directory

 If /home is a directory on your server, follow this procedure

  1. Create the /chroot directory: 

    [root@test-box ~]# mkdir /chroot

  2. Set the permissions on the /chroot directory: 

    [root@test-box ~]# chmod 711 /chroot

  3. Move the /home directory into the chroot directory: 

    [root@test-box ~]# cd /
[root@test-box ~]# mv /home /chroot
[root@test-box ~]# chmod 711 /chroot/home

  4. Symlink the /home directory to /chroot/home so all your paths to /home still work correctly: 

    [root@test-box ~]# ln -fs /chroot/home /home

  5. When you next access the ♦    Shell Users page in NodeWorx, InterWorx-CP will generate the rest of the needed jailing directories in /chroot. Navigate there now.

  6. There should now be the /usr/sbin/jk_chrootsh option in the Shell drop-down list.

Procedure - /home is a Partition

 If /home is a partition on your server, follow this procedure

  1. Unmount the /home partition: 

    [root@test-box ~]# cd /
[root@test-box ~]# umount /home

  2. Delete the /home directory: 

    [root@test-box ~]# rm -r /home

     Be sure that the /home directory is unmounted, otherwise this will delete all your data, including the InterWorx-CP installation

  3. Open /etc/fstab in your editor of choice. Look for a line similar to: 

    /dev/md5                /home                   ext3    defaults,noatime,usrquota,grpquota        1 2

    or 

    LABEL=/home             /home                   ext3    defaults,noatime,usrquota,grpquota        1 2

    Specifically, you are looking for /home in the second column.

  4. Replace /home in the second column with /chroot. If your /etc/fstab also has LABEL=/home in the first column, replace it with the device you found above. For example: 

    /dev/md5                /chroot                   ext3    defaults,noatime,usrquota,grpquota        1 2

  5. Save and exit the file.

  6. Make the /chroot directory, and chmod it 711: 

    [root@test-box ~]# mkdir -p /chroot
[root@test-box ~]# chmod 711 /chroot

  7. Mount the /chroot partition: 

    [root@test-box ~]# cd /
[root@test-box ~]# mount /chroot

  8. Make the /chroot/home directory and chmod it 711: 

    [root@test-box ~]# mkdir /chroot/home
[root@test-box ~]# chmod 711 /chroot/home

  9. Move everything in /chroot in to /home: 

    [root@test-box ~]# mv /chroot/* /chroot/home

  10. Symlink the /home directory to /chroot/home so all your paths to /home still work correctly: 

    [root@test-box ~]# ln -fs /chroot/home /home

  11. When you next access the ♦    Shell Users page in NodeWorx, InterWorx-CP will generate the rest of the needed jailing directories in /chroot. Navigate there now.

  12. There should now be the /usr/sbin/jk_chrootsh option in the Shell drop-down list.

  If you deem that your users need access to another command you use the jk_cp command from the root shell to add the command you want to enable e.g. jk_cp /chroot /usr/bin/command-you-want-to-install

COPYRIGHT © InterWorx L.L.C. 2004-2008 PRIVACY POLICYEULA