We’ve found the Jailkit in CWP 7 to be a bit hit-and-miss with regard to whether it completes enabling or disabling jails for users.
The main components of the jail that you should check if you are having issues are:
- Has the jail structure been created under /home/jail?
- Is the user home directory bind mounted to the jail home directory?
- Is the /etc/fstab entry present and correct?
- Is the user entry in /etc/passwd correct?
The CWP Jailkit process approximately runs in the following order:
- The jail is created using jk_init
- The user’s shell is changed in /etc/passwd & home directory changed to the jail using jk_jailuser
- The user home directory is bind-mounted to the jail
- An entry is made in the /etc/fstab file for the bind mount
- Startup files are created to ensure the bind mount is performed on restart
- File and folder permissions are checked/updated for the user home directory via the jail path (this can be time consuming if the user has lots of data stored in their home directory)
We’ll go through each of these in more detail below. The marker [USERNAME] should be replaced with the actual user name in question.
Has the jail structure been created under /home/jail?
This should be in the format /home/jail/[USERNAME]
Under this there should be multiple directories with the following format and permissions:
lrwxrwxrwx 1 root root 7 Feb 20 07:45 bin -> usr/bin
drwxr-xr-x 2 root root 44 Feb 20 07:45 dev
drwxr-xr-x 3 root root 259 Feb 20 07:46 etc
drwxr-xr-x 3 root root 21 Feb 20 07:45 home
lrwxrwxrwx 1 root root 9 Feb 20 07:45 lib64 -> usr/lib64
drwxr-xr-x 2 [USERNAME] [USERNAME_GROUP] 6 Feb 20 07:46 tmp
drwxr-xr-x 7 root root 70 Feb 20 07:46 usr
The [JAIL]/home directory should have the following structure and permissions:
drwxr-xr-x 12 [USERNAME] [USERNAME_GROUP] 301 Feb 19 17:26 [USERNAME]
This is where the user’s current home directory /home/[USERNAME] is bind mounted to. So after enabling Jailkit access for a user /home/jail/[USERNAME]/home/[USERNAME]/ should list the exact same files and directories as the user’s home directory /home/[USERNAME].
Is the user home directory bind mounted to the jail home directory?
Run ‘mount’ from the command line as root, or ‘mount | grep [USERNAME].
You should see an entry like the one below for your user:
/dev/mapper/centos-home on /home/jail/[USERNAME]/home/[USERNAME] type xfs (rw,relatime,attr2,inode64,noquota)
Is the /etc/fstab entry present and correct?
During the jailing of a user their home directory (/home/[USERNAME]) is bind mounted to the jail at /home/jail/[USERNAME]/home/[USERNAME]/.
In order for this to persist through server reboots an entry is added to the /etc/fstab file like:
/home/[USERNAME] /home/jail/[USERNAME]/home/[USERNAME] none bind,nobootwait 0 0
Is the user entry in /etc/passwd correct?
The user entry in this file determines what shell the user can access and where the user’s home directory is located. Enabling a jail for the user in CWP changes both of these settings.
After successfully enabling a jail the user entry should look similar to this:
[USERNAME]:x:1000:1000::/home/jail/[USERNAME]/./home/[USERNAME]:/usr/sbin/jk_chrootsh
The /home/jail/[USERNAME]/./home/[USERNAME] part specifies the user’s home directory. As you can see, Jailkit this uses a special format for the home directory path that has a period (.) denoting where the actual root of the home directory should start for the jailed.
The jailed user is also restricted to using the Jailkit interactive shell /usr/sbin/jk_chrootsh.
What to do if any of these are incorrect?
If any of the above are incorrect you can try manually correcting them (e.g. editing /etc/passwd, etc.). However, sometimes this can be more time-consuming and complex than it’s worth and starting again is the best option.
To start again, either use the GUI to change the user shell access back to disabled, or use the script /scripts/chroot_remove from the command line.
Once CWP has made its changes, recheck that all the points mentioned above have been reverted to what they should be:
- \etc\fstab – entry should have been removed
- \etc\passwd – home directory should be \home[USERNAME] and shell set to /sbin/nologin
- mount – should no longer show an entry for the user
- /home/jail/[USERANAME] – should no longer exist
VERY IMPORTANT: do not manually delete the /home/jail/[USERNAME] directory without first making sure that /home/[USERNAME] is no longer mounted. If the jail is still mounted to the users home directory, deleting the jail files structure will also delete all the users files and folders.
Always double check the mounts before manually deleting a jail directory (e.g. mount | grep [USERNAME])!
How Do I Update An Existing Jail?
If you’ve added a new section to your /etc/jailkit/jk_init.ini file (e.g. [php]) and CWP has already set up the jail for a user you can add additional sections to the existing jail by rerunning the jk_init application specifying the new section to add to the jail.
For example, you define the following new sections in your /etc/jailkit/jk_init.ini:
[php]
comment = the php interpreter and libraries
executables = /usr/bin/php
directories = /usr/lib/php, /usr/share/php, /usr/share/php*, /etc/php, /usr/share/zoneinfo, /usr/share/ca-certificates$
includesections = env, netbasic
[env]
comment = environment variables
executables = /usr/bin/env
You would then need to run the following to add PHP functionality to an existing user jail:
jk_init -f -j /home/jail/[USERNAME] php
This will add the section defined in the jk_init.ini file named [php] to the existing jail.