LinuxQuestions.org


gm33 05-07-2013 07:06 AM

Looking for a way to jail a process/user in directory
 
Hello,

I'm creating a game hosting control panel.
It lets people manage their gameservers, which are hosted on dedicated servers, through a simple PHP-made control panel.
The communication between the control panel and the dedicated servers is all managed, but I'm stuck at one big problem!
I looked at another game hoster (with a custom panel) and saw that he was able to start his gameserver process in a jailed directory, and when I tried to execute shell by using the gameserver process, it just returned nothing on everything I executed!

Example:
Gameserver path: /home/servers/12345/
Gameserver executable: /home/servers/12345/gameserver
This user has to be jailed within the Gameserver path, but must be able to have the process started under his name.

Thanks in advance.

pan64 05-07-2013 09:08 AM

Are you looking for a restricted shell?
https://www.gnu.org/software/bash/ma...ted-Shell.html

gm33 05-07-2013 09:11 AM

I tried that out! rbash, but if you just type bash, you are able to use bash...

pan64 05-07-2013 09:15 AM

So in that case the environment is not OK. You need to set up an environment (especially PATH) before executing rbash. It will ensure that the user will not have access to "illegal" tools.
I would suggest you collect your apps into /usr/local/restricted/bin, set PATH to there, and remove /usr/bin and /bin.
There can be other solutions.

unSpawn 05-08-2013 02:05 AM

See http://www.linuxquestions.org/questi...tempts-340366/

gm33 05-08-2013 11:06 AM

Quote:

Originally Posted by unSpawn (Post 4947028)

Do you mean the AllowUsers variable in the sshd_config?

I still have no clue how to do this the best way!

Quote:

Originally Posted by pan64
So in that case the environment is not OK. You need to set up an environment (especially PATH) before executing rbash. It will ensure that the user will not have access to "illegal" tools.
I would suggest you collect your apps into /usr/local/restricted/bin, set PATH to there, and remove /usr/bin and /bin.
There can be other solutions.

The user should not have access to execute any ssh command at all! BUT it needs to be able to run the gameserver!

unSpawn 05-09-2013 01:55 AM

Quote:

Originally Posted by gm33 (Post 4947259)
Do you mean the AllowUsers variable in the sshd_config?

Sorry, wrong link, please ignore.


Quote:

Originally Posted by gm33 (Post 4947259)
I still have no clue how to do this the best way!
The user should not have access to execute any ssh command at all! BUT it needs to be able to run the gameserver!

Any form of virtualization in which a user runs processes inside its own container obviously offers a stronger form of isolation. So IMHO it depends on the specific capabilities of your platform, or phrased differently: how generic the solution should be. The strongest compartmentalization solutions are definitely invasive and not generic. The most generic one is chroot, possibly followed by LXC / cgroups (but only on more recent kernels).


@pan64: could you please stop pimping rbash usage everywhere? In this day and age rbash is the most inefficient, weakest option possible. In fact I would mark it a non-solution in almost all cases. Thanks in advance.

pan64 05-09-2013 02:13 AM

Quote:

Originally Posted by unSpawn (Post 4947636)

@pan64: could you please stop pimping rbash usage everywhere? In this day and age rbash is the most inefficient, weakest option possible. In fact I would mark it a non-solution in almost all cases. Thanks in advance.

No, I do not want them to use rbash, just asked them...

sundialsvcs 05-09-2013 08:40 AM

It sounds like you are referring to a chroot jail.

gm33 05-09-2013 11:58 AM

Someone told me this:
Quote:

Chrooted sftp, look it up.
You just create a group for sftp users, create the users and set the directory in sshd_config.
That would work great, but I just need to know how I can let that user start the gameserver.
Any ideas?

unSpawn 05-09-2013 12:34 PM

As I said before:
Quote:

Originally Posted by unSpawn (Post 4947636)
chroot

Do some research, get some examples, experiment.
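
An added example, not part of the thread or any poster's code: a small root-started launcher that chroots into the gameserver directory and permanently drops to the customer's uid/gid before exec, since a process that stays root can leave a chroot. The names `enter_jail` and `jailrun` and the numeric uid/gid arguments are assumptions for illustration.

```c
#define _DEFAULT_SOURCE          /* for chroot() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `dir` and permanently drop root.
 * Returns 0 on success, -1 with errno set on failure. Must start as root. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {              /* root inside a chroot is not confined */
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) != 0)  return -1;         /* be inside before changing root */
    if (chroot(".") != 0) return -1;
    if (chdir("/") != 0)  return -1;         /* leave no cwd outside the jail */
    if (setgroups(0, NULL) != 0) return -1;  /* drop supplementary groups */
    if (setgid(gid) != 0) return -1;         /* group first, while still root */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) {                    /* regaining root must fail */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* usage (hypothetical): jailrun <jail-dir> <uid> <gid> <program> [args...] */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid> <program> [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    char *const envp[] = { "PATH=/", NULL }; /* do not pass the panel's environment */
    execve(argv[4], &argv[4], envp);         /* path is resolved inside the jail */
    perror("execve");
    return 127;
}
```

With the thread's layout this would be run as root as `jailrun /home/servers/12345 <uid> <gid> /gameserver`; the jail directory has to contain the executable plus every shared library and data file it needs, because nothing outside it is visible after the chroot.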


All times are GMT -5.