5210R: Chrooted Jails via Jailkit

Posted by: mstauber Category: General

BlueOnyx 5210R got a couple of new features such as explicit FTP, true SFTP and Jailkit Chroot jails.

As anounced in the previous developer diary entry for BlueOnyx 5210R we just enhanced BlueOnyx 5210R with some new and interesting features. This article will explain the changes.

Explicit FTP and FTPS

The ProFTP server is now configured to provide both FTP and FTPS as "explicit FTP". This means: ProFTP now only answers on port 21 for both protocols: FTP and FTPS. A FTP-client that understands FTPS will therefore by default use the TLS to communicate with ProFTPd in an encrypted fashion. If the FTP client doesn't support TLS, then it can still fallback to regular FTP and the communication will commence unencrypted.

As we no longer use port 990 for FTPS you might need to inform your users or update your client instructions on how to use FTP.

The GUI page to manage the FTP service has also been moved and merge into the GUI page that previously handled SSH. This new consolidated GUI page is now labled "SSH & FTP" and it looks like above.

Jailkit: Chrooted SSH, SFTP, SCP, and RSYNC

We also integrated Jailkit into BlueOnyx 5210R and this allows us to allow fine tuned and limited access of individual Vsite users to services such as SFTP, SCP and RSYNC (all realized over the SSH-port) or even all the prior plus true SSH shell access. Both are set up to be served from a Chrooted jail that limits the logged in user to a small subset of commands and restricts him to a directory that is well within the Vsite file tree. Therefore: Even with "SFTP, SCP & RSYNC" active or the more generous "Chrooted SSH, SFTP, SCP & RSYNC" the user cannot see any files that aren't part of the Vsite that he belongs to.

In order to realize this several changes had to be made to BlueOnyx 5210R. For starters the directory structure of a Vsite had to be adjusted slightly to allow for room for the Chroot jails. Additionally the permissions of all directories had to be adjusted in a stricter fashion. The stricter permissions also made it necessary to remove the feature "User Owend Webs", where individual users had their own /web directory, that could be made available via http://<site>/~username/ - however: With the introduction of suPHP and PHP-FPM this feature started a slow deprecation process that now has come to an end.

The new directory structure of a Vsite now looks like this:

As you can see there: The /web folder of a Vsite now resides under /home/.sites/<group>/wwwroot/web and the change is that it got nested under the new /wwwroot directory.

User home directories now reside under /home/.sites/<group>/home/users/<username> and the change is the insertion of the new /home directory into the path.

A Vsite with Jailkit jails will have two distinct Chrooted jails:

Users with the siteAdmin privilege will get jailed into /home/.sites/<group>/ and can therefore see all the files that belong to their Vsite.

Users without the siteAdmin privilege will get jailed into /home/.sites/<group>/home/ instead. From within that directory they have no access to the Vsite /wwwroot directory and directory permissions are so restrictive that the only user related data they can access is those within their own user directory.

In the above screen you can see additional OS related directories such as /bin, /dev, /etc and so on. These get automatically created and populated when a Vsite is configured to provide any shell related services and they contain a stripped down minimal OS with a limited feature set. The additional space requirements for these are around 75-80 MB in total.

Related GUI changes:

Below you can see how the GUI now looks with these new features integrated. The first screenshot shows the view of the "Add Vsite" dialogue and that is where you can configure the "Shell Access" for a new Vsite:

The available options for Shell Access are:

  • None (default)
  • Chrooted SFTP, SCP and RSYNC
  • Chrooted Shell, SFTP, SCP and RSYNC
  • Full Shell Access

The option "Full Shell Access" is the old fashioned shell access that we could optionally provide before. It means what it says: A user has full shell access to the server - without Jail. That option should only be used for the most trustworthy of users or generally: Not at all.

The other chrooted options provide exactly what they say: Jailed access, with or without the ability to get an interactive shell via SSH.

Virtual Site List

To make it easy to see which Vsites have what level of access to the new features we also modified the Virtual Site List a little.

In this example the Vsite 5210r1.smd.net has the icon (#>), which indicates that the maximum level of shell access it allows for a siteAdmin to grant is 'Chrooted Shell, SFTP, SCP and RSYNC'.

The Vsite '5210r2.smd.net' has the icon SFTP, which indicates that it at the most grants a siteAdmin the ability to grant 'Chrooted SFTP, SCP and RSYNC' to users.

Finally there is the Vsite '5210r3.smd.net', which has the icon '#>'. This means the siteAdmin can grant users of that Vsite any level of shell access, including the 'Full Shell Access'.

Virtual Site User List

Likewise the User List in the Vsite itself also got the same set of icons to make it easier to see which user has which privileges.

It uses the same icons as the Virtual Site list for that purpose. So our user 'one_admin' is siteAdmin (indicated by the '<A>' icon) and enjoys the privileges of 'Chrooted Shell, SFTP, SCP and RSYNC'. As he is siteAdmin, his chrooted jail allows him to access the whole Vsite directory and everything within.

User 'one_john_doe' only has the SFTP icon and he is not a siteAdmin. That means John Doe can at best use 'Chrooted SFTP, SCP and RSYNC', but his jail is limited to see only the /home directory. That essentially locks him into a more restricted corner and he cannot see the files of the Vsite itself or those of any other users.

Finally the poor Jane Doe only has FTP access to her own user directory and no kind or form of shell access.

Conclusion

That wraps up our explanation of the new Jailkit chrooted jails for Virtual Sites and Users on BlueOnyx 5210R and we hope you enjoy the additions and changes once BlueOnyx 5210R comes out.


Return
General
Jul 11, 2019 Category: General Posted by: mstauber
Previous page: API Documentation Next page: Downloads