BubbleWrap jail for users on Directadmin servers

DirectAdmin supports a jailed shell and jailed cron since version 1.61.0. This is achieved with the help of Bubblewrap, an unprivileged sandboxing tool. On Linux servers it adds another layer of security by restricting what users can reach.

What is a Bubblewrap Jail?

The goal of BubbleWrap is to run an application in a sandbox, where it restricts access to certain parts of the operating system or to user data such as the home directory.

A Bubblewrap jail works by creating a new, completely empty mount namespace whose root is a tmpfs that is invisible from the host; it is cleaned up automatically when the last process in it ends.

A user can specify which parts of the file system should be visible in the sandbox.

The maintainers of the tool state that it is designed not to allow privilege escalation, even when used in conjunction with specific software installed on the distribution.
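As an added example (not part of the original post or of DirectAdmin's own jailshell implementation), the following POSIX shell script builds a bwrap invocation that reflects the design described above: an empty tmpfs root, the system directories bound read-only, and only the given user's home directory bound read-write. The user name "alice" and the directory layout are constructed assumptions.

```shell
#!/bin/sh
# Added example: a minimal bubblewrap sandbox for one user's shell.
# Not DirectAdmin's jailshell; the layout below is an assumption.

# Print, one per line, the bwrap arguments for sandboxing a shell whose
# only writable persistent location is the user's own home directory.
# $1 = the user's home directory (e.g. /home/alice)
bwrap_args() {
    home="$1"
    printf '%s\n' \
        --unshare-all \
        --share-net \
        --die-with-parent \
        --tmpfs / \
        --ro-bind /usr /usr \
        --ro-bind /bin /bin \
        --ro-bind /lib /lib \
        --ro-bind /etc /etc \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$home" "$home" \
        --chdir "$home"
}

# Run a command inside the sandbox built by bwrap_args.
# $1 = home directory, remaining arguments = command to run.
# Returns 127 when bwrap is not installed on this host.
run_jailed() {
    home="$1"
    shift
    command -v bwrap >/dev/null 2>&1 || {
        echo "bwrap is not installed" >&2
        return 127
    }
    # Reassemble the argument list; the constructed paths contain no whitespace.
    old_ifs="$IFS"
    IFS='
'
    # shellcheck disable=SC2046
    set -- $(bwrap_args "$home") "$@"
    IFS="$old_ifs"
    bwrap "$@"
}

# Usage (needs bwrap installed): list what the jailed shell can see under /home.
# run_jailed /home/alice /bin/sh -c 'ls /home'
```

Inside the sandbox, `/home` contains only the bound directory of that user; other users' home directories are simply absent from the mount namespace rather than protected by permissions alone.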

Setting up a Bubblewrap Jail

For CentOS 7 and above run the following command as root:

cd /usr/local/directadmin/custombuild
./build update
./build bubblewrap
./build jailshell

This installs /usr/bin/jailshell.

DirectAdmin exposes it through a new setting, jail (set to 0 by default):

/usr/local/directadmin/directadmin set jail 1 restart

Setting jail=1 enables the option jail=ON/OFF in package/reseller/user.conf. When it is on for a user, DirectAdmin:

saves any sshd-related change with /usr/bin/jailshell (if present) as that user's shell in /etc/passwd;

saves any cron change with shell=/usr/bin/jailshell (if present) in that user's crontab.

Enabling jail for a given user does not require ssh to be enabled.
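To verify that the two changes described above actually landed for a user, the following added POSIX shell script (not part of the original post or of DirectAdmin) reads the login shell from a passwd file and the SHELL line from that user's crontab file and reports whether each is jailed. The sample users, passwd lines and crontabs are constructed for the example; on a real server you would point it at /etc/passwd and the system's crontab directory.

```shell
#!/bin/sh
# Added example: audit which users have the jailshell applied to SSH and cron.

# Report the jail state of one user.
# $1 = user name, $2 = passwd file, $3 = that user's crontab file (may be absent)
# Prints "ssh=jailed|unjailed|missing cron=jailed|unjailed|none".
jail_status() {
    user="$1"; passwd="$2"; crontab="$3"
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    case "$shell" in
        /usr/bin/jailshell) ssh="jailed" ;;
        "")                 ssh="missing" ;;
        *)                  ssh="unjailed" ;;
    esac
    if [ ! -f "$crontab" ]; then
        cron="none"
    elif grep -qix 'shell=/usr/bin/jailshell' "$crontab"; then
        cron="jailed"
    else
        cron="unjailed"
    fi
    printf 'ssh=%s cron=%s\n' "$ssh" "$cron"
}

# Audit every regular account (uid >= 1000) in a passwd file.
# $1 = passwd file, $2 = directory holding one crontab file per user
jail_audit() {
    passwd="$1"; crondir="$2"
    awk -F: '$3 >= 1000 && $1 != "nobody" { print $1 }' "$passwd" |
    while read -r u; do
        printf '%s: %s\n' "$u" "$(jail_status "$u" "$passwd" "$crondir/$u")"
    done
}

# Build constructed sample data in a temporary directory and print its path.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/bash
EOF
    mkdir "$dir/cron"
    printf 'SHELL=/usr/bin/jailshell\n0 3 * * * /home/alice/backup.sh\n' > "$dir/cron/alice"
    printf '0 4 * * * /home/bob/cleanup.sh\n' > "$dir/cron/bob"
    echo "$dir"
}

# Usage on the constructed sample:
# d=$(make_sample); jail_audit "$d/passwd" "$d/cron"; rm -rf "$d"
```

A user reported as ssh=unjailed or cron=unjailed after the jail option was turned on is the case worth investigating, since the mount namespace isolation only applies to processes started through /usr/bin/jailshell.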

Here is what the new option looks like in the DirectAdmin interface:

[Screenshot: Bubblewrap Jail for Users on DirectAdmin Servers]

You can enable Jail for selected users or for all users at once.

[Screenshot: Enable Jail for All Users in DirectAdmin]

Alternatively, you can set:

/usr/local/directadmin/directadmin set jail 2 restart

With jail=2, jail is always enabled regardless of any package/reseller/user.conf settings, and the jailshell is always applied to ssh/cron when those are saved.

What does all this mean?

In short, it is a security measure that lets users log in over SSH and run cron tasks while keeping them safely restricted.

Jailed users cannot access other users’ homedirs, either in an ssh session or in a script run with cron.

Jailed users can still run all necessary binaries and commands from the shell.
