Allow customer to activate lxjailshell on their own

[Spacedust]

This should not harm us and it will reduce number of tickets to activate SSH.

[chrisf]

This should not harm us and it will reduce number of tickets to activate SSH.

In my test lxjailshell is not a true chroot environment.  If you allowing vim or other editors they can break out easily.  I have been securing a server that i paid to have audited.  Perl was a nightmare.  Lxjailshell is better off than on!  You have to restrict it so much it makes it useless.  And a true jail requires the commands to be copied to the /home of the user.

I have abandoned apache and proxies.  I am moving forward with just hiawatha.  I have setup individual jails using the cgi-wrapper in hiawatha, at the cost of 50 mb per customer.  No real biggie.

Next is to change php session directory to /home/{user}/sessions - that was another security concern from my audit (shared hosting)

I can jailshell bash, but, again, all files must be copied to a users directory.

But, i am a security freak, and paranoid.

[MRatWork]

Instead using 'copy', try using 'hardlink' or 'mount'.

[chrisf]

Yes, considering hardlinks.  Just don't want anyone to be able to find a way to hack the file, as it would happen across the entire server if every client is hardlinked to say, perl.

But chattr +i and keeping it root:root with world execute, no write should handle that.  I had to chattr +i so on cleanup and fix scripts the ownership and permissions don't get changed.