MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Development => Topic started by: MRatWork on 2014-02-03, 06:26:33

Title: [INFO] Jailkit for Kloxo-MR
Post by: MRatWork on 2014-02-03, 06:26:33
To make Kloxo-MR very secure, it is possible to implement Jailkit in Kloxo-MR.

Two options for Jailkit:

1. Always use Jailkit, or
2. Jailkit as an option - enable/disable in panel

The Jailkit implementation will be ready in the next release and I will announce in this thread when it is ready.

I hope it will be ready in 2-3 days!

Because this is very important, other options/bugfixes are temporarily pending.
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: chrisf on 2014-02-03, 17:19:16
Great!  Will we be able to re-enable perl and cron?
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: MRatWork on 2014-02-03, 17:20:35
Maybe not for cron. But perl will surely be enabled.
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: chrisf on 2014-02-03, 17:24:38
:)
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: MRatWork on 2014-02-03, 17:42:07
It's because cron can possibly execute ssh and executes from /var/spool/cron. It's different with perl, where a perl file executes only from /home/<user>, and with jailkit this /home/<user> will be chrooted.
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: insanity on 2014-02-03, 18:03:38
Mustafa,
Why not change cron in kloxo to be able to set only php or curl, for example php -q /cront/path/ or curl -I /cron/path/. If you try to add a cron with ssh or another cmd, an error will be displayed?
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: MRatWork on 2014-02-03, 18:08:09
> Mustafa,
> Why not change cron in kloxo to be able to set only php or curl, for example php -q /cront/path/ or curl -I /cron/path/. If you try to add a cron with ssh or another cmd, an error will be displayed?

Yes, I am still thinking about limiting cron tasks for users.
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: insanity on 2014-02-03, 18:22:22
open: /usr/local/lxlabs/kloxo/httpdocs/driver/pserver/cronlib.php

find:
Code:
static function add($parent, $class, $param)
{
    if (!($parent->isClass('pserver') || $parent->priv->isOn('cron_minute_flag'))) {
        if (!is_numeric($param['minute'])) {
            $param['minute'] = 0;
        }
    }
    $param['username'] = $parent->username;
    /*
    if ($parent->is__table('pserver')) {
        $param['syncserver'] = $parent->nname;
    } else {
        $param['syncserver'] = $parent->syncserver;
    }
    */

change it to:

Code:
static function add($parent, $class, $param)
{
    if (!($parent->isClass('pserver') || $parent->priv->isOn('cron_minute_flag'))) {
        if (!is_numeric($param['minute'])) {
            $param['minute'] = 0;
        }
    }
    // Refuse any cron command that contains the substring 'ssh'
    if (strpos($param['command'], 'ssh') !== false) {
        throw new lxexception("ssh_is_not_allowed_cmd_for_cron", '', '');
    }
    $param['username'] = $parent->username;
    /*
    if ($parent->is__table('pserver')) {
        $param['syncserver'] = $parent->nname;
    } else {
        $param['syncserver'] = $parent->syncserver;
    }
    */

and voilà, the ssh cmd is disabled

if you want to disable more cmds, it must be:

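Code:
// strpos() takes a single needle (its third argument is an integer offset), so match several commands with one pattern
if (preg_match('/cmd1|cmd2|cmd3/', $param['command'])) {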
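
An allowlist version of the cron check, following the "only php or curl" idea raised earlier in the thread; this is an added example, not part of the original post and not Kloxo-MR code. The function name validate_cron_command(), the two accepted command forms and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: allowlist check for a user-supplied cron command.
// validate_cron_command() and its rules are hypothetical, not Kloxo-MR code.
function validate_cron_command($command, $username)
{
    // Only plain characters: no quotes, ';', '|', '&', '$', backticks, '%'
    // (special in crontab) or newlines, so nothing can follow the allowed form.
    if (!preg_match('#\A[A-Za-z0-9 ._/:=-]+\z#', $command)) {
        return false;
    }
    $parts = preg_split('/ +/', trim($command));
    if (count($parts) !== 3) {
        return false;
    }
    list($program, $flag, $target) = $parts;

    // Form 1: php -q /home/<user>/.../script.php, with no ".." in the path.
    if ($program === 'php' && $flag === '-q') {
        $home = '/home/' . $username . '/';
        return strpos($target, '..') === false
            && strncmp($target, $home, strlen($home)) === 0
            && substr($target, -4) === '.php';
    }
    // Form 2: curl -I http(s)://host[:port]/path
    if ($program === 'curl' && $flag === '-I') {
        return preg_match('#\Ahttps?://[A-Za-z0-9.-]+(:\d+)?(/[A-Za-z0-9._/=-]*)?\z#', $target) === 1;
    }
    return false; // ssh, perl, bare shell commands and everything else
}

// Constructed sample commands, checked for the constructed user "alice".
$samples = array(
    'php -q /home/alice/cron/job.php',
    'curl -I http://example.com/cron/run.php',
    'php -q /home/bob/cron/job.php',
    'php -q /home/alice/../bob/job.php',
    'ssh backup.example.com',
    'php -q /home/alice/job.php; ssh backup.example.com',
    'php -q /home/alice/sshkeys-report.php',
);
foreach ($samples as $cmd) {
    printf("%-52s %s\n", $cmd, validate_cron_command($cmd, 'alice') ? 'allow' : 'reject');
}
```

The last sample is a script whose name merely contains the letters "ssh": a substring check on 'ssh' refuses it, while the allowlist accepts it because it matches the permitted php form.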
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: vpsbox on 2014-03-06, 04:18:54
Is that ready? Is it for 6.5.1 only?
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: MRatWork on 2014-03-06, 06:04:43
Jailkit is only for 6.5.1 because it's not easy to implement and I don't want to break the 6.5.0 code.

Jailkit is ready since 6.5.1.c (aka candidate release) and at this moment 6.5.1 is still in b (aka beta).
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: vpsbox on 2014-03-08, 03:27:29
I saw that not too long ago 6.5.1 became beta; when can we expect the candidate release version? Is there any timing on that?

That will change Kloxo security for good.
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: chrisf on 2014-04-25, 05:51:31
When will jailkit be implemented for us to test, Mustafa? I would like to allow perl scripts again for clients.
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: MRatWork on 2014-04-25, 06:30:15
It will be implemented after the c (candidate) release. C will be released after 'multiple php' is implemented.
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: mvillanueva on 2014-06-11, 06:24:42
Why not try jailshell? I know it sounds very cPanel, but in fact, jailshell had a free software fork (somewhere). If you jailshell a user, the user will still be able to execute jail rooted commands, with the benefit of staying in their own directory all the time.
Title: Re: [INFO] Jailkit for Kloxo-MR
Post by: MRatWork on 2014-06-11, 06:44:56
Kloxo/Kloxo-MR already has lxjailshell (the same as jailshell in cPanel). Jailkit is not only a jail for the shell (aka jail_lsh) but also has other features (read http://olivier.sessink.nl/jailkit/).