MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Development => Topic started by: MRatWork on 2014-02-03, 06:26:33
-
To make Kloxo-MR very secure, it is possible to implement Jailkit in Kloxo-MR.
Two options for Jailkit:
1. Always use Jailkit, or
2. Jailkit as an option - enable/disable in panel
The Jailkit implementation will be ready in the next release and I will inform in this thread when it is ready.
I hope it will be ready in 2-3 days!
Because this is very important, other options/bugfixes are temporarily pending.
-
Great! Will we be able to re-enable perl and cron?
-
Maybe not for cron. But sure, perl will be enabled.
-
:)
-
It's because cron can possibly execute ssh and executes from /var/spool/cron. It's different with perl, where a perl file executes only from /home/<user>, and with Jailkit this /home/<user> will be chrooted.
-
Mustafa,
Why not change cron in Kloxo so that only php or curl can be set, for example php -q /cront/path/ or curl -I /cron/path/? If you try to add a cron with ssh or another cmd, an error will be displayed.
-
Yes, I am still thinking about limiting cron tasks for users.
-
open: /usr/local/lxlabs/kloxo/httpdocs/driver/pserver/cronlib.php
find:
    static function add($parent, $class, $param)
    {
        if (!($parent->isClass('pserver') || $parent->priv->isOn('cron_minute_flag'))) {
            if (!is_numeric($param['minute'])) {
                $param['minute'] = 0;
            }
        }
        $param['username'] = $parent->username;
        /*
        if ($parent->is__table('pserver')) {
            $param['syncserver'] = $parent->nname;
        } else {
            $param['syncserver'] = $parent->syncserver;
        }
        */
change it to:
    static function add($parent, $class, $param)
    {
        if (!($parent->isClass('pserver') || $parent->priv->isOn('cron_minute_flag'))) {
            if (!is_numeric($param['minute'])) {
                $param['minute'] = 0;
            }
        }
        // Refuse any cron command that contains the substring 'ssh'.
        if (strpos($param['command'], 'ssh') !== false) {
            throw new lxexception("ssh_is_not_allowed_cmd_for_cron", '', '');
        }
        $param['username'] = $parent->username;
        /*
        if ($parent->is__table('pserver')) {
            $param['syncserver'] = $parent->nname;
        } else {
            $param['syncserver'] = $parent->syncserver;
        }
        */
and voilà, the ssh cmd is disabled.
If you want to disable more cmds, it must be:
        if (preg_match('/cmd1|cmd2|cmd3/', $param['command'])) {
-
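Added example (not part of any post in this thread, and not Kloxo-MR code): the suggestion above to allow only php or curl in cron, written as an allowlist check instead of a substring search for 'ssh'. The function name cron_command_allowed(), the /usr/bin location and the sample commands are assumptions made for illustration; it could be called at the point where the post above adds its strpos() check.

```php
<?php
// Added example, not Kloxo-MR code: cron_command_allowed() and its
// defaults are hypothetical names chosen for this illustration.

/**
 * Accept a cron command only if it is one invocation of an allowed program.
 */
function cron_command_allowed($command, array $allowed = array('php', 'curl'))
{
    $command = trim($command);
    if ($command === '') {
        return false;
    }
    // Refuse characters the shell (or cron itself, for %) treats specially,
    // so nothing can be chained, piped, redirected or substituted.
    if (preg_match('/[;&|`$<>(){}%\\\\\r\n]/', $command)) {
        return false;
    }
    // The first whitespace-delimited token is the program cron will run.
    $parts = preg_split('/\s+/', $command);
    $program = $parts[0];
    if (strpos($program, '/') !== false) {
        // Assumption: allowed programs live in /usr/bin; any other path fails.
        if (dirname($program) !== '/usr/bin') {
            return false;
        }
        $program = basename($program);
    }
    // Exact match on the program name, not a substring search.
    return in_array($program, $allowed, true);
}

// Constructed sample commands (not taken from the thread).
$samples = array(
    'php -q /home/user/cron/job.php',
    '/usr/bin/curl -I http://example.com/cron/job',
    'php -q /home/user/sshkeys-report.php', // contains "ssh" but is only php
    'ssh user@host',
    'perl /home/user/job.pl',
    'php -q /home/user/job.php; ssh user@host',
    '/tmp/php -q /home/user/job.php',
);
foreach ($samples as $cmd) {
    printf("%-45s %s\n", $cmd, cron_command_allowed($cmd) ? 'allowed' : 'rejected');
}
```

The check limits only what cron launches directly; a php script can still start other programs, so it complements, and does not replace, the Jailkit chroot discussed in this thread.
-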
Is that ready? Is it for 6.5.1 only?
-
Jailkit is only for 6.5.1 because it's not easy to implement and I don't want to break the 6.5.0 code.
Jailkit is ready from 6.5.1.c (aka candidate release) onward, and at this moment 6.5.1 is still in b (aka beta).
-
I saw that not too long ago 6.5.1 became beta; when should we expect the candidate release version? Is there any timing on that? That will change Kloxo security for good.
-
When will Jailkit be implemented for us to test, Mustafa? I would like to allow perl scripts again for clients.
-
It will be implemented after the c (candidate) release. C will be released after 'multiple php' is implemented.
-
Why not try jailshell? I know it sounds very cPanel, but in fact, jailshell had a free software fork (somewhere). If you jailshell a user, the user will still be able to execute jail rooted commands, with the benefit of staying in their own directory all the time.
-
Kloxo/Kloxo-MR already has lxjailshell (the same as jailshell in CPanel). Jailkit is not only a jail for the shell (aka jail_lsh) but also has other features (read http://olivier.sessink.nl/jailkit/).