Create failsafe SSH access for customers with CageFS and without
  1. Stéphan Schamp
  2. Friday, 08 August 2014
mkdir -p /usr/share/cagefs-skeleton/usr/local/psa/bin/
cp -a /bin/bash /usr/share/cagefs-skeleton/usr/local/psa/bin/chrootsh
cagefsctl --force-update

This copies /bin/bash to /usr/local/psa/bin/chrootsh inside CageFS.
If a user gets excluded from CageFS his shell will still be chrooted, because it will default to /usr/local/psa/bin/chrootsh outside of CageFS.

sed -i 's#;shell = /usr/local/psa/bin/chrootsh#shell = /usr/local/psa/bin/chrootsh#' /usr/local/psa/admin/conf/site_isolation_settings.ini

This makes sure that customers can only select a chrooted shell, whether they are inside CageFS or not.
  1. 09.08.2014 11:08:42
  2. # 1
Igor Seletskiy Accepted Answer
Posts: 1194
Joined: 09.02.2010
You need to use file system templates to add things like this:
  1. 09.08.2014 11:08:26
  2. # 2
Stéphan Schamp Accepted Answer
Posts: 4
Joined: 31.07.2014
Hi Igor,

I know, I have already created a template for git.

But the issue here is that I want to create either:

a copy of ( /bin/bash or /usr/share/cagefs-skeleton/bin/bash ) or symlink /usr/share/cagefs-skeleton/bin/bash to /usr/share/cagefs-skeleton/usr/local/psa/bin/chrootsh

So that inside CageFS /usr/local/psa/bin/chrootsh is actually /bin/bash

These conditions may only be valid inside CageFS and will not exist outside of CageFS.
Outside of CageFS the /usr/local/psa/bin/chrootsh has to be the actual chroot shell binary.

I can't seem to find how to do this via templating (symlinking or providing an alternative 'destination name / path').
Any clues?

  1. 09.08.2014 11:08:39
  2. # 3
Igor Seletskiy Accepted Answer
Posts: 1194
Joined: 09.02.2010
You cannot, and it will break on CageFS update. CageFS was meant to create a safe image that is virtually identical to real binaries. What you are doing was 'never meant to be'.
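
Added example, not part of the original thread: a shell check for the setup described in the first post, worth running after every CageFS update given the warning in the last reply that the skeleton copy will not survive one. The function name and the root-prefix argument are assumptions made for illustration; the paths are the ones given in the post.

```shell
#!/bin/sh
# Verify the failsafe chrooted-shell setup described in the first post.
# Usage: check_failsafe_shell /     (the prefix argument is hypothetical and
# exists so the check can also be pointed at a test tree)

SKEL_SHELL=usr/share/cagefs-skeleton/usr/local/psa/bin/chrootsh
HOST_SHELL=usr/local/psa/bin/chrootsh
INI=usr/local/psa/admin/conf/site_isolation_settings.ini

check_failsafe_shell() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", "/tmp/x/" becomes "/tmp/x"
    rc=0

    # 1. The bash copy must still be present inside the CageFS skeleton.
    if [ ! -x "$root/$SKEL_SHELL" ]; then
        echo "MISSING: /$SKEL_SHELL (skeleton copy gone or not executable)"
        rc=1
    fi

    # 2. Outside CageFS the same path has to be the real chroot shell,
    #    so it must exist and must not be a byte-for-byte copy of bash.
    if [ ! -x "$root/$HOST_SHELL" ]; then
        echo "MISSING: /$HOST_SHELL"
        rc=1
    elif cmp -s "$root/$HOST_SHELL" "$root/bin/bash"; then
        echo "WRONG: /$HOST_SHELL is identical to /bin/bash (not chrooted)"
        rc=1
    fi

    # 3. The shell restriction must be active: the sed command in the post
    #    removes the leading ';', so a line still starting with ';' fails.
    if ! grep -Eq '^[[:space:]]*shell[[:space:]]*=[[:space:]]*/usr/local/psa/bin/chrootsh[[:space:]]*$' \
            "$root/$INI" 2>/dev/null; then
        echo "INACTIVE: shell restriction not set in /$INI"
        rc=1
    fi

    return $rc
}
```

The function returns 0 only when all three conditions hold, so it can be called from a cron job or a post-update hook and alert on a non-zero status.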