Search Results

Search found 369 results on 15 pages for 'chroot jail'.

Page 5/15 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • Trying to run chrooted suPHP with UserDir, getting 500 server error

    - by Greg Antowski
    I've managed to get suPHP working fine with UserDir (i.e. PHP files run from the /home/$username/public_html) directory, but I can't get it to work when I chroot it to the user's home directory. I've been following this guide: http://compilefailure.blogspot.co.nz/2011/09/suphp-chroot-gotchas.html And adapting it to my needs. I'm not creating vhosts, I just want PHP scripts to be jailed to the user's home directory. I've gotten to the part where you use makejail and set up a symlink. However even with the symlink set up correctly, PHP scripts won't run. This is what's shown in the Apache error log: SoftException in Application.cpp:537: Could not execute script "/home/jimmy/public_html/test.php" [error] [client 127.0.0.1] Caused by SystemException in API_Linux.cpp:444: execve() for program "/usr/bin/php-cgi" failed: No such file or directory The thing is, if I try running either of the following commands in the terminal it works without any issues: /home/jimmy/usr/bin/php-cgi /home/jimmy/public_html/test.php /usr/bin/php-cgi /home/jimmy/public_html/test.php I've been trying for hours to get this going and documentation for this kind of stuff is almost non-existent. If anyone could help me out with this, I'd be extremely grateful.

    Read the article

  • Vserver: secure mails from a hacked webservice

    - by lukas
    I plan to rent and setup a vServer with Debian xor CentOS. I know from my host, that the vServers are virtualized with linux-vserver. Assume there is a lighthttpd and some mail transfer agent running and we have to assure that if the lighthttpd will be hacked, the stored e-mails are not readable easily. For me, this sounds impossible but may I missed something or at least you guys can validate the impossibility... :) I think basically there are three obvious approaches. The first is to encrypt all the data. Nevertheless, the server would have to store the key somewhere so an attacker (w|c)ould figure that out. Secondly one could isolate the critical services like lighthttpd. Since I am not allowed to do 'mknod' or remount /dev in a linux-vserver, it is not possible to setup a nested vServer with lxc or similar techniques. The last approach would be to do a chroot but I am not sure if it would provide enough security. Further I have not tried yet, if I am able to do a chroot in a linux-vserver...? Thanks in advance!

    Read the article

  • vsftpd restrict local users to home and group directories

    - by wag2639
    i've got vsftpd install on an ubuntu server 9.10 i can use chroot to restrict users to their own home directories but i also want to give them access to a group shared folder for example, users foo1 and foo2 are local users in the group foos i want foo1 to have access to /home/foo1 and /svr/foos and foo2 to have access to /home/foo2 and /svr/foos other notes: using pam and enforce local user ssl already tried mount --bind but it does weird permissions when you try to mount bind multiple users to the same

    Read the article

  • Yum install in chroot directory

    - by pulegium
    I'm trying to install the Base group on a mounted volume. Here's the custom yum.conf that I'm using: [main] cachedir=/var/cache/yum/ debuglevel=2 logfile=/var/log/yum.log exclude=*-debuginfo obsoletes=1 gpgcheck=0 reposdir=/dev/null [base] name=Fedora 13 - i386 baseurl=file:///media/Fedora\ 13\ i386\ DVD/ enabled=1 [updates] name=Fedora 13 - i386 - Updates baseurl=http://mirror.sov.uk.goscomb.net/fedora/linux/updates/13/i386/ enabled=1 When I run # yum -c yum.conf --installroot=/mnt groupinstall Base I would expect yum to install everything under /mnt But it keeps on saying: [...] Package irda-utils-0.9.18-10.fc12.i686 already installed and latest version Package time-1.7-37.fc12.i686 already installed and latest version Package man-pages-3.23-6.fc13.noarch already installed and latest version Package talk-0.17-33.2.4.i686 already installed and latest version Package pam_passwdqc-1.0.5-6.fc13.i686 already installed and latest version [...] I tried rpm --base=/mnt --initdb and then use rpm to install fedora-release (which worked and installed the package under /mnt) But yum keeps on saying that all packages are installed. Any ideas?...

    Read the article

  • OpenSSH SFTP server with chroot()

    - by HannesFostie
    I am currently setting up an SFTP server but there is one detail I can't seem to figure out. When I add a user, I would like him to connect using his client and be able to write in his "root dir" right away. My Match case for the SFTP-users group currently has ChrootDirectory set as "/home/%u", and inside that directory I have to have a subdirectory owned by the user, while /home/%u itself is owned by root. Next to that, the "root dir" also has a couple files, .bashrc to name one. Is it possible to put these files somewhere else, remove them, or at least make them invisible to the user? Thanks

    Read the article

  • OpenSSH SFTP server with chroot() + File Permissions

    - by HannesFostie
    I am currently setting up an SFTP server but there is one detail I can't seem to figure out. When I add a user, I would like him to connect using his client and be able to write in his "root dir" right away. My Match case for the SFTP-users group currently has ChrootDirectory set as "/home/%u", and inside that directory I have to have a subdirectory owned by the user, while /home/%u itself is owned by root. Next to that, the "root dir" also has a couple files, .bashrc to name one. Is it possible to put these files somewhere else, remove them, or at least make them invisible to the user? Thanks EDIT: One more little thing I'd like to implement is for one account to have read (or rw, not sure yet) access to all other users' home directories. What is the easiest way to implement this?

    Read the article

  • SFTP is not connecting to remote server

    - by Crono15
    $ sftp -vvv Remote_IP Connecting to Remote_IP... OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011 debug1: Reading configuration data /etc/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to Remote_IP [Remote_IP] port 22. debug1: connect to address Remote_IP port 22: Operation timed out ssh: connect to host Remote_IP port 22: Operation timed out Connection closed I set up an account for SFTP only access with a chroot. I tested that on the server and it works fine. The problem is, I could not get remote SFTP access to the server to work right. The example above is what I keep on running into. I have been trying to figure out how to solve this problem for 2 days now. I am not sure if it have to do with /etc/ssh/sshd_config. Is it something that I am not aware of? I am hoping that you could help point me to the right place for this issue.

    Read the article

  • How to disable PHP's ini_set for specific configuration options?

    - by Dunedan
    I'm running a setup with PHP 5.3.8 and use php-fpm with it's chroot functionality to separate multiple customers. So each customer has it's own chrooted PHP-environment, which is quite fine. I now want to disallow that a customer can change the *memory_limit* of his PHP-instance by using *ini_set*. On the other hand I don't want to disable *ini_set* completely. So I'm searching for a possibility to disable the possibility to set specific PHP configuration options (like *memory_limit*) via *ini_set*. Does somebody know how to achieve that?

    Read the article

  • Apache Error Log - "Web Path" instead of Filesystem Path

    - by Craconia
    Hello everyone, I'm running Apache on Linux and I'm using OpenSSH to provide SFTP access to some customers so they can upload their pages and also look at their respective site logs (access & error). I'm using the new feature in OpenSSH to chroot their SFTP access and so far so good. My problem is that on the error_log, every reference for "File not found..." is given using the OS filesystem path as opposed to the "Web" path. I'd rather have the web path on the error log in order not to reveal the OS path. Since I'm already chrooting the users, I don't want to reveal WHERE on the OS their files are actually located... Is it possible to change this behaviour via any directive? I tried looking for it but couldn't find anything :( Thanks, Craconia

    Read the article

  • Set Users as chrooted for sftp, but allow user to login in SSH

    - by Eghes
    I have setup a ssh server on debian 7, to use sftp connection. I chrooted some user, with this config: Match Group sftpusers ChrootDirectory /sftp/%u ForceCommand internal-sftp But if i want login with one of this chrooted users in ssh console, they get logged, but autoclose the connection. In logs I see: Oct 17 13:39:32 xxxxxx sshd[31100]: Accepted password for yyyyyy from zzz.zzz.zzz.zzz port 7855 ssh2 Oct 17 13:39:32 xxxxxx[31100]: pam_unix(sshd:session): session opened for user yyyyyyyyyyyy by (uid=0) Oct 17 13:39:32 d00hyr-ea1 sshd[31100]: pam_unix(sshd:session): session closed for user yyyyyyyyyyyy How can I chroot a user only for sftp, and use it as a normal user for ssh?

    Read the article

  • How to (legitimately) access files after putting self into chrooted sandbox?

    - by unknown google user
    Changing a Linux C++ program which gives the user limited file access. Thus the program chroots itself to a sandbox with the files the user can get at. All worked well. Now, however, the program needs to access some files for its own needs (not the user's) but they are outside the sandbox. I know chroot allows access to files opened before the chroot but in this case the needed files could a few among many hundreds so it is obviously impractical to open them all just for the couple that might be required. Is there any way to get at the files?

    Read the article

  • Is there a way to jail in Javascript, so that the DOM isn't visible

    - by TiansHUo
    I would really like to provide the user some scripting capabilities, while not giving it access to the more powerful features, like altering the DOM. That is, all input/output is tunneled thru a given interface. Like a kind of restricted javacsript. Example: If the interface is checkanswer(func) this are allowed: checkanswer( function (x,y)={ return x+y; } but these are not allowed: alert(1) document.write("hello world") eval("alert()")

    Read the article

  • Custom initrd init script: how to create /dev/initctl

    - by Posco Grubb
    I have a virtual machine (VMM is Xen 3.3) equipped with two IDE HDD's (/dev/hda and /dev/hdb). The root file system is in /dev/hda1, where Scientific Linux 5.4 is installed. /dev/hdb contains an empty ext2 file system. I want to protect the root file system from writes by the VM by using aufs (AnotherUnionFS) to layer a writable file system on top of the root file system. The changes to / will be written to the file system located on /dev/hdb. (Furthermore, outside the VM, the file backing the /dev/hda will also be set to read-only permissions, so the VMM should also prevent the VM from modifying at that level.) (The purpose of this setup: be able to corrupt a virtual machine using software-implemented fault injection but preserve the file system image in order to quickly reboot the VM to a fault-free state.) How do I get an initrd init script to do the necessary mounts to create the union file system? I've tried 2 approaches: I've tried modifying the nash script that mkinitrd creates, but I don't know what setuproot and switchroot do and how to make them use my aufs as the new root. Apparently, nobody else here knows either. (EDIT: I take that back.) I've tried building a LiveCD (using linux-live-6.3.0) and then modifying the Bash /linuxrc script from the generated initrd, and I got the mounts correct, but the final /sbin/init complains about /dev/initctl. Specifically, my /linuxrc mounts the aufs at /union. The last few lines of /linuxrc effectively do the following: cd /union mkdir -p mnt/live pivot_root . mnt/live exec sbin/chroot . sbin/init </dev/console >/dev/console 2>&1 When init starts, it outputs something like init: /dev/initctl: No such file or directory. What is supposed to create this FIFO? I found no such filename in the original linuxrc and liblinuxlive scripts. I tried creating it via "mkfifo /dev/initctl", but then init complained about a timeout opening or writing to the FIFO. Would appreciate any help or pointers. Thanks.

    Read the article

  • chrooting user causes "connection closed" message when using sftp

    - by George Reith
    First off I am a linux newbie so please don't assume much knowledge. I am using CentOS 5.8 (final) and using OpenSSH version 5.8p1. I have made a user playwithbits and I am attempting to chroot them to the directory home/nginx/domains/playwithbits/public I am using the following match statement in my sshd_config file: Match group web-root-locked ChrootDirectory /home/nginx/domains/%u/public X11Forwarding no AllowTcpForwarding no ForceCommand /usr/libexec/openssh/sftp-server # id playwithbits returns: uid=504(playwithbits) gid=504(playwithbits) groups=504(playwithbits),507(web-root-locked) I have changed the user's home directory to: home/nginx/domains/playwithbits/public Now when I attempt to sftp in with this user I instantly get the message: connection closed Does anyone know what I am doing wrong? Edit: Following advice from @Dennis Williamson I have connected in debug mode (I think... correct me if I'm wrong). I have made a bit of progress by using chmod to set permissions recursively of all files in the directly to 700. Now I get the following messages when I attempt to log on (still connection refused): Connection from [My ip address] port 38737 debug1: Client protocol version 2.0; client software version OpenSSH_5.6 debug1: match: OpenSSH_5.6 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.8 debug1: permanently_set_uid: 74/74 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-ctr hmac-md5 none debug1: kex: server->client aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user playwithbits service ssh-connection method none debug1: attempt 0 failures 0 debug1: user playwithbits matched group list web-root-locked at line 91 debug1: PAM: initializing for "playwithbits" debug1: PAM: setting PAM_RHOST to [My host info] debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user playwithbits service ssh-connection method password debug1: attempt 1 failures 0 debug1: PAM: password authentication accepted for playwithbits debug1: do_pam_account: called Accepted password for playwithbits from [My ip address] port 38737 ssh2 debug1: monitor_child_preauth: playwithbits has been authenticated by privileged process debug1: SELinux support disabled debug1: PAM: establishing credentials User child is on pid 3942 debug1: PAM: establishing credentials Changed root directory to "/home/nginx/domains/playwithbits/public" debug1: permanently_set_uid: 504/504 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype [email protected] want_reply 0 debug1: server_input_channel_req: channel 0 request env reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req env debug1: server_input_channel_req: channel 0 request subsystem reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req subsystem subsystem request for sftp by user playwithbits debug1: subsystem: cannot stat /usr/libexec/openssh/sftp-server: Permission denied debug1: subsystem: exec() /usr/libexec/openssh/sftp-server debug1: Forced command (config) '/usr/libexec/openssh/sftp-server' debug1: session_new: session 0 debug1: Received SIGCHLD. debug1: session_by_pid: pid 3943 debug1: session_exit_message: session 0 channel 0 pid 3943 debug1: session_exit_message: release channel 0 debug1: session_by_channel: session 0 channel 0 debug1: session_close_by_channel: channel 0 child 0 debug1: session_close: session 0 pid 0 debug1: channel 0: free: server-session, nchannels 1 Received disconnect from [My ip address]: 11: disconnected by user debug1: do_cleanup debug1: do_cleanup debug1: PAM: cleanup debug1: PAM: closing session debug1: PAM: deleting credentials

    Read the article

  • Potential issues to consider when using debootstrap for different Ubuntu distros

    - by BrainCore
    We currently run Lucid on top of Xen. Using debootstrap, we have created many jailed environments for Lucid (10.04), Maverick (10.10) and Natty (11.04). We're considering creating an Oneiric environment as well. However, we're beginning to wonder what the consequences of doing so are. What incompatibilities should we watch out for? The Lucid base runs on the 2.6.32 Kernel, and happens to be running on Amazon EC2 (Xen). We realize that Oneiric when installed from scratch comes with the 3.0 Kernel. Also, if we were to upgrade the Lucid base to Oneiric (including the Kernel), what would we have to watch out for to ensure that the Lucid, Maverick, and Natty jailed environments still work fine?

    Read the article

  • Secure PHP environments with PHP-FPM and SFTP

    - by pdd
    I'd like to set up secure environments for a small number of untrusted PHP websites on a Debian server. Right now everything runs on the same Apache2 with mod_php5 and vsftpd for administrative file access, so there is room for improvement. The idea is to use nginx instead of apache, SFTP through OpenSSH instead of vsftpd and chrooted (in sshd_config), individual users for each website with their own pool of PHP processes. All these users and nginx are part of the same group. Now in theory I can set 700 permissions on all PHP scripts and 750 on static files that nginx has to serve up. Theoretically, if a website is compromised all the other users' data is safe, right? Are there better solutions that require less setup time and memory per website? Cheers

    Read the article

  • Is there an equivalent to MySecureShell for Centos?

    - by benjisail
    Hi, I have some issue to install MySecureShell on CentOS 5.4 because I want to use Yum to install it (for maintainability). I get this error : yum install mysecureshell Error: Missing Dependency: libcrypto.so.10()(64bit) is needed by package mysecureshell-1.20-1.x86_64 (mysecureshell) I assume that the issue is that openSSL shipped with CentOS 5.4 is too old... I don't want to install everything manually so I would like to know if there is an equivalent to MySecureShell which would work with CentOS 5.4. Thanks!

    Read the article

  • A specific user is unable to log in to vsftpd

    - by HackToHell
    I am setting up a new user let his name be ftpguy. He has access to only one directory /var/www/xxx. I have already chowned the directory so that he has write and read privileges. The user is also unable to login via ssh as I have disabled that by changing his shell to /sbin/nologin. Also, in vsftpd config, I have enabled the chroot_local_user. Now whenever I log in from ftp, i get an auth error. Connect socket #1008 to xxxxxxxx, port 21... 220 Welcome to blah FTP service. USER ftpguy 331 Please specify the password. PASS ********** 530 Login incorrect. I changed the password to something different several times, using the passwd command, nothing happens, i still the above error. However I am able to log in with my ssh creditals to my ftp server without any problems.(I do not use a key).

    Read the article

  • Install full version of Unity on Chrome OS using crouton

    - by Sam Kong
    I have an Acer Chromebook. Using crouton, I installed Ubuntu (unity) on it. I am pretty familiar Ubuntu 12.04. But the installed one is very minimized package. My fonts are missing and I manually installed language pack for Korean but still browser can't display Korean characters. Is there a way to install the whole packages via crouton like when you install Ubuntu 12.04 with the CD? Or is there a script that installs the missing packages on the bare Ubuntu? Thanks. Sam

    Read the article

  • chrooted sftp user with write permissions to /var/www

    - by matthew
    I am getting confused about this setup that I am trying to deploy. I hope someone of you folks can lend me a hand: much much appreciated. Background info Server is Debian 6.0, ext3, with Apache2/SSL and Nginx at the front as reverse proxy. I need to provide sftp access to the Apache root directory (/var/www), making sure that the sftp user is chrooted to that path with RWX permissions. All this without modifying any default permission in /var/www. drwxr-xr-x 9 root root 4096 Nov 4 22:46 www Inside /var/www -rw-r----- 1 www-data www-data 177 Mar 11 2012 file1 drwxr-x--- 6 www-data www-data 4096 Sep 10 2012 dir1 drwxr-xr-x 7 www-data www-data 4096 Sep 28 2012 dir2 -rw------- 1 root root 19 Apr 6 2012 file2 -rw------- 1 root root 3548528 Sep 28 2012 file3 drwxr-x--- 6 www-data www-data 4096 Aug 22 00:11 dir3 drwxr-x--- 5 www-data www-data 4096 Jul 15 2012 dir4 drwxr-x--- 2 www-data www-data 536576 Nov 24 2012 dir5 drwxr-x--- 2 www-data www-data 4096 Nov 5 00:00 dir6 drwxr-x--- 2 www-data www-data 4096 Nov 4 13:24 dir7 What I have tried created a new group secureftp created a new sftp user, joined to secureftp and www-data groups also with nologin shell. Homedir is / edited sshd_config with Subsystem sftp internal-sftp AllowTcpForwarding no Match Group <secureftp> ChrootDirectory /var/www ForceCommand internal-sftp I can login with the sftp user, list files but no write action is allowed. Sftp user is in the www-data group but permissions in /var/www are read/read+x for the group bit so... It doesn't work. I've also tried with ACL, but as I apply ACL RWX permissions for the sftp user to /var/www (dirs and files recursively), it will change the unix permissions as well which is what I don't want. What can I do here? I was thinking I could enable the user www-data to login as sftp, so that it'll be able to modify files/dirs that www-data owns in /var/www. But for some reason I think this would be a stupid move securitywise.

    Read the article

  • Is there an available repository to update OpenSSH to 4.8+ on Centos 5.4?

    - by benjisail
    Hi, I need OpenSSH 4.8+ in order to do setup a clean chrooted SFTP on my Centos 5.4 with Remi and EPEL repositories. Is there a repository for Centos which contain an updated OpenSSH? Thanks! Extra info : I want OpenSSH 4.8+ in order to not install an extra library (RSSH) when OpenSSH can already handle it. However if you think that there is a cleaner and easier to maintain way to install a chrooted SFTP server let me know!

    Read the article

  • Proftpd: How to set default root to a users home directory without jailing the user?

    - by sacamano
    Hi there. I've installed proftpd on my debian box but I'm having having some trouble with the configuration. In my proftpd.conf I've added; DefaultRoot ~ !ftp_special This works fine in that all users except members of ftp-special are unable to navigate outside of their home folder. However, I want users that are members of ftp-special to enter a special home folder when logging on to the ftp server but at the same time I want them to be able to navigate the entire server. Right now, if a user that is a member of ftp-special logs on his entry-point is the root ( / ). Thanks in advance.

    Read the article

  • SSH - SFTP/SCP only + additional command running in background

    - by Chris
    there are many solutions described to get ur SSH-connection forced to only run SFTP by modifying the sshd_config by adding a new group match and give that new group a Forcecommand internal-sftp Well that works great but i would love to have a little more feature. My servers automatically ban IP's which try to connect often in a short time. So when you use any SFTP-Client, which opens multiple connections to work faster it can get banned instandly by the server for a long time. The servers have a script to whitelist users by administrator. I've modified this script to whitelist the user, which runs the script. All i need to do is now get the server to execute that script, when somebody logins. On SSH it's no problem, just put it in .bashrc or something like, but the Forcecommand don't runs these scripts on login. Is there any way to run such a shellscript before or at the same time as the Forcecommand get fired?

    Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >