Create failsafe SSH access for customers with CageFS and without

  • Create failsafe SSH access for customers with CageFS and without

    mkdir -p /usr/share/cagefs-skeleton/usr/local/psa/bin/
    cp -a /bin/bash /usr/share/cagefs-skeleton/usr/local/psa/bin/chrootsh
    cagefsctl --force-update

    This copies /bin/bash to /usr/local/psa/bin/chrootsh inside CageFS.
    If a user gets excluded from CageFS his shell will still be chrooted, because it will default to /usr/local/psa/bin/chrootsh outside of CageFS.

    sed -i 's#;shell = /usr/local/psa/bin/chrootsh#shell = /usr/local/psa/bin/chrootsh#' /usr/local/psa/admin/conf/site_isolation_settings.ini

    This makes sure that customers can only select a chrooted shell, whether they are inside CageFS or not.
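
A check for the sed step above, since `sed -i` exits 0 even when its pattern matched nothing and the setting stayed commented out. This is an added example, not part of the original post or of Plesk/CageFS tooling; the function name `check_shell_setting` is hypothetical, and it assumes a leading `;` comments a line out, as the sed command implies.

```shell
#!/bin/sh
# Added example: confirm the "shell" setting is really active after the edit.
# Assumption: a leading ";" marks a commented-out line in this ini file.

WANT=/usr/local/psa/bin/chrootsh

# check_shell_setting FILE
# Prints one status word and returns:
#   0 active     every uncommented "shell =" line is the chroot shell
#   1 commented  only a ";shell =" line exists (the edit did not apply)
#   2 missing    no shell line at all
#   3 other      an uncommented shell line points somewhere else
#   4 unreadable the file cannot be read
check_shell_setting() {
    file=$1
    [ -r "$file" ] || { echo unreadable; return 4; }

    # Values of all uncommented "shell = ..." lines, whitespace-tolerant.
    active=$(sed -n \
        's/^[[:space:]]*shell[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$file" | sort -u)

    if [ -n "$active" ]; then
        if [ "$active" = "$WANT" ]; then
            echo active; return 0
        fi
        echo other; return 3
    fi

    # No active line: tell "still commented" apart from "not there".
    if grep -Eq '^[[:space:]]*;[[:space:]]*shell[[:space:]]*=' "$file"; then
        echo commented; return 1
    fi
    echo missing; return 2
}

# Run against a file when one is given on the command line.
if [ $# -gt 0 ]; then
    check_shell_setting "$1"
fi
```

Called with the path of site_isolation_settings.ini, it reports `commented` when the file's spacing differs from what the sed pattern expects and the substitution silently did nothing.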

  • #2
    You need to use file system templates to add things like this:



    • #3
      Hi Igor,

      I know, I have already created a template for git.

      But the issue here is that I want to create either:

      a copy of ( /bin/bash or /usr/share/cagefs-skeleton/bin/bash ) or symlink /usr/share/cagefs-skeleton/bin/bash to /usr/share/cagefs-skeleton/usr/local/psa/bin/chrootsh

      So that inside CageFS /usr/local/psa/bin/chrootsh is actually /bin/bash

      These conditions may only be valid inside CageFS and will not exist outside of CageFS.
      Outside of CageFS the /usr/local/psa/bin/chrootsh has to be the actual chroot shell binary.

      I can't seem to find how to do this via templating (symlinking or providing an alternative destination name / path).
      Any clues?

      Thanks!



      • #4
        You cannot, and it will break on CageFS update. CageFS was meant to create a safe image that is virtually identical to real binaries. What you are doing was never meant to be.
