JSH is an easy-to-use jailed shell tool that supports home jail for SSH / SFTP and does not require complicated docker or chroot configurations.
License: GNU General Public License v3.0
Hi @diggerwoo
Make many test
Open vi
after type :e we have access to full file system /
is there options to block to have access only to Home dir
Having issue when sftp is used to jail users, the cli is working correctly as it should be.
Debug information from the user 'jailed' where the only allowed folder is /home/jailed
Jan 8 11:09:31 server01 sshd[2138]: Accepted password for jailed from 192.168.235.9 port 55079 ssh2
Jan 8 11:09:31 server01 sshd[2138]: pam_unix(sshd:session): session opened for user jailed by (uid=0)
Jan 8 11:09:31 server01 jsh[2144]: setenv: SCPEXEC=1
Jan 8 11:09:31 server01 jsh[2144]: setenv: SCPDIR=/home/public:/etc/crypto-policies/back-ends
Jan 8 11:09:31 server01 jsh[2144]: setenv: SFTP_SERVER=/usr/libexec/openssh/sftp-server
Jan 8 11:09:31 server01 jsh[2144]: setenv: alias_ls=ls -a --color=auto
Jan 8 11:09:31 server01 jsh[2144]: setenv: alias_grep=grep --color=auto
Jan 8 11:09:31 server01 jsh[2144]: HOMEJAIL enabled on /home/jailed
Jan 8 11:09:31 server01 jsh[2144]: get SSH_CLIENT = 192.168.235.9 55079 22
Jan 8 11:09:31 server01 jsh[2144]: get SSH_PORT = 22
Jan 8 11:09:31 server01 jsh[2144]: -c '/usr/libexec/openssh/sftp-server'
Jan 8 11:09:31 server01 jsh[2144]: exec [/usr/libexec/openssh/sftp-server] mode [2]
Jan 8 11:09:31 server01 jsh[2144]: Start tracing /usr/libexec/openssh/sftp-server
Jan 8 11:09:31 server01 jsh[2144]: injail triggered by openat("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libutil.so.1", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libutil.so.1", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libcrypt.so.1", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libcrypt.so.1", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libpcre2-8.so.0", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libpcre2-8.so.0", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: '/proc/' is not any subdir of '/home/jailed'
Jan 8 11:09:31 server01 jsh[2144]: '/proc/' is not any subdir of '/home/public:/etc/crypto-policies/back-ends'
Jan 8 11:09:31 server01 jsh[2144]: deny openat("/proc/filesystems", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: redirect: openat("/proc/filesystems", O_RDONLY|O_CLOEXEC <0x80000>) = -13
Jan 8 11:09:31 server01 jsh[2144]: '/proc/' is not any subdir of '/home/jailed'
Jan 8 11:09:31 server01 jsh[2144]: '/proc/' is not any subdir of '/home/public:/etc/crypto-policies/back-ends'
Jan 8 11:09:31 server01 jsh[2144]: deny openat("/proc/mounts", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: redirect: openat("/proc/mounts", O_RDONLY|O_CLOEXEC <0x80000>) = -13
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/proc/sys/crypto/fips_enabled", O_RDONLY <0x0>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/proc/sys/crypto/fips_enabled", O_RDONLY <0x0>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/dev/null", O_RDWR <0x2>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/dev/null", O_RDWR <0x2>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/etc/pki/tls/openssl.cnf", O_RDONLY <0x0>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/etc/pki/tls/openssl.cnf", O_RDONLY <0x0>) = 3
Jan 8 11:09:31 server01 jsh[2144]: get abs full '/etc/crypto-policies/back-ends/opensslcnf.config'=>'/etc/crypto-policies/back-ends/opensslcnf.config'
Jan 8 11:09:31 server01 jsh[2144]: stat("/etc/crypto-policies/back-ends/opensslcnf.config") = 0
Jan 8 11:09:31 server01 jsh[2144]: '/etc/crypto-policies/back-ends/' is not any subdir of '/home/jailed'
Jan 8 11:09:31 server01 jsh[2144]: '/etc/crypto-policies/back-ends/' is subdir of '/etc/crypto-policies/back-ends/'
Jan 8 11:09:31 server01 jsh[2144]: openat("/etc/crypto-policies/back-ends/opensslcnf.config", O_RDONLY <0x0>) = 4
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: bypass openat("/etc/passwd", O_RDONLY|O_CLOEXEC <0x80000>)
Jan 8 11:09:31 server01 jsh[2144]: openat("/etc/passwd", O_RDONLY|O_CLOEXEC <0x80000>) = 3
Jan 8 11:09:31 server01 jsh[2144]: get abs full 'ÿÿÿÿÿÿÿÿ'=>'/home/jailed/ÿÿÿÿÿÿÿÿ'
Jan 8 11:09:31 server01 jsh[2144]: stat("ÿÿÿÿÿÿÿÿ") = 0
Jan 8 11:09:31 server01 jsh[2144]: get abs full 'ÿÿÿÿÿÿÿÿ'=>'/home/jailed/ÿÿÿÿÿÿÿÿ'
Jan 8 11:09:31 server01 jsh[2144]: openat("ÿÿÿÿÿÿÿÿ", O_RDONLY|O_CLOEXEC|O_DIRECTORY <0x90800>) = 3
Jan 8 11:09:31 server01 jsh[2144]: get abs full 'ÿÿÿÿÿÿÿÿ'=>'/home/jailed/ÿÿÿÿÿÿÿÿ'
Jan 8 11:09:31 server01 jsh[2144]: lstat("ÿÿÿÿÿÿÿÿ") = 0
Jan 8 11:09:31 server01 jsh[2144]: '/home/jailed/' is subdir of '/home/jailed/'
Jan 8 11:09:31 server01 jsh[2144]: openat("ÿÿÿÿÿÿÿÿ", O_RDONLY|O_CLOEXEC <0x80000>) = 4
Jan 8 11:09:31 server01 jsh[2144]: '/home/jailed/' is subdir of '/home/jailed/'
Jan 8 11:09:31 server01 jsh[2144]: openat("ÿÿÿÿÿÿÿÿ", O_RDONLY|O_CLOEXEC <0x80000>) = 4
Jan 8 11:09:31 server01 jsh[2144]: '/home/jailed/' is subdir of '/home/jailed/'
Jan 8 11:09:31 server01 jsh[2144]: openat("ÿÿÿÿÿÿÿÿ", O_RDONLY|O_CLOEXEC <0x80000>) = 4
Jan 8 11:09:31 server01 jsh[2144]: get abs full 'ÿÿÿÿÿÿÿÿ'=>'/home/jailed/ÿÿÿÿÿÿÿÿ'
Jan 8 11:09:31 server01 jsh[2144]: lstat("ÿÿÿÿÿÿÿÿ") = 0
Jan 8 11:09:31 server01 jsh[2144]: get abs full 'ÿÿÿÿÿÿÿÿ'=>'/home/jailed/ÿÿÿÿÿÿÿÿ'
Jan 8 11:09:31 server01 jsh[2144]: stat("ÿÿÿÿÿÿÿÿ") = 0
Jan 8 11:09:31 server01 jsh[2144]: get abs full 'ÿÿÿÿÿÿÿÿ'=>'/home/jailed/ÿÿÿÿÿÿÿÿ'
Jan 8 11:09:31 server01 jsh[2144]: lstat("ÿÿÿÿÿÿÿÿ") = 0
Jan 8 11:09:31 server01 jsh[2144]: get abs full 'ÿÿÿÿÿÿÿÿ'=>'/home/jailed/ÿÿÿÿÿÿÿÿ'
Jan 8 11:09:31 server01 jsh[2144]: stat("ÿÿÿÿÿÿÿÿ") = 0
Jan 8 11:09:31 server01 jsh[2144]: '/home/jailed/' is subdir of '/home/jailed/'
Jan 8 11:09:31 server01 jsh[2144]: openat("ÿÿÿÿÿÿÿÿ", O_RDONLY|O_CLOEXEC <0x80000>) = 4
Jan 8 11:09:31 server01 jsh[2144]: '/home/jailed/' is subdir of '/home/jailed/'
Any idea how to fix this?
We are using Oracle Linux Server release 8.9
Hi @diggerwoo
your jail look very good i try to add this but not work , do have options to add :
in group.jailed.conf
alias show config "cat /etc/config"
alias show interface ips "ip address list"
show config
show interface ips
and after that in man.conf :
show
config "List config"
interface ips "List interface ips"
now problem is set for all show command same info like :
command
show - "Shows various information"
interface show - "Shows various information"
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.