Welcome Guest. Please Login or Register  


You are here: Index > Softaculous Auto Installer > General Support > Topic : How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging



Threaded Mode | Print  

 How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging (12 Replies, Read 1470 times)
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Running a Softaculous backup, for a website with shell user jailkit in ISPConfig, hangs at 95%.

In order to workaround this, we should add Softaculous to Jailkit.

Some tips would be welcome regarding executables, regularfiles, directories, includesections setup in /etc/jailkit/jk_init.ini ( see https://themerevel.com/tutorials/ispconfig-add-more-applications-to-shell-user-jailkit-chroot/ )

On the other hand, chrooted php-fpm, without shell user jailkit , works out of the box with Softaculous backups https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3220

Thanks!
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Comparing softaculous backup with versus without jailkit user, I’ve noticed the diff running process /usr/bin/php -n -c /usr/local/softaculous/php.ini -d auto_prepend_file …

Trying to add php in jail, according to https://www.faqforge.com/linux/add-php-in-ssh-jail-ispconfig-3/, but backup still fails

/etc/jailkit/jk_init.ini

Code
[php]
comment = the php interpreter and libraries
executables = /usr/bin/php, /usr/bin/php7.2
directories = /usr/lib/php, /usr/share/php, /usr/share/php, /etc/php,/usr/share/zoneinfo
includesections = env

[env]
comment = environment variables
executables = /usr/bin/env




jk_init -c /etc/jailkit/jk_init.ini -f -k -j /var/www/clients/client1/web1 php
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Maybe /usr/local/softaculous/php.ini should be added to the jail too
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Temporary, adding all /user/local/softaculous to the jail

During backup for a non jailed user, this is the command.

Code
root@awx:~# ps -aux | grep softaculous
root     10464  0.0  0.0   4508   756 ?        S    02:56   0:00 /usr/local/softaculous/bin/soft cli 02435647083cce95752714093ce62990

web2     10465  100  0.5 221404 44244 ?        R    02:56   0:30 /usr/bin/php -n -c /usr/local/softaculous/php.ini -d auto_prepend_file=none -d auto_append_file=none /usr/local/softaculous/cli.php 02435647083cce95752714093ce62990

root     10515  0.0  0.0  13136  1008 pts/0    S+   02:57   0:00 grep --color=auto softaculous

Tried this, from a ssh session with restricted jailkit shell user

Code
defaultjk3@jk3.awx.debu.eu:/usr/local/softaculous$ php -n -c /usr/local/softaculous/php.ini -d auto_prepend_file=none -d auto_append_file=none /usr/local/softaculous/cli.php 02435647083cce95752714093ce62990

PHP Warning:  PHP Startup: Unable to load dynamic library 'mysql.so' (tried: /usr/lib/php/20170718/mysql.so (/usr/lib/php/20170718/mysql.so: cannot open shared object file: No such file or directory), /usr/lib/php/20170718/mysql.so.so (/usr/lib/php/20170718/mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0

PHP Warning:  PHP Startup: Unable to load dynamic library 'mcrypt.so' (tried: /usr/lib/php/20170718/mcrypt.so (/usr/lib/php/20170718/mcrypt.so: cannot open shared object file: No such file or directory), /usr/lib/php/20170718/mcrypt.so.so (/usr/lib/php/20170718/mcrypt.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0

Nothing to do. Please provide proper arguments.
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
Brijesh
Group: Softaculous Team
Post Group: Super Member
Posts: 4573
Status:
Hi,

Unfortunately we are not sure about the jailkit or chroot config.

We will try to setup this configuration on our server and try to replicate.

Try to add the following file and check if it works :
/usr/local/ispconfig/interface/web/softaculous.php

-----------------------
SitePad Website Builder
Follow us on Twitter
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Quote From : Brijesh April 27, 2020, 1:06 pm
Hi,

Unfortunately we are not sure about the jailkit or chroot config.

We will try to setup this configuration on our server and try to replicate.

Try to add the following file and check if it works :
/usr/local/ispconfig/interface/web/softaculous.php

Tried, not working.
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Quote From : EuroDomenii April 26, 2020, 12:39 am


Code
defaultjk3@jk3.awx.debu.eu:/usr/local/softaculous$ php -n -c /usr/local/softaculous/php.ini -d auto_prepend_file=none -d auto_append_file=none /usr/local/softaculous/cli.php 02435647083cce95752714093ce62990

PHP Warning:  PHP Startup: Unable to load dynamic library 'mysql.so' (tried: /usr/lib/php/20170718/mysql.so (/usr/lib/php/20170718/mysql.so: cannot open shared object file: No such file or directory), /usr/lib/php/20170718/mysql.so.so (/usr/lib/php/20170718/mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0

I'm using php7.  The(very) old style MySQL functions in PHP like mysql_connect() or mysql_query() have been deprecated for years and years, and have finally been removed in PHP 7. https://askubuntu.com/questions/858165/mysql-extension-is-missing-in-php7-installation-ubuntu-16-04

Maybe this won't fix the issue, since they are only warnings, but I guess they should be corrected anyway.
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
Brijesh
Group: Softaculous Team
Post Group: Super Member
Posts: 4573
Status:
Hi,

You can remove the line with mysql.so from :
/usr/local/softaculous/php.ini

-----------------------
SitePad Website Builder
Follow us on Twitter
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Quote From : Brijesh April 30, 2020, 10:54 am
Hi,

You can remove the line with mysql.so from :
/usr/local/softaculous/php.ini

It works!
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Quote From : EuroDomenii May 1, 2020, 10:59 am
Quote From : Brijesh April 30, 2020, 10:54 am
Hi,

You can remove the line with mysql.so from :
/usr/local/softaculous/php.ini

It works!

I mean that php warnings are gone, but the backup workflow still doesn't work
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
Doing a further comparison between root and jailed shell user, I get the  “Unauthorised web access”

Code
root@awx:~# /usr/local/softaculous/bin/soft cli 02435647083cce95752714093ce62990
Nothing to do. Please provide proper arguments.

defaultjk4@jk4.awx.debu.eu:~$ /usr/local/softaculous/bin/soft cli 02435647083cce95752714093ce62990
Unauthorised web access

Searching for a similar issues, I get  https://www.softaculous.com/board/index.php?tid=15399  “[Bug Fix] : Softaculous was giving “Unauthorised web access” error in Centos Web Panel server for fresh user account. This is fixed Now. “

Can you give me a clue, regarding the web access that needs to be granted?
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
Brijesh
Group: Softaculous Team
Post Group: Super Member
Posts: 4573
Status:
Hi,

The command above i.e. /usr/local/softaculous/bin/soft will not work directly from CLI. This should be invoked by Softaculous interface or via CLI utility in Softaculous i.e. /usr/local/softaculous/cli.php

You can refer to the following guide on how to perform backup via CLI :
https://www.softaculous.com/docs/cli/backup-installation-from-cli/

-----------------------
SitePad Website Builder
Follow us on Twitter
IP: --   

How to add Softaculous to ISPConfig shell user Jailkit chroot, in order to avoid backup hanging
EuroDomenii
Group: Member
Post Group: Newbie
Posts: 13
Status:
I was trying to debug chroot, with strace, according to https://olivier.sessink.nl/jailkit/howtos_debug_jails.html , running commands from https://www.softaculous.com/docs/cli/backup-installation-from-cli/

“ENOENT (No such file or directory)” could be a “false positive”, so I’ve compared running this backup script as root and as a restricted shell user.
Here are the results attached.

Some  diffs refers to :
/etc/httpd/conf/sites-available/ispconfig.vhost
/usr/local/ispconfig/server
/usr/lib/ssl/openssl.cnf
/var/softaculous

The chrooted user is trying to access to many sensitive things, and adding all those to chroot, would defeat the security purpose of chroot, also being space consuming. This would increase the risk of privilege escalation, the attacker being served with so much dangerous tools.

The built in ISPConfig backup functionality, has a better security design, triggering the backup later with cron cli under root, instead of trying to do it under a restricted shell user.

At the moment ISPConfig backup lacks some features of Softaculous backup, but there’s a promising merge request pending. https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/980

For the moment, a workaround would be to “Disable Backup/Restore Function for Endusers This will turn off the backup and restore function for endusers" from Softaculous, like other cPanel providers do.

On the other hand, putting myself in Softaculous shoes, I doubt it's worth the effort to change the overall general backup architecture, just for the sake of this use case in ISPConfig. 

Anyway, recently I’ve submitted AppArmor integration feature request in ISPConfig, with with some in depth analysis and proof-of-concept unpolished code,  https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5617, that would make ISPCONFIG jailkit feature obsolete. So we might talk in the future about Softaculous backup compatibility with AppArmor.
IP: --   

« Previous    Next »

Threaded Mode | Print  



Jump To :


Users viewing this topic
1 guests, 0 users.


All times are GMT. The time now is May 25, 2020, 11:51 pm.

  Powered By AEF 1.0.8 © 2007-2008 Electron Inc.Queries: 10  |  Page Created In:1.330