Laravel and SSH access advice required

I would like to have some advice if possible for the situation that a customer has his website developed in Laravel and his developer insists he needs SSH access. I do know that it is best for security to have the Laravel installation outside the /html folder. I do understand he might want to make a symlink to the folder. My question:

Which shell to give, because there are 5 to choose from? Which one would be workable but with the least possible damage?

  • /bin/sh
  • /bin/bash
  • /usr/bin/sh
  • /usr/bin/bash
  • /usr/bin/jk_chrootsh

Kind regards,
Nico

Hi - no expert here but I wanted to reply to show you someone was listening and wanted to help.

My experience (1997 - *) says to use a jail shell for your users.

@Keegan, thank you very much, yes there are 5 of them, I will mention them in my question.

Found this: https://linux.die.net/man/8/jk_chrootsh that looks like a jail 🙂


How to: Set Jailed User

A jailed user will have a very limited view of the file system and available Linux commands when logged in.

It is recommended you exercise discretion when giving out shell access, even jailed shell access, to end users in shared hosting environments.

  1. Click the SiteWorx menu item if it is not already open.
  2. Click the Shell Users menu item.
  3. Enable the shell user if it’s not enabled already.
  4. Change a Shell User’s Shell to /usr/sbin/jk_chrootsh

From https://www.interworx.com/support/faq/troubleshooting-how-to/manage-ssh-shell-users/

Hi

@Nico we do not allow SSH, but we undertake requests to complete SSH actions on behalf of clients who request SSH actions, after we have reviewed the requested actions.

Many thanks

John

@d2d4j Hi John, I understand, sadly this customer's ‘Developer’ insists on getting SSH access, so hoping all goes well. Reading the jk_chrootsh man page it should be jailed to their own home folder and if all the configuration is in place from reading that man page, I hope it goes fine… Perhaps I should test it on a new VPS and see if I can do real harm to the system, hence I asked for some advice here so others might find it a useful discussion.
Kind regards, Nico

@d2d4j @Keegan
I am testing this as a user with the jailed shell, I am getting these messages when logging in, why is that?

bash: /usr/bin/id: No such file or directory
bash: /usr/bin/id: No such file or directory
bash: /opt/remi/php74/enable: No such file or directory

Kind regards
Nico

Is this after a reboot?

@Keegan
Hi, sorry, I have not rebooted, shouldn’t need after you enable SSH access, right?

hmm, a php -v command errors as well…

php -v
bash: php: command not found
echo $PATH
/usr/local/bin:/usr/bin

Kind regards,
Nico

Hi

Please could you try setting the PHP version to php7.3 or php7.2, saving, then changing it back to the current PHP version?

Does this resolve the issue?

Many thanks

John

Hi @d2d4j John,
I logged out, swapped to PHP 7.2 instead of 7.4, then same result: it just can’t find PHP. Is jk_chrootsh so restricted that it can’t find PHP? I did echo $PATH:

bash: /usr/bin/id: No such file or directory
bash: /usr/bin/id: No such file or directory
bash: /opt/remi/php74/enable: No such file or directory
bash: /opt/remi/php74/enable: No such file or directory
echo $PATH
/usr/local/bin:/usr/bin
php -v
bash: php: command not found

Kind regards,
Nico

@d2d4j Hi John, when changing the shell to /usr/bin/bash the command works.

php -v
PHP 7.4.16 (cli) (built: Mar 2 2021 10:35:17) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with the ionCube PHP Loader + ionCube24 v10.4.5, Copyright (c) 2002-2020, by ionCube Ltd.
with Zend OPcache v7.4.16, Copyright (c), by Zend Technologies

Bug? As I can imagine in the jailed one you should be able to use the php command?

Hi @Nico

Sorry for the delay, it’s been a busy day…

Not a bug I think, more an oversight, as the jail I suspect does not have the PHP links/symlinks to PHP and also, it would need the libraries as well I believe.

You can check from here: /etc/jailkit, but I would open a support ticket with IW and let IW confirm, as I am tired.

Many thanks and hope that helps a little

John

Hi @Nico,

What @d2d4j said is correct. InterWorx allows you to set up a jailshell for your users, but InterWorx does not manage the jailshell itself, thus it doesn’t automatically enable/disable things you may want to provide access to. As such, the default jk_init.conf does not provide any options for php access:

[root@uther jailkit]# grep php /etc/jailkit/jk_init.ini
[root@uther jailkit]# 

Because this isn’t something managed by InterWorx, adding PHP to the allowed options is not something we have documented. Having said that, I’ll work on reproducing locally and we’ll try to get you where you are going.

Thank you,
Brandon

Hi Brandon @iworx-brandon, @d2d4j
Thanks, I see. I really thought it was all done by InterWorx, as in the manual referred to by @Keegan there is no mention that the jailed shell needs to be configured by the server manager. Reading again both links, the jk_chrootsh(8) Linux man page lets me think that indeed the errors I got are related to it not being configured at all. What I don’t understand is that it works in the other shell environment I mentioned. How to proceed for the moment, as my user wants shell access and I have no idea which one to give now…

Kind regards,
Nico

Hello,

I’ve managed to get php (and all versions like php54, php71, etc) added to the jailshell with the following:

  1. Add the following to /etc/jailkit/jk_init.ini:

     [php]
     comment = php executables
     executables = /usr/bin/php, /usr/bin/php74, /usr/bin/php54, /usr/bin/php55, /usr/bin/php56, /usr/bin/php70, /usr/bin/php71, /usr/bin/php72, /usr/bin/php73, /usr/bin/php74, /usr/bin/php80
     includesections = env

     [env]
     comment = environment variables
     executables = /usr/bin/env

  2. Remove the symlink for bin in the current chroot environment:

     rm /chroot/bin

  3. Rebuild your jailshell with the following command:

     jk_init -v -k -f -j /chroot/ uidbasics netbasics logbasics jk_lsh limitedshell ssh basicshell extendedshell terminfo editors php env

All the entries after /chroot/ correspond to headers in the /etc/jailkit/jk_init.ini file. Please make sure you understand what they grant access to before allowing them. Just because I listed it above does not mean its inclusion is considered best security practice or the most secure set of options. The jailkit documentation is the best place to gain an understanding of all the options available to you in jailkit.

After that, php* is available in a jailshell:

[primary@iw7 ~]$ php -v
PHP 7.3.27 (cli) (built: Feb  2 2021 10:32:50) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.27, Copyright (c) 1998-2018 Zend Technologies
[primary@iw7 ~]$ php55 -v
PHP 5.5.38 (cli) (built: Oct 22 2019 14:10:44) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
[primary@iw7 ~]$ php74 -v
PHP 7.4.16 (cli) (built: Mar  2 2021 10:35:17) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies

@Nico, the other bash shell allows you access to php because it’s not locked to a chroot like the chroot shell is. Once you enable the chroot shell, if you go to /chroot you’ll see bin, etc, usr, etc. folders. The chroot is essentially a copy of only the commands/options you allow the user access to. The jk_init command copies these commands to the /chroot folder and then locks the user to only allow them to use the commands in that folder. In a jailshell, when you run php -v you’re actually running /chroot/usr/bin/php; in the bash shell, you’re just running /usr/bin/php. I hope that makes sense.

Brandon


Hi

@iworx-brandon - Kudos to you, but CLI may not be an issue if all PHP versions have CLI on; if not, it needs scripting to test. I know other control panels have the same issues and some use code to test for CLI.

@Nico - I was thinking after reading last night, and I think best practice is to install their own PHP-FPM version for the client in the jail. That way, if they compromise or break PHP, it should only affect them and not shared hosts using shared PHP-FPM versions.

Also, and this is outdated but gives insight into best practices, have you read this?

Linux 25 PHP Security Best Practices For Sys Admins - nixCraft (cyberciti.biz)

I would only give the jail to the client full time myself, and I think I may be correct, as MySQL, if needed for CLI in the jail, needs adding in. Apologies in advance if I am wrong.

Many thanks

John

Hi Brandon,
@iworx-brandon many thanks for your help and explanation, really much appreciated. I have applied it to the server and I am now able to use php, but the php.ini is missing, any idea how to fix that?

php composer-setup.php
Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:

The json extension is missing.
Install it or recompile php without --disable-json

The phar extension is missing.
Install it or recompile php without --disable-phar

The iconv OR mbstring extension is required and both are missing.
Install either of them or recompile php without --disable-iconv

php --ini
Configuration File (php.ini) Path: /etc
Loaded Configuration File: (none)
Scan for additional .ini files in: /etc/php.d
Additional .ini files parsed: (none)

php -v
PHP 7.4.16 (cli) (built: Mar 2 2021 10:35:17) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies

php -m
[PHP Modules]
Core
date
filter
hash
libxml
openssl
pcntl
pcre
readline
Reflection
session
SPL
standard
zlib

[Zend Modules]

@d2d4j
Kind regards,
Nico

I’d imagine you would need to add the files/directories for the php.ini, etc. to the [php] section of jk_init.ini and rebuild. Perhaps something like:

[php]
comment = php executables
executables = /usr/bin/php, /usr/bin/php74, /usr/bin/php54, /usr/bin/php55, /usr/bin/php56, /usr/bin/php70, /usr/bin/php71, /usr/bin/php72, /usr/bin/php73, /usr/bin/php74, /usr/bin/php80
paths = /etc/php.ini, /etc/opt/remi/php70/php.ini, /etc/opt/remi/php71/php.ini, <path to more php.inis here>
includesections = env

Though, I’m not entirely sure that is the correct syntax or if that would correct all of your issues with php. You could drop the entire contents of /etc into the jailshell, but I assume that makes the jailshell only slightly more secure than a normal shell as the jailshell user now has access to all configs in /etc (though normal permissions still apply).
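The jk_init.ini profile from the earlier post and the paths = line suggested just above both raise the same practical question for the person running jk_init: what exactly would end up inside /chroot once the included sections are followed? The script below is an added example, written for this thread and not part of InterWorx or jailkit, that parses a jk_init.ini-style file, follows includesections recursively (with a cycle guard), and reports things worth reviewing before a rebuild: duplicate entries (the [php] section above lists /usr/bin/php74 twice) and paths that would copy a whole system directory such as /etc into the jail. The sample configuration is constructed for the example; the key names executables, paths, directories, emptydirs and devices are jailkit's own, but the BROAD_PATHS list and the audit rules are this example's assumptions. It inspects the configuration only; the real jk_init additionally copies each executable's shared-library dependencies, which this script does not model.

```python
"""Audit which files a jailkit jk_init.ini profile would place in a chroot."""
import configparser

# Constructed sample, modelled on the [php]/[env] fragment in the thread.
# It is NOT the contents of any real server's /etc/jailkit/jk_init.ini.
SAMPLE_JK_INIT = """\
[env]
comment = environment variables
executables = /usr/bin/env

[uidbasics]
comment = files needed to resolve user and group names
paths = /etc/passwd, /etc/group

[php]
comment = php executables
executables = /usr/bin/php, /usr/bin/php74, /usr/bin/php74, /usr/bin/php80
paths = /etc/php.ini, /etc/php.d
includesections = env, uidbasics
"""

# Keys whose values jk_init treats as comma-separated lists of filesystem entries.
LIST_KEYS = ("executables", "paths", "directories", "emptydirs", "devices")
# Assumed list of directories too broad to copy wholesale without defeating the jail.
BROAD_PATHS = {"/", "/etc", "/usr", "/bin", "/lib", "/lib64", "/usr/bin", "/usr/lib", "/var"}


def split_list(value):
    """Split a comma-separated ini value, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_jk_init(text):
    """Parse jk_init.ini text into {section: {key: value-or-list}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sections = {}
    for name in cp.sections():
        entry = {}
        for key, value in cp.items(name):
            if key in LIST_KEYS or key == "includesections":
                entry[key] = split_list(value)
            else:
                entry[key] = value
        sections[name] = entry
    return sections


def resolve(sections, name, _seen=None):
    """Follow includesections recursively; return {key: [entries...]} in encounter order.

    Raises KeyError for an unknown section so a typo in a profile name fails loudly.
    """
    seen = _seen if _seen is not None else set()
    if name in seen:  # guard against include cycles (a includes b includes a)
        return {}
    seen.add(name)
    merged = {key: [] for key in LIST_KEYS}
    section = sections[name]
    for inc in section.get("includesections", []):
        for key, items in resolve(sections, inc, seen).items():
            merged[key].extend(items)
    for key in LIST_KEYS:
        merged[key].extend(section.get(key, []))
    return merged


def audit(sections, name):
    """Return human-readable findings an admin should review before running jk_init."""
    findings = []
    for key, items in resolve(sections, name).items():
        seen = set()
        for item in items:
            if item in seen:
                findings.append(f"duplicate {key} entry: {item}")
            seen.add(item)
            normalised = item.rstrip("/") or "/"
            if key in ("paths", "directories") and normalised in BROAD_PATHS:
                findings.append(f"broad {key} entry exposes a whole system directory: {item}")
    return findings


def unique(items):
    """Order-preserving de-duplication of a resolved list."""
    return list(dict.fromkeys(items))


if __name__ == "__main__":
    secs = parse_jk_init(SAMPLE_JK_INIT)
    merged = resolve(secs, "php")
    print("executables:", unique(merged["executables"]))
    print("paths:", unique(merged["paths"]))
    for finding in audit(secs, "php"):
        print("WARNING:", finding)
```

Run it against a copy of the real file with `parse_jk_init(open("/etc/jailkit/jk_init.ini").read())` and the profile name you intend to pass to jk_init; the resolved list is the set of files to justify before rebuilding, and a "broad paths entry" finding is the case Brandon warns about above, where dropping all of /etc into the jail leaves it only marginally more restricted than a normal shell.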

@iworx-brandon Hi Brandon,
Yes, I am trying to find out more about this on the internet; I see we can add directories and perhaps paths as well. If I find some concrete config I will update it here. Many thanks for the time you spent on this, I hope it will be useful for future reference.

Kind regards,
Nico
