jails Seamless login non-root user into jail

I want one regular (non-root) user to have access from outside to the jail as a regular user inside it.
For example, I have a jail "apache" in which I want the user "webmaster" to be able to work as www.
I thought it would be possible to create the user "webmaster" on the host system and assign him a logon command like "jexec -U www apache", but it threw the error "jexec: jail_attach(2): Operation not permitted".
Any suggestions?
 
jexec(8) uses jail_attach(2) (in short, fork a new process and then "attach" it to the jail) to do its job. See the manpage:
Code:
     The jail_attach() and jail_remove() system calls will fail if:

     [EPERM]            A user other than the super-user attempted to attach
                        to or remove a jail.

In short, this is "root-only" functionality. You might be able to add your own suid-helper, but even without that, I'd be worried about security (you actually enable a login on your host).

One possible option: Make it a VNET jail and run sshd(8) inside.
 
A not-so-secure method may look like this:

permit webmaster as root cmd jexec args "-U www apache"

in /usr/local/etc/doas.conf

//don't remember, does args need quotes?
 
Any suggestions?
In my opinion, a better way is to enable sshd inside the jail and allow remote ssh login as webmaster directly into the jail.
Of course, you can set UID 80 for webmaster as an easy solution.
It is a good idea to reduce the number of ssh users on the host to protect the host.
 
For me, it works like this:

Code:
/usr/local/etc/doas.conf :

permit nopass marietto cmd jexec

and:

Code:
doas jexec -u marietto noble /bin/bash
 
So, for you it could work like this:

Code:
/usr/local/etc/doas.conf :

permit nopass webmaster cmd jexec

and:

Code:
doas jexec -u webmaster apache sudo -u www apache

For sure you should add the user www to the /etc/sudoers file like this:

Code:
www    ALL=(ALL:ALL) ALL

sources :

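The doas rules posted in this thread differ in how much of the jexec command line they pin down. The following is an added example, not code from any poster or from doas itself: a simplified Python model of doas.conf(5) rule matching that handles only user identities and the permit/as/cmd/args keywords. The `PINNED` rule (the first posted rule with its quotes removed), the `check` helper and the two test command lines are constructed for illustration.

```python
import shlex

OPTIONS = {"nopass", "persist", "keepenv"}  # setenv { ... } is not modelled

def parse_rule(line):
    """Split one doas.conf rule into its parts; quoting follows shlex rules."""
    tok = shlex.split(line, comments=True)
    rule = {"permit": tok[0] == "permit", "target": None, "cmd": None, "args": None}
    i = 1
    while tok[i] in OPTIONS:
        i += 1
    rule["ident"] = tok[i]
    i += 1
    if tok[i:i + 1] == ["as"]:
        rule["target"], i = tok[i + 1], i + 2
    if tok[i:i + 1] == ["cmd"]:
        rule["cmd"], i = tok[i + 1], i + 2
        if tok[i:i + 1] == ["args"]:
            rule["args"] = tok[i + 1:]  # bare "args" means: no arguments allowed
    return rule

def allowed(rules, user, argv, target="root"):
    """doas.conf(5) semantics: the last matching rule wins, no match is a deny."""
    verdict = False
    for r in rules:
        if r["ident"] != user or r["target"] not in (None, target):
            continue
        if r["cmd"] is not None and r["cmd"] != argv[0]:
            continue
        if r["args"] is not None and r["args"] != argv[1:]:
            continue
        verdict = r["permit"]
    return verdict

# Rules as posted in the thread, plus the first one with the quotes removed.
QUOTED = 'permit webmaster as root cmd jexec args "-U www apache"'
PINNED = 'permit webmaster as root cmd jexec args -U www apache'
OPEN = 'permit nopass webmaster cmd jexec'

def check(rule_line, command):
    """Would a host user 'webmaster' be allowed to run this command via doas?"""
    return allowed([parse_rule(rule_line)], "webmaster", shlex.split(command))

if __name__ == "__main__":
    # Constructed command lines a host user "webmaster" might type after "doas".
    for cmd in ("jexec -U www apache", "jexec apache /bin/sh"):
        for name, rule in (("QUOTED", QUOTED), ("PINNED", PINNED), ("OPEN", OPEN)):
            print(f"{name:7} {cmd:22} -> {'permit' if check(rule, cmd) else 'deny'}")
```

In this model the quoted rule never matches, because the quoted string is a single argument, while the rule without `args` permits every jexec invocation for webmaster, including ones that run as root inside any jail.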
 
I want one regular (non-root) user to have access from outside to the jail as a regular user inside it.
For example, I have a jail "apache" in which I want the user "webmaster" to be able to work as www.
I thought it would be possible to create the user "webmaster" on the host system and assign him a logon command like "jexec -U www apache", but it threw the error "jexec: jail_attach(2): Operation not permitted".
Any suggestions?
* security/pam_jail
* sysutils/jailme
 