Git inside jailed environment

Git inside jailed environment

Obviously, the server must have Git installed:

sudo apt-get update ; sudo apt-get install git

We must add Git as a possible command for chroot-ed shell users.

If we have ISPConfig control panel, we can do that for all the future shell users by setting - appending /usr/bin/git to the field Server Config -> Jailkit -> Jailkit chrooted applications.

That proved to be enough only for basic operation of cloning, and only under git:// protocol.

Note: Please note that adding Jailkit chrooted applications in ISPConfig must be done prior to creating first Jailkit user for a website. If you want to copy files into a jail later, use the jailkit jk_cp command.

Warning: If you want a valid SSH user in ISPConfig, you must generate any password even if you don’t use one and login only with key authentication. So please, always specify password.

Problems & solutions

warning: templates not found /usr/share/git-core/templates

Just creating empty file will do:

mkdir -p $HOME/usr/share/git-core/templates
touch $HOME/usr/share/git-core/templates/description

And execute this to append to ~/.bashrc file:

cat << EOF >> ~/.bashrc
# fix Git warning
export GIT_TEMPLATE_DIR=$HOME/usr/share/git-core/templates
EOF

or type git every time with switch --template like this:

git clone --template=$HOME/usr/share/git-core/templates

This solution is valid and most minimalistic. But below is more elegant and faster jk_cp solution.

fatal: Unable to find remote helper for ‘https’

We can avoid this error by using different protocol.

Happens on cloning:

git clone https://github.com/example.git

Simplest solution is to use git:// transport instead of https:// and that will solve the problem. You can also use ssh:// transport, but then you have to setup authentication keys.

Not sure really, but I think that on server I must have this libraries installed:

sudo apt-get install libcurl4-openssl-dev

fatal: Problem with the SSL CA cert (path? access rights?)

The complete error is:

fatal: unable to access 'https://...': Problem with the SSL CA cert (path? access rights?)

To permanently fix this, just type as jailed user:

git config --global http.sslverify false

If you want just temporary fix, one of the ways is this:

export GIT_SSL_NO_VERIFY=true

Source: How can I make git accept a self signed certificate?

The best setup

First, you need to find out the jail for ssh user. The jail is your jailed directory (/var/www/clients/client0/web5).

How we can detect it? Well, on ISPConfig, if you log in as jailed user, you can read it with jk_list command on other console as root.

JAILDIR=/var/www/clients/client0/web2
jk_cp -v -j $JAILDIR /usr/bin/git*
jk_cp -j $JAILDIR /usr/lib/git-core/*
jk_cp -j $JAILDIR /usr/bin/ssh-keygen
jk_cp -j $JAILDIR /bin/uname
jk_cp -j $JAILDIR /usr/share/git-core

# Also add the curl command
jk_cp -j $JAILDIR /usr/bin/curl

I added the last one so we don’t need manually to fix templates not found warning.

We can also add curl or any other command with:

jk_cp -j $JAILDIR /usr/bin/curl

This will copy not only command, but all the dependencies of that command. Great!

Source: Allowing GIT in JailKit on ISPConfig


MySQL dump inside Jail

Jailkit und mysqld.sock FIX*** | Howtoforge - Linux Howtos und Tutorials

Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’

Must be connected via TCP, and to force that, we can do this:

cat <<'EOF' > ~/.my.cnf
[client]
protocol=TCP
EOF

[client] user=mysqluser password=mysqlpass


How to add PHP support for jailed SSH users in ISPConfig 3


Java inside Jailkit

JAILDIR=/var/www/clients/client0/web1

jk_cp -j $JAILDIR /usr/bin/java jk_cp -j $JAILDIR /usr/lib/jvm/default-java jk_cp -j $JAILDIR /usr/lib/jvm/default-java

paths = /usr/lib/jdk1.6.0_22/bin/java, /lib/libpthread.so.0, /lib/libdl.so.2, /lib/libc.so.6, /usr/lib/jdk1.6.0_22/jre/lib, /lib/libm.so.6, /lib/libm-2.5.so, /proc/meminfo

As that user:

nano ~/.bash_profile

export JAVA_HOME=/usr/lib/jvm/default-java
export PATH=$PATH:$JAVA_HOME/bin
export LD_LIBRARY_PATH=/usr/lib/jvm/default-java/jre/lib/amd64/jli/

Must relogin to test this: echo $JAVA_HOME

Ali mora prvo ono da se isključi - ISPConfig’s folder protection.

chattr -i $JAILDIR
mkdir $JAILDIR/proc
chattr +i $JAILDIR

And then:

mount --bind /proc $JAILDIR/proc

Sources:

date 01. Jan 0001 | modified 28. May 2021
filename: Problem - Git inside jail