Hi sorry for the delay in replying i've been away below is the output from the log file when running that jail command
sh: usermod: comnd not found adding user unn_testjail5 to /var/www/vhosts/mydomain.com/web_users/etc/passwd with shell /usr/sbin/jk_lsh
adding group unn_testjail5 to /var/www/vhosts/mydomain.com/web_users/etc/group modify user unn_testjail5; dir /var/www/vhosts/mydomain.com/web_users/./home/unn_testjail5 and shell /usr/sbin/jk_chrootsh failed to execute usermod -d /var/www/vhosts/mydomain.com/web_users/./home/unn_testjail5 -s /usr/sbin/jk_chrootsh unn_testjail5
failed to modify user unn_testjail5 Moving files from /home/unn_testjail5 to /var/www/vhosts/mydomain.com/web_users/./home/unn_testjail5 Creating directory/var/www/vhosts/nummayspace.co.uk/web_users/./home/unn_testjail5
Copying /home/unn_testjail5/.bashrc to /var/www/vhosts/mydomain.com/web_users/./home/unn_testjail5/.bashrc Copying /home/unn_testjail5/.bash_profile to /var/www/vhosts/mydomain.com/web_users/./home/unn_testjail5/.bash_profile
On Oct 26, 2007 6:04 AM, <address@hidden> wrote: > Send Jailkit-users mailing list submissions to >
address@hidden > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.nongnu.org/mailman/listinfo/jailkit-users
> or, via email, send a message with subject or body 'help' to > address@hidden > > You can reach the person managing the list at
> address@hidden > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Jailkit-users digest..."
> > > Today's Topics: > > 1. Re: does not jail user when running through cron (Olivier Sessink) > 2. Prevent Fork Bombs on Jailed Python Interpreter ( Gregory Pi?ero )
> 3. Re: Prevent Fork Bombs on Jailed Python Interpreter > (Olivier Sessink) > 4. Re: Prevent Fork Bombs on Jailed Python Interpreter > ( Gregory Pi?ero ) > 5. Re: Prevent Fork Bombs on Jailed Python Interpreter
> (address@hidden) > 6. Re: Prevent Fork Bombs on Jailed Python Interpreter > ( Gregory Pi?ero ) > 7. Re: Prevent Fork Bombs on Jailed Python Interpreter
> ( Gregory Pi?ero ) > 8. Re: Prevent Fork Bombs on Jailed Python Interpreter > ( Gregory Pi?ero ) > 9. Re: Prevent Fork Bombs on Jailed Python Interpreter > (Olivier Sessink)
> > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 25 Oct 2007 18:16:12 +0200 > From: Olivier Sessink <
address@hidden> > Subject: Re: [Jailkit-users] does not jail user when running through > cron > To: address@hidden
> Message-ID: <address@hidden> > Content-Type: text/plain; charset=ISO-8859-1 > > Ross Linnett wrote: >
> > We created a script that runs through a cron that jails user that are > > registered in a mysql database.. If i run this script from command line > > it works fine.. if i run it on a cronjob it does all jobs necessary such
> > a create the system account etc.. but does not seem to jail the user > > properly.. > > what happens? do you see any log message? > > > i have checked the files jaildirectory/etc/passwd and the user details
> > have been inserted there > > > > if i run the jk_jailuser command for that user it will give me a message > > to say that user is already jailed.. > > > > Then if this user logs in again they are jailed
> > try running jk_jailuser with -v to see what is being changed. > > is the log message different now? > > Olivier > > > > > > ------------------------------
> > Message: 2 > Date: Thu, 25 Oct 2007 16:21:28 -0400 > From: " Gregory Pi?ero " <address@hidden> > Subject: [Jailkit-users] Prevent Fork Bombs on Jailed Python
> Interpreter > To: address@hidden > Message-ID: > <
address@hidden> > Content-Type: text/plain; charset=ISO-8859-1 > > I've set up a jailed Python interpreter. Now I'm wondering how to > prevent someone from running:
> > while 1: > os.fork() > > and freezing up my system. (A so called fork bomb.) Do you guys have > any advice? > > Thanks, > > Greg > >
> > > ------------------------------ > > Message: 3 > Date: Thu, 25 Oct 2007 22:52:04 +0200 > From: Olivier Sessink <address@hidden
> > Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python > Interpreter > To: address@hidden > Message-ID: <
address@hidden> > Content-Type: text/plain; charset=ISO-8859-1 > > Gregory Piñero wrote: > > I've set up a jailed Python interpreter. Now I'm wondering how to
> > prevent someone from running: > > > > while 1: > > os.fork() > > > > and freezing up my system. (A so called fork bomb.) Do you guys have > > any advice?
> > the standard thing that works against fork bombs: limit the number of > processes. > > But you're never going to stop somebody who can install their own > executables who wants to bring your server to a grinding halt. There are
> much heavier attacks than fork bombs. > > For example fork bombs that also use a lot of memory and open a lot of > file descriptors. These are much heaver for your system per process, so > a small number of processes can stop your system from functioning.
> > So if you expect your users to do these kind of things, you'll have to > prevent user executables: mount both /tmp and /home (in the jail) with > noexec (these should be the only places where users have write access)
> > regards, > Olivier > > > > > ------------------------------ > > Message: 4 > Date: Thu, 25 Oct 2007 16:56:32 -0400 > From: " Gregory Pi?ero " <
address@hidden> > Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python > Interpreter > To:
address@hidden > Message-ID: > <address@hidden> > Content-Type: text/plain; charset=ISO-8859-1
> > On 10/25/07, Olivier Sessink <address@hidden> wrote: > > Gregory Piñero wrote: > > > I've set up a jailed Python interpreter. Now I'm wondering how to
> > > prevent someone from running: > > > > > > while 1: > > > os.fork() > > > > > > and freezing up my system. (A so called fork bomb.) Do you guys have
> > > any advice? > > > > the standard thing that works against fork bombs: limit the number of > > processes. > > > > Thanks, that sounds like it would work. Any advice on how to do that on Linux?
> > > > But you're never going to stop somebody who can install their own > > executables who wants to bring your server to a grinding halt. There are > > much heavier attacks than fork bombs.
> > > > For example fork bombs that also use a lot of memory and open a lot of > > file descriptors. These are much heaver for your system per process, so > > a small number of processes can stop your system from functioning.
> > > > So if you expect your users to do these kind of things, you'll have to > > prevent user executables: mount both /tmp and /home (in the jail) with > > noexec (these should be the only places where users have write access)
> > > > I'm not expecting any of that. Should be ok. > > -Greg > > > > > ------------------------------ > > Message: 5 > Date: Thu, 25 Oct 2007 23:29:53 +0200
> From: address@hidden > Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python > Interpreter > To:
address@hidden > Message-ID: <address@hidden> > Content-Type: text/plain; charset="utf-8"; format=flowed > > Hello Greg, > > >> the standard thing that works against fork bombs: limit the number of
> >> processes. > >> > > > > Thanks, that sounds like it would work. Any advice on how to do that on Linux? > > This is usually done by setting values in limits.conf
(to be found in /etc > or /etc/security). The file comes with good comments and a few examples. So > there is some basis there to work from. > Remember that a normal shell session via jailkit already uses a few
> processes, so don't go setting the number too strictly. On the other hand, > memory should probably be guarded more closely. > > Cheers, > Stephen > > > >
> ------------------------------ > > Message: 6 > Date: Thu, 25 Oct 2007 18:27:48 -0400 > From: " Gregory Pi?ero " <address@hidden>
> Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python > Interpreter > To: address@hidden > Message-ID: > <
address@hidden> > Content-Type: text/plain; charset=ISO-8859-1 > > On 10/25/07,
address@hidden <address@hidden> wrote: > > Hello Greg, > > > > >> the standard thing that works against fork bombs: limit the number of
> > >> processes. > > >> > > > > > > Thanks, that sounds like it would work. Any advice on how to do that on Linux? > > > > This is usually done by setting values in
limits.conf (to be found in /etc > > or /etc/security). The file comes with good comments and a few examples. So > > there is some basis there to work from. > > Remember that a normal shell session via jailkit already uses a few
> > processes, so don't go setting the number too strictly. On the other hand, > > memory should probably be guarded more closely. > > > > Thanks. Is that a better approach than using ulimit?
> > -Greg > > > > > ------------------------------ > > Message: 7 > Date: Thu, 25 Oct 2007 22:50:54 -0400 > From: " Gregory Pi?ero " <
address@hidden> > Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python > Interpreter > To: address@hidden > Message-ID:
> <address@hidden> > Content-Type: text/plain; charset=ISO-8859-1
> > On 10/25/07, Gregory Piñero <address@hidden> wrote: > > > This is usually done by setting values in limits.conf (to be found in /etc > > > or /etc/security). The file comes with good comments and a few examples. So
> > > there is some basis there to work from. > > > Remember that a normal shell session via jailkit already uses a few > > > processes, so don't go setting the number too strictly. On the other hand,
> > > memory should probably be guarded more closely. > > > > > I have a script run by root that launches six of these: > jk_chrootlaunch -u jailtest -g jailtest -j /srv/jail_for_python/ -x
> /srv/jail_for_python/usr/bin/python2.4 exec_worker.py > > So I tried adding this to limits.conf: > jailtest hard nproc 1 > > But I'm still allowed to start the 6 processes.
> > Any ideas? > > -Greg > > > > > ------------------------------ > > Message: 8 > Date: Fri, 26 Oct 2007 00:49:11 -0400 > From: " Gregory Pi?ero " <
address@hidden> > Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python > Interpreter > To:
address@hidden > Message-ID: > <address@hidden> > Content-Type: text/plain; charset=ISO-8859-1
> > On 10/25/07, Gregory Piñero <address@hidden> wrote: > > I have a script run by root that launches six of these: > > jk_chrootlaunch -u jailtest -g jailtest -j /srv/jail_for_python/ -x
> > /srv/jail_for_python/usr/bin/python2.4 exec_worker.py > > > > So I tried adding this to limits.conf: > > jailtest hard nproc 1 > > > > But I'm still allowed to start the 6 processes.
> > > > Ok, here's the latest. I think limits.conf only works for logged in > users, not for my special jail user. > > So I found this nifty tool which seems to work >
http://cr.yp.to/daemontools/softlimit.html > > Here's how I call it: > sudo jk_chrootlaunch -u jailtest -g jailtest -j /srv/jail_for_python/
> --exec /srv/jail_for_python/softlimit -- -p 1 -m 12000000 > /usr/bin/python2.4 exec_worker.py > > I put softlimit in the jail with permissions root:root -rwx--x--x > > -Greg >
> > > > ------------------------------ > > Message: 9 > Date: Fri, 26 Oct 2007 08:04:17 +0200 > From: Olivier Sessink <address@hidden
> > Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python > Interpreter > To: address@hidden > Message-ID: <
address@hidden> > Content-Type: text/plain; charset=ISO-8859-1 > > Gregory Piñero wrote: > > On 10/25/07, Gregory Piñero <
address@hidden> wrote: > >> I have a script run by root that launches six of these: > >> jk_chrootlaunch -u jailtest -g jailtest -j /srv/jail_for_python/ -x > >> /srv/jail_for_python/usr/bin/python2.4 exec_worker.py
> >> > >> So I tried adding this to limits.conf: > >> jailtest hard nproc 1 > >> > >> But I'm still allowed to start the 6 processes. > >>
> > > > Ok, here's the latest. I think limits.conf only works for logged in > > users, not for my special jail user. > > I might be 100% wrong here: but it might be that 'bash' is the program
> that actually sets the limits. So if you use another shell (jk_chrootsh) > the limits are not set. That could at least explain the behavior found. > But how do we find out which program sets the limits?
> > regards, > Olivier > > > > > ------------------------------ > > _______________________________________________ > Jailkit-users mailing list
> address@hidden > http://lists.nongnu.org/mailman/listinfo/jailkit-users >
> > End of Jailkit-users Digest, Vol 25, Issue 9 > ******************************************** >