Implementation of jailed shells (hestiacp#4052)

* feat: Initial implementation of jailed bash shell

* Remove error messages if jail is not installed

Jail not being installed is a expected default state. This way a
user that wants a non-jailed bash shell has the ability to keep
using those.

* Fix error with nologin chroot not being kept intact and add bash jail test

* Make sure the group and bash shell is added to the jail

* Make hestia depend on jailkit

* allow admin to enable jail for packages and users

* Make sure jail is created correctly

* Remove some duplicate calls and add some more of explanation

* Add more explanation on why changes can be reverted

* Move homedir in chroot and fix issues with add and remove

To make ssh jails work properly we need to move the homedir to the
same root of the jail as the original location. We also need php
and a user writable /tmp in the jail.

* fix tests to show the new mount location

* fix small issues with conf not being read properly

* install all server php versions in the user jail and remove fpm

* Add validation for some unwanted shell with jail combinations

* Add unzip, zip and zstd to jail

* remove cli docs reference

* fix spacing in v-list-user

* make default jail enabled no

* change way ssl certificates are handled

* fixed jail errors for groups and added node and npm

Author: rjd22

bin/v-add-sys-ssh-jail

@@ -0,0 +1,111 @@
+#!/bin/bash
+# info: add system ssh jail
+# options: [RESTART]
+#
+# example: v-add-sys-ssh-jail yes
+#
+# This function enables ssh jailed environment.
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+restart=$1
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+# Checking if jailkit is installed
+if [ ! -x /sbin/jk_init ]; then
+	exit
+fi
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking sshd directives
+config='/etc/ssh/sshd_config'
+ssh_i=$(grep -n "^# Hestia SSH Chroot" $config)
+
+# Enabling jailed ssh
+if [ -z "$ssh_i" ]; then
+	echo " " >> $config
+	echo "# Hestia SSH Chroot" >> $config
+	echo "Match Group ssh-jailed" >> $config
+	echo "    ChrootDirectory /srv/jail/%u" >> $config
+	echo "    X11Forwarding no" >> $config
+	echo "    AllowTCPForwarding no" >> $config
+	restart='yes'
+fi
+
+# Validating opensshd config
+if [ "$restart" = 'yes' ]; then
+	subj="OpenSSH restart failed"
+	email=$(grep CONTACT "$HESTIA/data/users/$ROOT_USER/user.conf" | cut -f 2 -d \')
+	/usr/sbin/sshd -t > /dev/null 2>&1
+	if [ "$?" -ne 0 ]; then
+		mail_text="OpenSSH can not be restarted. Please check config:
+            \n\n$(/usr/sbin/sshd -t)"
+		echo -e "$mail_text" | $SENDMAIL -s "$subj" $email
+	else
+		service sshd restart > /dev/null 2>&1
+	fi
+fi
+
+# Adding group
+groupadd ssh-jailed 2> /dev/null
+
+# Checking jailkit init
+jk_init='/etc/jailkit/jk_init.ini'
+jk_php_i=$(grep -n "^# Hestia Jail Settings" $jk_init)
+
+# Add PHP to jailkit init to allow usage of it within jail
+if [ -z "$jk_php_i" ]; then
+	cp -f $HESTIA_COMMON_DIR/jailkit/jk_init.ini /etc/jailkit
+fi
+
+# Restart ssh service
+if [ "$restart" = 'no' ]; then
+	# Skip restart of SSH daemon
+	echo "" > /dev/null 2>&1
+else
+	service ssh restart > /dev/null 2>&1
+fi
+
+# Jails need maintenance to update the binaries within the jail. To do so we just reset the chroot
+# and reapply the jail
+for user in $("$BIN/v-list-users" list); do
+	check_jail_enabled=$(grep "SHELL_JAIL_ENABLED='yes'" $HESTIA/data/users/$user/user.conf)
+
+	# If jail enabled try to jail the user
+	if [ -n "$check_jail_enabled" ]; then
+		$BIN/v-add-user-ssh-jail "$user" "no"
+	fi
+done
+
+# Add v-add-sys-ssh-jail to startup
+if [ ! -e "/etc/cron.d/hestia-ssh-jail" ]; then
+	echo "@reboot root sleep 60 && /usr/local/hestia/bin/v-add-sys-ssh-jail > /dev/null" > /etc/cron.d/hestia-ssh-jail
+fi
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-add-user

@@ -69,7 +69,7 @@ check_hestia_demo_mode
 pkg_data=$(cat $HESTIA/data/packages/$package.pkg | egrep -v "TIME|DATE")
 
 # Checking shell
-shell_conf=$(echo "$pkg_data" | grep 'SHELL' | cut -f 2 -d \')
+shell_conf=$(echo "$pkg_data" | grep -m1 'SHELL' | cut -f 2 -d \')
 shell=$(grep -w "$shell_conf" /etc/shells | head -n1)
 
 # Adding user
@@ -274,6 +274,11 @@ fi
 # Adding jailed sftp env
 $BIN/v-add-user-sftp-jail $user
 
+# Adding jailed ssh env
+if [ "$SHELL_JAIL_ENABLED" = 'yes' ]; then
+	$BIN/v-add-user-ssh-jail $user
+fi
+
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#

bin/v-add-user-package

@@ -81,6 +81,7 @@ is_package_consistent() {
 	fi
 
 	is_format_valid_shell "$SHELL"
+	is_boolean_format_valid "$SHELL_JAIL_ENABLED" 'SHELL_JAIL_ENABLED'
 }
 
 #----------------------------------------------------------#
@@ -132,6 +133,7 @@ DISK_QUOTA='$DISK_QUOTA'
 BANDWIDTH='$BANDWIDTH'
 NS='$NS'
 SHELL='$SHELL'
+SHELL_JAIL_ENABLED='$SHELL_JAIL_ENABLED'
 BACKUPS='$BACKUPS'
 TIME='$time'
 DATE='$date'

bin/v-add-user-ssh-jail

@@ -0,0 +1,96 @@
+#!/bin/bash
+# info: add user ssh jail
+# options: USER [RESTART]
+#
+# example: v-add-user-ssh-jail admin
+#
+# This function enables ssh jailed environment
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+restart=$3
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+chroot="/srv/jail/$user"
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+# Checking if jailkit is installed
+if [ ! -x /sbin/jk_init ]; then
+	exit
+fi
+
+check_args '1' "$#" 'USER'
+is_format_valid 'user'
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Get shell full path
+shell_path=$(grep "^$user:" /etc/passwd | cut -f 7 -d :)
+
+# Set home folder permission to root
+if [ -d "/home/$user" ]; then
+	chown root:root /home/$user
+fi
+
+add_chroot_jail "$user"
+
+# Add user to the ssh-jailed group to allow jailed ssh
+# This needs to be done first to make sure these groups are made available in the jail
+usermod -a -G ssh-jailed $user
+
+# Installing shell files into the user chroot directory
+# - IMPORTANT - MODIFY THE FOLLOWING LINES AND THE FILE jk_init.ini ACCORDING TO YOUR SYSTEM AND YOUR PREFERENCES
+/sbin/jk_init -f -j $chroot extendedshell netutils ssh sftp scp git php php5_6 php7_0 php7_1 php7_2 php7_3 php7_4 php8_0 php8_1 php8_2 > /dev/null 2>&1
+/sbin/jk_cp -f -j $chroot /bin/id > /dev/null 2>&1
+
+# Jailing user to make sure passwd and groups are set correctly within the jail.
+# This command also does a little too much by changing the users homedir and
+# shell in /etc/passwd. The next commands reverts those changes for compatibility
+# with hestia.
+/sbin/jk_jailuser -n -s $shell_path -j $chroot $user
+
+# Reset home directory and shell again for hestiacp because jailkit changes these.
+# Normally these are needed to redirect the ssh user to it's chroot but because we
+# use a custom sshd_config to redirect the user to it's chroot we don't need it to be
+# changed in /etc/passwd for the user.
+usermod -d /home/$user $user
+usermod -s $shell_path $user
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Enabling user jail
+update_user_value "$user" '$SHELL_JAIL_ENABLED' "yes"
+
+# Restart ssh service
+if [ "$restart" = 'no' ]; then
+	# Skip restart of SSH daemon
+	echo "" > /dev/null 2>&1
+else
+	service sshd restart > /dev/null 2>&1
+fi
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-change-user-package

@@ -99,6 +99,7 @@ DISK_QUOTA='$DISK_QUOTA'
 BANDWIDTH='$BANDWIDTH'
 NS='$NS'
 SHELL='$SHELL'
+SHELL_JAIL_ENABLED='$SHELL_JAIL_ENABLED'
 BACKUPS='$BACKUPS'
 CONTACT='$CONTACT'
 CRON_REPORTS='$CRON_REPORTS'
@@ -169,8 +170,9 @@ check_hestia_demo_mode
 change_user_package
 
 # Update user shell
-shell_conf=$(cat "$HESTIA/data/packages/$package.pkg" | grep 'SHELL' | cut -f 2 -d \')
-$BIN/v-change-user-shell "$user" "$shell_conf"
+shell_conf=$(cat "$HESTIA/data/packages/$package.pkg" | grep -m1 'SHELL' | cut -f 2 -d \')
+shell_jail_enabled_conf=$(cat "$HESTIA/data/packages/$package.pkg" | grep 'SHELL_JAIL_ENABLED' | cut -f 2 -d \')
+$BIN/v-change-user-shell "$user" "$shell_conf" "$shell_jail_enabled_conf"
 
 # Run template trigger
 if [ -x "$HESTIA/data/packages/$package.sh" ]; then

bin/v-change-user-shell

@@ -1,8 +1,8 @@
 #!/bin/bash
 # info: change user shell
-# options: USER SHELL
+# options: USER SHELL JAIL_ENABLED
 #
-# example: v-change-user-shell admin nologin
+# example: v-change-user-shell admin nologin no
 #
 # This function changes system shell of a user. Shell gives ability to use ssh.
 
@@ -13,6 +13,7 @@
 # Argument definition
 user=$1
 shell=$2
+shell_jail_enabled=${3-no}
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -26,8 +27,8 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '2' "$#" 'USER SHELL'
-is_format_valid 'user' 'shell'
+check_args '3' "$#" 'USER SHELL SHELL_JAIL_ENABLED'
+is_format_valid 'user' 'shell shell_jail_enabled'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 
@@ -52,6 +53,13 @@ else
 	$BIN/v-delete-user-sftp-jail "$user" > /dev/null 2>&1
 fi
 
+# Adding jailed ssh env
+if [[ "$shell_jail_enabled" =~ yes ]]; then
+	$BIN/v-add-user-ssh-jail "$user" > /dev/null 2>&1
+else
+	$BIN/v-delete-user-ssh-jail "$user" > /dev/null 2>&1
+fi
+
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#

bin/v-delete-sys-ssh-jail

@@ -0,0 +1,72 @@
+#!/bin/bash
+# info: delete system ssh jail
+# options: NONE
+#
+# example: v-delete-sys-ssh-jail
+#
+# This function disables ssh jailed environment
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking sshd directives
+config='/etc/ssh/sshd_config'
+ssh_i=$(grep -n "^# Hestia SSH Chroot" $config)
+
+# Backing up config
+cp $config $config.bak
+
+# Disabling jailed ssh
+if [ -n "$ssh_i" ]; then
+	fline=$(echo "$ssh_i" | cut -f 1 -d :)
+	lline=$((fline + 4))
+	sed -i "${fline},${lline}d" $config
+	restart='yes'
+fi
+
+# Validating opensshd config
+if [ "$restart" = 'yes' ]; then
+	subj="OpenSSH restart failed"
+	email=$(grep CONTACT "$HESTIA/data/users/$ROOT_USER/user.conf" | cut -f 2 -d \')
+	/usr/sbin/sshd -t > /dev/null 2>&1
+	if [ "$?" -ne 0 ]; then
+		mail_text="OpenSSH can not be restarted. Please check config:
+            \n\n$(/usr/sbin/sshd -t)"
+		echo -e "$mail_text" | $SENDMAIL -s "$subj" $email
+	else
+		service sshd restart > /dev/null 2>&1
+	fi
+fi
+
+# Remove group ssh-jailed
+groupdel ssh-jailed 2> /dev/null
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+$BIN/v-log-action "system" "Warning" "Plugins" "SSH Chroot Jail disabled."
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-delete-user

@@ -89,6 +89,9 @@ sed -i "/ $user$/d" "$HESTIA/data/queue/traffic.pipe"
 # Deleting sftp jail
 $BIN/v-delete-user-sftp-jail "$user"
 
+# Deleting ssh jail
+$BIN/v-delete-user-ssh-jail "$user"
+
 # Deleting system user
 /usr/sbin/userdel -f "$user" >> /dev/null 2>&1
 if [ $? -ne 0 ]; then