I’m sure it’s some virtual copy, like a symbolic link or something like that, but not a duplicate copy. Don’t worry.
If you like to learn more, research “chroot” and how it creates a “contained space” for the user.
Also, I always like to point out that if you don’t know what you’re doing, jailed users are probably not more secure than unjailed ones.
In fact, the opposite can be true, though most of the security concerns with jails are resolved by use of capabilities (a Linux kernel feature that allows escalated privileges in a limited way). But, it is still almost certainly possible to give a user tools they need to elevate privileges, if you aren’t careful about how you setup the jail. The default jail configuration is believed to be secure, but once you start modifying what is in the jail…well, who knows?
Yes, I thought it was a symbolic link, but no. I also tried renaming the “home/five” directory to “home/five-back”, then I created a symbolic link to “/home/chroot/163102573011192/home/five”, good try but it crashes all.
But yes, for disk space, I confirm the data is indeed doubled.
Yes, that’s right, I don’t know exactly what I’m doing, I confirm .
The security strategy is to set up all the services with VirtualMin without touching the configuration without understanding. I am cautious. Then, we carry out tests to validate that the users are well separated. You should know that it is for websites that we manage and we want to protect these websites from each other but no one other than us has access to the sites.
In the case of PHP (not SSH, nor SFTP), the PHP CGI handler (FPM, etc) takes care of running the PHP code in the user’s name, so they cannot access other users’ files if permissions are set up properly (this is the default case).
Jails merely hide some details about the filesystem, they don’t really add much in the way of security (and can introduce security holes of their own, if you don’t understand how chroot works and put something dangerous into the chroot, though again, a capabilities-enabled jailkit package mitigates some of that risk). chroot jails give an illusion of more security, but it’s not a security feature.
Given OP is randomly moving files around and trying to consolidate jails to save disk space, I think they’re on a path to introducing security problems due to lack of understanding of how jails work.
@Jeff31, I used the jailkit too, in current state it’s more of a perception and you end up with false security - introducing potentially new issues already mentioned. I also had issues when restoring a jailed domain, didn’t always work as expected. Make sure php-fpm is used, best practice with domain owners/ what they have access to etc. but do disable the jailkit.
Jails should work, and backups/restores should also work when using jails (though there are potential compatibility issues when restoring jails across different distro/versions). We’ll fix bugs (but not OS/version compatibility issues) that are reported in those areas, and I don’t know of any outstanding issues.
I’m not telling anybody not to use jails because they’re buggy, I’m saying don’t assume you’re safer or more secure because you’re using them, and if you are using them you should spend an afternoon reading and understanding them and the security implications of using them.
Thanks @vending_makina and @Whoops . Yes, I also use php-FPM
But Chroot hallows me give ssh access just for one website at one developer of the team.
I realize that I have a complicated configuration. Before, i use virtualisation, it was more simply but the network layer was complicated. It’s like cars, we add a turbo, we add a lot of technology and after when you have a problem, it’s difficult and expensive for repairs. It’s efficiency that wants it.
Absolutely. Make things simple. The more stuff you add and the more features you apply - somebody will need to maintain this. If you are an expert, probably ok but if you are managing this at a ‘normal’ level, important to reduce risk of complications. I probably spend 10 hours on something that somebody else could fix in 10 minutes - therefore my approach would be tactical in terms of managing a server.
Same goes for fail2ban, you click here and there, enabling whatever - how many people do actually know what happens/impact it has. Or locking yourself out grin by accident. As Joe suggested, if you read/study the jail documentation and other improvements, might help to identify some challenges that you may experience.
No it doesn’t. It just hides some details of the filesystem from them. You can safely grant ssh access to users without chroot, as long as your filesystem permissions are correct. (They generally would be in a default Virtualmin configuration.)