SOLVED - Extending chroot jail or removing it
I discovered that on a new server PHP is in "chroot jail". I tested the command stat -c %i / and, according to one website I found while doing some research, discovered that the programming language was indeed in "chroot jail" (it returned a 2). I had checked whoami via PHP shell_exec(), permissions, checked the file manually in the FTP and PuTTY/terminal, permissions, etc. and there was absolutely no other explanation.
I would like to continue to use the "chroot jail" only if I can use the Linux root user to allow the programming language access to specific files. No, PHP is run under a different user, not root. No: I do not want to blindly grant access to entire directories because then the point of it becomes null and void. For example, I need PHP to have access to the /etc/os-release file, not a copy of it. If the original is updated then the copy isn't and that negates the point of access. I do not want to grant access to literally all of /etc/. If granting individual file access is possible I would then like to know:
- I have not been able to find a list of chroot commands with basic descriptions.
- I want to know how to list an index of all chroot jails and their respective users to avoid repeating the "discovery" of them.
- I want to know how to list the "walls" of each "chroot jail" e.g. what files/directories they have access to.
- I want to know how to grant read access to a file like the /etc/os-release file (read as in just read, not write or execute).
- For contrast to the read option, I want to know how to grant write access to a file.
- Chroot only matters as long as I can extend access to specific files and not a copy of the file that does not get updated when the original is updated.
If I can not grant chroot access to direct files (not copies of them) then, by using the Linux root user I need to know how to bust PHP out of the "chroot jail".
So either: how do I extend the "chroot jail" to allow access to read only specific files (not entire directories and not merely copies of those files) or if that is not possible how do I properly dismantle the "chroot jail" without causing damage to the file system?
For any answers please do not presume or infer that I know the involved syntax as that is a large part of my question. I reference absolute paths instead of relative paths for example. Thank you.
* Edit 1: I found a command that lists "chroot jails" however since PHP is not always running the caveat is that I have to have PHP do something to run long enough for the command to see it running. So it's not a proper chroot index function. It is possible with a basic script:
<?php
echo 1;
sleep(30);
echo 2;
?>
So then running the command in the terminal as root:
for file in `find /proc/ -type l -name "root" -print 2> /dev/null | grep -Eiv /task/ 2> /dev/null`; do PID=`ls -d $file 2> /dev/null| awk -F "/" '{print $3}'` && printf "%s = %s = %s\n" "$PID" `ps -p "$PID" 2> /dev/null | tail -n1 | awk '{print $4}'` `readlink $file 2> /dev/null` | grep -Eiv "(= /$|^\s*=\s*$|^.*?=\s*$)";done
...resulted in listing several processes including:
4***** = php-cgi = /usr/share/cagefs-skeleton
So yes, I've got a better confirmation that PHP is stuck in "chroot jail". I'm now working to verify if adding a file is 1. possible and 2. updating the actual file results in the "copy" being updated or not.
** Edit 2:
So I want chroot removed outright or at the very least to know how to free a process held hostage by chroot. From what I can determine chroot is part of CageFS which itself is part of Imunify360. Using the command chroot --help only reveals commands for making more chroot jail messes, no showing the index of chroot jails and certainly no removing of chroot jails!
This cPanel page has the command to list chroot jailed processes:
...remember: since PHP is run on command and, by default, does not run all of the time it won't be listed unless you do something like use sleep(30); and then run that command.
But right now my only concern is figuring out how to cleanly remove the PHP process from the chroot jail. The command revealed PHP as the following chroot jail:
414964 = php-cgi = /usr/share/cagefs-skeleton
...hence why I went poking around looking at whatever cagefs is. So - can anyone please help me at least free PHP from chroot jail? Even better - can anyone help me purge it from existence?
-
SOLVED
Detecting chroot for PHP required running PHP's sleep(30) (30 seconds) as the command only detects chroot processes that are running by this command:
for file in `find /proc/ -type l -name "root" -print 2> /dev/null | grep -Eiv /task/ 2> /dev/null`; do PID=`ls -d $file 2> /dev/null| awk -F "/" '{print $3}'` && printf "%s = %s = %s\n" "$PID" `ps -p "$PID" 2> /dev/null | tail -n1 | awk '{print $4}'` `readlink $file 2> /dev/null` | grep -Eiv "(= /$|^\s*=\s*$|^.*?=\s*$)";done
Which is referenced at this cPanel URL:
https://support.cpanel.net/hc/en-us/articles/1500012454701-How-To-Find-The-List-Of-All-The-Chroot-ed-Processes-On-The-System
Trying to figure out how chroot was integrated in SSH/PuTTY logged in as root I ran the following command:
find / -name '*chroot*'
Many of the results included file system paths like:
/usr/share/cagefs-skeleton/usr/
Eventually I went to WHM and looked specifically for cagefs which is listed under Plugins.
On the cagefs plugin page the jabcreat Linux user (used by PHP) was listed. I removed it and updated the cagefs plugin. I reloaded my custom built Control Panel and confirmed the chroot error was no longer occurring.
Please make note that PHP functions like shell_exec() and file_get_contents not working and not finding files can be a result of having chroot / cagefs installed and enabled for the Linux user PHP uses.
The idea of chroot is good but no function is worth jack-diddly unless it allows you to easily: index, create, edit and delete which it does not! This problem destroyed five of my work days so I hope this helps someone else out who is struggling with the same BS.
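A function form of the /proc scan used in the post above, as an added example that is not part of the original post or of cPanel's article: it reads each /proc/PID/root link directly and skips processes that have exited or cannot be read. The names list_chrooted and make_sample_proc and the sample tree are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# list_chrooted [PROC_DIR]: print "PID = command = root" for every process
# whose root directory is not "/". PROC_DIR defaults to /proc.
# The body runs in a subshell so its variables stay local.
list_chrooted() (
    proc="${1:-/proc}"
    for dir in "$proc"/[0-9]*; do      # only PID directories start with a digit
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # readlink fails if the process already exited or we lack permission
        root="$(readlink "$dir/root" 2>/dev/null)" || continue
        [ -n "$root" ] || continue
        [ "$root" = "/" ] && continue  # normal, un-jailed process
        name="$(cat "$dir/comm" 2>/dev/null)" || name="?"
        printf '%s = %s = %s\n' "$pid" "$name" "$root"
    done
)

# Constructed sample tree standing in for /proc (not real process data).
# Prints the path of the temporary directory it creates.
make_sample_proc() (
    d="$(mktemp -d)"
    mkdir "$d/101" "$d/202" "$d/303"
    ln -s / "$d/101/root"
    echo sshd > "$d/101/comm"
    ln -s /usr/share/cagefs-skeleton "$d/202/root"
    echo php-cgi > "$d/202/comm"
    echo gone > "$d/303/comm"          # no root link: exited or unreadable
    printf '%s\n' "$d"
)

# Demo on the constructed tree; prints only the jailed php-cgi entry.
sample="$(make_sample_proc)"
list_chrooted "$sample"
rm -rf "$sample"
```

On a server, call list_chrooted as root with no argument to scan the real /proc; a short-lived php-cgi still has to be running at that moment to appear.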
-
I'm glad you were able to find a good solution, and thanks for sharing it!