jSYS (or Jail SYSTEM) is software developed by Izysoftware to create virtualized jails in user-space.
In this article a simple script is analyzed: a working bash script that creates new jSYS users with a skeleton directory tree to be used from jSYS.
When this script runs, you are asked to add a new system user to be used from jSYS shells. The added user's home directory is initialized with some folders and configuration files, including an automatically created XML configuration file for jSYS. The same file is also used directly by the login shell, since it is set as the login configuration file of the added user.
This script replicates some files existing in /proc with dummy files containing wrong but structurally valid values. This increases the privacy of the other system users by limiting which host resources are visible from the added user.
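As an added illustration of the skeleton and forged-file approach just described (this is not the jsys-adduser script itself, whose embedded XML configuration is not reproduced), a bash function that builds such a tree; the directory layout, file names and dummy values are assumptions:

```bash
#!/bin/bash
# Added example, not the jsys-adduser script itself: build the kind of skeleton
# home the article describes for a new jail user, with forged /etc and /proc
# files whose values are dummy but keep the real file formats. The directory
# layout, file names and values are assumptions; how jSYS maps this skeleton
# into the jail is defined by its XML configuration, which is not reproduced.
set -eu

# make_skeleton BASE USER UID: creates BASE/USER/{tmp,etc,proc} plus forged files.
make_skeleton() {
    local base="$1" user="$2" uid="$3"
    local home="$base/$user"
    mkdir -p "$home/tmp" "$home/etc" "$home/proc"

    # passwd (7 fields) and group (4 fields) list only the jailed user, so that
    # libc lookups such as id or ls -l still parse them but reveal no other account.
    printf '%s:x:%s:%s:%s,,,,:/home/%s:/bin/bash\n' \
        "$user" "$uid" "$uid" "$user" "$user" > "$home/etc/passwd"
    printf '%s:x:%s:\n' "$user" "$uid" > "$home/etc/group"

    # /proc files keep the kernel's field layout with constant dummy values, so
    # top, ps and uptime run without learning the host's real load or memory.
    printf '0.00 0.00 0.00 1/2 1\n' > "$home/proc/loadavg"   # 1/5/15 min, running/total, last pid
    printf '0.00 0.00\n'            > "$home/proc/uptime"    # uptime seconds, idle seconds
    printf 'Linux version 0.0.0 (jail)\n' > "$home/proc/version"
    printf 'MemTotal:       1048576 kB\nMemFree:         524288 kB\n' > "$home/proc/meminfo"
    printf 'SwapTotal:            0 kB\nSwapFree:             0 kB\n' >> "$home/proc/meminfo"
    printf 'cpu  0 0 0 0 0 0 0 0 0 0\nbtime 0\nprocesses 1\n' > "$home/proc/stat"

    chmod 700 "$home"          # other jailed users must not browse this home
    chmod 1777 "$home/tmp"     # the jail's /tmp is redirected here, per user
}

# field_count FILE SEP: number of SEP-separated fields on FILE's first line,
# a quick structural check that a forged file still parses like the real one.
field_count() { head -n1 "$1" | awk -F"$2" '{print NF}'; }

# Usage: make_skeleton /srv/jsys-skel jstest 1200
```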
When you run the script you only have to enter a username for the new system account to create and confirm its creation:
# bash jsys-adduser
You can automatically specify an account name from the command line:
# bash jsys-adduser jstest
Once the account has been added (in the example above, a user named jstest is created), it is usable over SSH if a password has been set for the user after its creation (and if an SSH server is running).
You can also test the account locally by typing:
$ su jstest
You can start an sshd server on the non-standard port 7777 by typing:
# sshd -p 7777 -D -e -f /tmp/sshd_config
(note that I placed the sshd_config file in /tmp)
Now, you can login with the added user from another terminal:
$ ssh jstest@localhost -p 7777
From the shell you can enter any command. Note that the user is running inside a jail created by jSYS using the script given in this example, and that some options of the configuration file limit the ability of the logged-in user to execute commands.
$ ssh jstest@localhost -p 7777
jstest@localhost's password:
jstest@localhost:~$
Now that a remote shell is here, you can read some system files:
jstest@localhost:~$ cat /etc/passwd
jstest:x:1200:1200:jstest,,,,:/home/jstest:/bin/bash
jstest@localhost:~$ cat /etc/group
jstest:x:1200:
jstest@localhost:~$
As you can see, jSYS intercepted the reads and returned crafted files in order to hide the real content of those files.
Listing the users from /home won't work either:
jstest@localhost:~$ ls /home
jstest
jstest@localhost:~$
Also, the directory /tmp is now actually a redirect to /home/jstest/tmp, so that all temporary files are private and it won't be possible for another user to read the temp files of jstest (nor the other way round).
jstest@localhost:~$ ls /tmp
jstest@localhost:~$
/tmp is empty. Remember the sshd_config file placed in the /tmp folder of the host system? Indeed, the jstest user doesn't see it.
“top” won't give a list of processes owned by other users:
top - 17:25:45 up 7:44, 0 users, load average: 0.10, 0.09, 0.09
Tasks: 2 total, 0 running, 2 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5979 jstest 20 0 17708 1076 604 S 0 0.0 0:00.01 bash
6037 jstest 20 0 18940 1220 996 D 0 0.0 0:00.01 top
It's easy to understand why: many files in /proc have been hidden and blocked by jSYS:
jstest@localhost:~$ ls /proc
5974 5979 6046 loadavg meminfo self stat uptime version
jstest@localhost:~$
Only some files have been forged and left available to be read, in order to allow programs that read them from /proc (such as “top” or “ps”) to run:
jstest@localhost:~$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
jstest 5979 0.0 0.0 17708 1152 ? S 16:09 0:00 bash
jstest 6276 0.0 0.0 14820 1020 ? R+ 16:36 0:00 ps aux
jstest@localhost:~$
The readdir function is blocked in some directories. Look at the consequence of this configuration by executing:
jstest@localhost:~$ ls /bin /etc /var
ls: cannot access /var: Permission denied
ls: cannot open directory /bin: Permission denied
ls: cannot open directory /etc: Permission denied
jstest@localhost:~$
The error message for the directory /var is different, because access to this directory has been blocked entirely.
Indeed, it's not possible to list files. From the XML configuration file it's possible to block various hooks on a per-directory (and per-file) basis; you can get a list of the known hooks by running the command
$ jsys ctypes hooks
However, even if the listing of files has been blocked, it's still possible to access the files in these directories, because access to the contained files by path hasn't been blocked:
jstest@localhost:~$ /bin/cat /etc/hosts
127.0.0.1 localhost
jstest@localhost:~$
Both files (/bin/cat and /etc/hosts) are located in directories where listing has been disabled, but they can still be reached by path.
The same doesn't apply to /var, as access there is fully blocked, as said above:
jstest@localhost:~$ cat /var/www/index.html
cat: /var/www/index.html: Permission denied
jstest@localhost:~$ cat /var/www/aasasdd-i-dont-even-exist-on-the-filesystem
cat: /var/www/aasasdd-i-dont-even-exist-on-the-filesystem: Permission denied
jstest@localhost:~$
The command “tree” gives a good view of the result of this configuration of jSYS:
$ tree -L 2 .
|-- bin [error opening dir]
|-- dev [error opening dir]
|-- etc [error opening dir]
|-- home
|   `-- jstest
|-- lib [error opening dir]
|-- lib32 [error opening dir]
|-- lib64 -> /lib
|-- lost+found [error opening dir]
|-- opt [error opening dir]
|-- proc
|   |-- 5974
|   |-- 5979
|   |-- 6151
|   |-- loadavg
|   |-- meminfo
|   |-- self
|   |-- stat
|   |-- uptime
|   `-- version
|-- root [error opening dir]
|-- sbin [error opening dir]
|-- selinux [error opening dir]
|-- srv
|-- sys [error opening dir]
|-- tmp
|-- usr [error opening dir]

22 directories, 8 files
jstest@localhost:/$
The only writable directories are the user's home and /tmp. Both directories write files into the user's home, so that deleting the user's home folder automatically removes all of his files.
jSYS can be used with SSH and SCP. The usage of SCP can be blocked from the configuration file of jSYS, but there is no reason to do so: a user is only able to copy (download/upload) his files within his writable directories.
$ scp -P 7777 foo.txt jstest@localhost:/home/jstest
(and from the SSH connection)
jstest@localhost:~$ ls
foo.txt
jstest@localhost:~$
jSYS is a program working fully in user-space and doesn't require any change to the kernel. The software works out of the box; the script used in this example can be used to automate the creation of new users with a predefined set of common directory trees, as built by the script itself.
You can edit the source code of the script to personalize it, to add files and folders, or to change the predefined XML configuration file (this file is embedded in the shell script encoded in base64; you have to decode it and re-encode it in order to change it).
From the XML configuration file it's possible to limit the concurrent logins of a user to one. By editing the resource limits section of the configuration file it's possible to limit the number of concurrent processes, in order to limit the ability of the user to abuse the resources of the server. It's also possible to set the maximum size of a file and the maximum CPU time a process can consume. The XML configuration file gives you many options to tune the settings of any user account. You can find all XML configuration keys in the documentation of jSYS at the main website of izysoftware.