My KeyHelp Q/A

General discussions around KeyHelp.
Radi
Posts: 4
Joined: Tue 19. Mar 2024, 13:12

My KeyHelp Q/A

Post by Radi »

Hi guys,

Any idea how to accomplish any user isolation with KeyHelp (e.g. like CloudLinux's CageFS)? For SFTP/SSH access, I suppose I can buy the pro version but what's the best way to do it for PHP/CGI scripts or anything the user wants to run?

Or in layman's terms how to prevent a hacked WordPress website from messing with the whole server?

Question 2: For some reason, on my test machine I added a user and everything went fine. A few minutes later, I refresh the "User Administration" page and the "S" next to the "Username" in the user's row shows a red warning sign, which when hovered over with the mouse: "An error has occured". The KeyHelp event log only says "Error occurred while adding system user <myusername>". How do I get more info to find out what happened?
24unix
Posts: 1643
Joined: Sun 21. Jun 2020, 17:16
Location: Kollmar

Re: My KeyHelp Q/A

Post by 24unix »

Radi wrote: Tue 19. Mar 2024, 13:25 Question 2: For some reason, on my test machine I added a user and everything went fine. A few minutes later, I refresh the "User Administration" page and the "S" next to the "Username" in the user's row shows a red warning sign, which when hovered over with the mouse: "An error has occured". The KeyHelp event log only says "Error occurred while adding system user <myusername>". How do I get more info to find out what happened?
What username did you use?
The user is created as a real system user, so the username must be valid for a Linux user account.
What does

Code:

grep '<myusername>' /etc/passwd
show?
Regards, Micha
--
If Bill Gates had a nickel for every time Windows crashed …
… oh wait, he does.
Radi
Posts: 4
Joined: Tue 19. Mar 2024, 13:12

Re: My KeyHelp Q/A

Post by Radi »

One-word username, e.g. 'username'
technotravel
KeyHelp Translator
Posts: 266
Joined: Mon 19. Oct 2020, 11:11

Re: My KeyHelp Q/A

Post by technotravel »

Radi wrote: Tue 19. Mar 2024, 13:25 "An error has occured". The KeyHelp event log only says "Error occurred while adding system user <myusername>".
I was once confronted with this error message after a fresh install, where the quota had not been installed correctly.

Did your installation go through without any errors?
Dear French speakers, I am translating KeyHelp into French. If there are any errors or suggestions for improvement, do not hesitate to contact me!
(I translate KeyHelp into French)
Radi
Posts: 4
Joined: Tue 19. Mar 2024, 13:12

Re: My KeyHelp Q/A

Post by Radi »

Ah yes, quota failed to install. I forgot to mention it.

All the rest was fine. Do I need to run any modprobe before reinstall? Btw, this is on Debian 12.
technotravel
KeyHelp Translator
Posts: 266
Joined: Mon 19. Oct 2020, 11:11

Re: My KeyHelp Q/A

Post by technotravel »

KeyHelp won't ever work without the quota functioning.

You can find a few threads on this topic here in the forum.
Jolinar
Community Moderator
Posts: 3612
Joined: Sat 30. Jan 2016, 07:11
Location: Weimar (Thüringen)

Re: My KeyHelp Q/A

Post by Jolinar »

Radi wrote: Tue 19. Mar 2024, 15:14 Btw, this is on Debian 12.
There is a quota problem with OpenVZ/Virtuozzo.
Which virtualization solution is used (e.g. OpenVZ, Virtuozzo, KVM, XEN, etc.)?


technotravel wrote: Tue 19. Mar 2024, 15:44 You can find a few threads on this topic here in the forum.
That is completely correct. :mrgreen:
If someone is incompetent, then they cannot know that they are incompetent. (David Dunning)
Radi
Posts: 4
Joined: Tue 19. Mar 2024, 13:12

Re: My KeyHelp Q/A

Post by Radi »

Jolinar wrote: Tue 19. Mar 2024, 18:35
Radi wrote: Tue 19. Mar 2024, 15:14 Btw, this is on Debian 12.
There is a quota problem with OpenVZ/Virtuozzo.
Which virtualization solution is used (e.g. OpenVZ, Virtuozzo, KVM, XEN, etc.)?
KVM VPS for testing. The real server will be bare metal dedicated.
Alexander
Keyweb AG
Posts: 3842
Joined: Wed 20. Jan 2016, 02:23

Re: My KeyHelp Q/A

Post by Alexander »

Radi wrote: Tue 19. Mar 2024, 13:25 Any idea how to accomplish any user isolation with KeyHelp (e.g. like CloudLinux's CageFS)? For SFTP/SSH access, I suppose I can buy the pro version but what's the best way to do it for PHP/CGI scripts or anything the user wants to run?
Generally, all KeyHelp users are system users, so on your server the regular Linux file system permissions are in place.
A user can only access their own files and folders, which system permissions will allow them to.

Example:

Code:

-rw-r----- 1 root root  4017 Mar 20  2024 this_is_a_secret
-rw-r--r-- 1 root root  4017 Mar 20  2024 this_is_not_a_secret
Users will not be able to look into other users' folders. Here is a typical home directory of a user. Another user won't be able to look into these files and folders.

Code:

-rw-------  1 alex alex      385 Mär  1 13:08 .bash_history
drwx------  2 alex alex     4096 Okt 24 14:36 .cache
drwx------  2 alex alex     4096 Mär 22  2023 .config
drwxr-x---  3 alex www-data 4096 Dez 13 09:53 files
drwx------  2 alex alex     4096 Mär 22  2023 .local
dr-xr-x--- 67 alex www-data 4096 Mär  8 15:25 logs
drwx------  2 alex alex     4096 Jun  7  2023 .ssh
drwxr-x---  3 alex www-data 4096 Feb 28 12:22 tmp
drwxr-x--- 12 alex www-data 4096 Mär  8 15:25 www
For SFTP: Users may traverse up the directory tree and may see files/folders. However, by default all relevant files are protected with restrictive permissions (see above).
If you do not want the users to see anything else than their home directory, you will need KeyHelp Pro, as this will enable you to let KeyHelp create a "restricted SSH environment" for the users you want.

For PHP: PHP uses open_basedir. With this and the default settings in KeyHelp, PHP scripts are locked into their home directory.
However, this will not affect Cronjobs.

Radi wrote: Tue 19. Mar 2024, 13:25 Or in layman's terms how to prevent a hacked WordPress website from messing with the whole server?
This should not be possible, because of the open_basedir settings. A hacked WordPress will only affect the client owning this WordPress.
(For the sake of completeness - it will affect the server if the hacked WordPress page sends spam across the internet, as this will affect the reputation of the server.)

Radi wrote: Tue 19. Mar 2024, 13:25 Question 2: For some reason, on my test machine I added a user and everything went fine. A few minutes later, I refresh the "User Administration" page and the "S" next to the "Username" in the user's row shows a red warning sign, which when hovered over with the mouse: "An error has occured". The KeyHelp event log only says "Error occurred while adding system user <myusername>". How do I get more info to find out what happened?
You may want to have a look at "System status" -> "Logs" -> "Process tasks | update.log". Here you can look for the user name and can look up some more error details.

But as others have pointed out, if you want a fully working system, make sure there are no errors during KeyHelp installation.
Best regards
Alexander Mahr

**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
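
The permission model described in the post above can be checked on a live server. The following is an added example, not part of the thread and not KeyHelp code: it inspects the direct children of a home directory and reports entries reachable by anyone other than the owner or the web server group. The group name `www-data` is taken from the listing above; the function names and the command-line path are hypothetical.

```python
import grp
import os
import pwd
import stat
import sys

WEB_GROUP = "www-data"  # assumption: web server group, as in the listing above


def findings(mode, owner, group, web_group=WEB_GROUP):
    """Reasons why an entry is reachable by accounts other than its owner."""
    perms = stat.filemode(mode)  # e.g. 'drwxr-x---'
    out = []
    if mode & stat.S_IRWXO:
        out.append(f"any local user has access (other={perms[7:10]})")
    if mode & stat.S_IRWXG and group not in (owner, web_group):
        out.append(f"group '{group}' has access (group={perms[4:7]})")
    return out


def _name(lookup, ident, field):
    """Resolve a uid/gid to a name; fall back to the number if unmapped."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def audit_home(home):
    """lstat each direct child of a home directory and collect findings."""
    report = {}
    for entry in os.scandir(home):
        st = entry.stat(follow_symlinks=False)
        owner = _name(pwd.getpwuid, st.st_uid, "pw_name")
        group = _name(grp.getgrgid, st.st_gid, "gr_name")
        issues = findings(st.st_mode, owner, group)
        if issues:
            report[entry.name] = issues
    return report


if __name__ == "__main__":
    # Usage: python3 audit_home.py <home-directory>  (placeholder path)
    for name, issues in sorted(audit_home(sys.argv[1]).items()):
        print(f"{name}: {'; '.join(issues)}")
```

An empty report for a home directory matches the layout shown in the listing; it says nothing about what cron jobs can reach, since open_basedir does not apply to them.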