Bobcares

How to Set Up BubbleWrap Jail in DirectAdmin

Jul 9, 2024

Learn how to configure BubbleWrap Jail in DirectAdmin. Our DirectAdmin Support team is here to help you with your questions and concerns.

BubbleWrap is a tool that runs applications in a sandbox, restricting their access to critical parts of the operating system and user data.

By creating an isolated environment, BubbleWrap boosts security and makes sure that applications only have access to the resources they need.

BubbleWrap operates by creating a new, empty, mount namespace where the root directory resides on a `tmpfs`.

This temporary file system is invisible from the host and is automatically cleaned up when the last process exits. Users can specify which parts of the filesystem are accessible within the sandbox. This offers better control over application permissions.

How to Install BubbleWrap Jail on CentOS 7 and Up

  1. First, go to the custombuild directory:

    cd /usr/local/directadmin/custombuild

  2. Then, update custombuild and install BubbleWrap:

    ./build update
    ./build bubblewrap
    ./build jailshell

    This will install `jailshell` at `/usr/bin/jailshell`.

How to Enable BubbleWrap Jail in DirectAdmin

DirectAdmin uses BubbleWrap with a new configuration value “jail” (set to 0 by default). We can enable this feature as seen here:

  1. First, enable jail globally:

    /usr/local/directadmin/directadmin set jail 1 restart
    service directadmin restart

    This command enables the package/reseller/user.conf options for “jail=ON/OFF”. SSH does not need to be enabled to enable jail for a user. Changes related to SSH and cron will automatically save `/usr/bin/jailshell` in that user’s configuration files.

  2. Alternatively, we can enable jail for all users:

    /usr/local/directadmin/directadmin set jail 2 restart
    service directadmin restart

    By setting the value to 2, we can force jail to be enabled for all users, regardless of individual package/reseller/user.conf settings.

How to Fix PHP Mail Issues with BubbleWrap Jail

If we run into issues with PHP mail after enabling BubbleWrap jail, our experts recommend these steps:

  1. First, go to the custombuild directory:

    cd /usr/local/directadmin/custombuild

  2. Then, update custombuild and rebuild necessary components:

    ./build update
    ./build bubblewrap
    ./build jailshell
    ./build set eximconf yes
    ./build exim_conf
    ./build jailshell
    echo "action=rewrite&value=jail" > /usr/local/directadmin/data/task.queue
    /usr/local/directadmin/dataskq d
    ./build exim
    ./build rewrite_confs

  3. After that, we can opt to rebuild PHP and other components:

    ./build php
    ./build all

Verify User Restrictions

In order to verify that user restrictions are properly configured, we need to check the `/etc/passwd` file (replace `username` with the account name):

    grep '^username:' /etc/passwd
    grep jailshell /etc/passwd

Alternatively, we can use this command:

    grep -e '^username:' -e 'jailshell' /etc/passwd

This confirms which accounts have `jailshell` set as their shell, and so that the DirectAdmin user permission limitations are in place.
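
As an added example (not from the original article or from DirectAdmin), this script performs the same check with an exact match on the username and login-shell fields, so an account whose name merely contains "jailshell" is not mistaken for a jailed one. The sample passwd lines and account names are constructed; only the `/usr/bin/jailshell` path comes from this page.

```shell
#!/bin/sh
# Added example (not DirectAdmin code): report whether accounts use jailshell.
JAILSHELL=/usr/bin/jailshell   # install path given in this article

# Constructed sample data in /etc/passwd format; account names are hypothetical.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/bash
jailshelluser:x:1003:1003::/home/jailshelluser:/bin/bash
EOF
}

# audit_jail PASSWD_FILE USER...
# Prints "user state shell" per user; returns 1 if any user is not jailed.
audit_jail() {
    passwd_file=$1; shift
    rc=0
    for user in "$@"; do
        # Exact match on field 1; field 7 is the login shell. The "=" prefix
        # distinguishes "no such user" from "user with an empty shell field".
        shell=$(awk -F: -v u="$user" '$1 == u { print "=" $7; exit }' "$passwd_file")
        case $shell in
            "")            state=missing;  rc=1 ;;
            "=$JAILSHELL") state=jailed ;;
            *)             state=unjailed; rc=1 ;;
        esac
        shell=${shell#=}
        printf '%s %s %s\n' "$user" "$state" "${shell:--}"
    done
    return "$rc"
}

# Demo on the constructed sample; on a server pass /etc/passwd instead.
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_jail "$tmp" alice bob jailshelluser carol || echo "not all accounts are jailed"
rm -f "$tmp"
```

The non-zero return value makes the function usable in a cron job or monitoring check that alerts when a listed account is not jailed.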

Conclusion

With the above steps, we can easily use BubbleWrap to boost the security of our applications on CentOS 7.

In brief, our Support Experts demonstrated how to configure BubbleWrap Jail in DirectAdmin.
