
Question Allow Git command line access under chrooted bash?

Daniel Hendricks

I'd like to allow some users git command-line use from a chrooted bash session so that they can link to and manage their Plesk git repo (or remote to any repo, if desired). I have two questions:
  1. How do I do this (correctly)? I saw this article re: adding SSH, and I assume that I would do similarly.
  2. Are there security implications that I'm not thinking of from allowing git binary access in chrooted bash?
Thank you,
Daniel

Plesk 17.5.3 Update #27
Ubuntu 16.04.3
 
I have done this using several howto's and some of my own creativity.
One of the howto's was this

GIT-client in Plesk 11.5 - LinQhost
How to add new programs to a chrooted shell environment template?

You can't do this verbatim on an Ubuntu server.
I have written down most of the commands in a Word document, but there is some trial and error stuff in it.
In the end I managed to have a decent prompt with even "vi" working properly, git and several other things that are crucial...

If I find time I will try and write down a better howto that also works for Ubuntu.

The problem is that I don't get feedback from the very few users that are using it.
I don't get complaints either.
One user, a webmaster, didn't really want to go on our platform as he preferred to have a VPS with root access.
The website owner forced him to use our Plesk environment.
For him I did my best to create a chrooted shell where he could use git.
He didn't understand why I didn't just give him normal access as a user (which would be easier for me).

A chrooted shell doesn't stop people with bad intentions and enough skill, so be careful to whom you give access.
It's still better (from a security perspective) to give users chrooted shells than to give them access to the normal environment as a user.
Just don't overestimate it.

BTW...
Did you install the Git extension for Plesk?
Are your users missing stuff on that for which they need shell access?
If so, maybe some feedback can improve the quality of that extension.

As a system administrator I don't know enough to anticipate their needs.
 
Hi,

As you can read here:
How to add new programs to a chrooted shell environment template?

# wget https://plesk.zendesk.com/hc/article_attachments/115005093613/update_chroot.tar.gz
# tar -xvzf update_chroot.tar.gz
# ./update_chroot.sh --add git
# ./update_chroot.sh --apply customerdomain.com
or
# ./update_chroot.sh --apply all

Works like a charm.

Greets...

Yes, works like a charm...
But that's merely a beginning for a lot of tweaking and adding stuff.
There are some more tutorials to be found, but none of them will bring you to what I have so far.
Alas, this is not something I do often, so I have not documented it enough and can't deliver a tutorial.

Even then, an Ubuntu install will be very different from a CentOS install.

I will do this some day in the future...
 
Hi, I've been struggling with the same myself, so I took the time to write a small tutorial on how to add Git to the Plesk chroot environment on Debian Jessie, and it worked for me on Ubuntu too. I don't think it will work for CentOS without adjusting the core git paths, though. Since this is the second result on Google, I'm posting here what I did as well.

The gist is to execute these commands

mkdir -p /var/www/vhosts/chroot/usr/share/git-core/templates
cp -raL /usr/share/git-core/templates/ /var/www/vhosts/chroot/usr/share/git-core/
~/update_chroot.sh --add /usr/bin/tr
~/update_chroot.sh --add /usr/bin/git
~/update_chroot.sh --add /usr/bin/dirname /usr/bin/wc /usr/bin/perl /usr/bin/tput /usr/bin/basename
~/update_chroot.sh --add /usr/bin/git*
~/update_chroot.sh --add /usr/lib/git-core/*
cp -raL /usr/lib/git-core/* /var/www/vhosts/chroot/usr/lib/git-core/

~/update_chroot.sh --apply <example.com>

You can read the full tutorial here
 
Confirmed the above on CentOS using the following adjusted paths:
Code:
mkdir -p /var/www/vhosts/chroot/usr/share/git-core/templates
cp -raL /usr/share/git-core/templates/ /var/www/vhosts/chroot/usr/share/git-core/
~/update_chroot.sh --add /bin/tr
~/update_chroot.sh --add /bin/git
~/update_chroot.sh --add /bin/dirname /bin/wc /bin/perl /bin/tput /bin/basename
~/update_chroot.sh --add /bin/git*
~/update_chroot.sh --add /usr/libexec/git-core/*
cp -raL /usr/libexec/git-core/* /var/www/vhosts/chroot/usr/libexec/git-core/
 
I've followed this and it's not working for me. What am I missing?

I'm getting the following error once commands are done:


git clone XX
Cloning into 'Project-Sample'...
fatal: unable to access 'xx: security library failure.

Which library exactly is missing? How do I figure that out?
 
I get the following error:
Bash:
bash-4.4$ git clone https://github.com/github/testrepo
Cloning into 'testrepo'...
fatal: unable to access 'https://github.com/github/testrepo': error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

Anyone encountered and overcome this?

I ran:
Bash:
mkdir -p /var/www/vhosts/chroot/usr/share/git-core/
cp -raL /usr/share/git-core/* /var/www/vhosts/chroot/usr/share/git-core/
./update-chroot.sh --add /bin/tr
./update-chroot.sh --add /bin/git
./update-chroot.sh --add /bin/dirname /bin/wc /bin/perl /bin/tput /bin/basename
./update-chroot.sh --add /bin/git*
./update-chroot.sh --add /usr/libexec/git-core/*
mkdir -p /var/www/vhosts/chroot/usr/libexec/git-core/
cp -raL /usr/libexec/git-core/* /var/www/vhosts/chroot/usr/libexec/git-core/
./update-chroot.sh --apply all
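
One way to approach the "which file is missing?" questions above, as an added example (not code from any poster in this thread or from Plesk): list the shared libraries a host binary links against plus the usual CA bundle paths, and print the ones absent under the chroot template. The function names are hypothetical, and the script assumes `ldd` and `awk` are available on the host.

```shell
#!/bin/sh
# Added example: report host files that a binary needs but the chroot lacks.
CHROOT="${CHROOT:-/var/www/vhosts/chroot}"   # chroot template path used in this thread

# Read `ldd` output on stdin; print the first absolute path on each line.
# Lines without a path (linux-vdso, "not found") are skipped.
parse_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Print the shared libraries a host binary is linked against.
needed_libs() {
    ldd "$1" 2>/dev/null | parse_ldd
}

# Read absolute host paths on stdin; print those missing under chroot $1.
missing_in_chroot() {
    root=$1
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        [ -e "$root$path" ] || printf '%s\n' "$path"
    done
}

# CA bundle locations: CentOS/RHEL default, then Debian/Ubuntu default.
ca_candidates() {
    printf '%s\n' /etc/pki/tls/certs/ca-bundle.crt \
                  /etc/ssl/certs/ca-certificates.crt
}

# audit_chroot CHROOT BINARY...: print every missing binary, library, CA bundle.
audit_chroot() {
    root=$1; shift
    for bin in "$@"; do
        { printf '%s\n' "$bin"; needed_libs "$bin"; } | missing_in_chroot "$root"
    done | sort -u
    # Only CA bundles that exist on the host can be copied into the chroot.
    ca_candidates | while IFS= read -r ca; do
        if [ -e "$ca" ]; then printf '%s\n' "$ca"; fi
    done | missing_in_chroot "$root"
}

# Example: sh audit.sh /usr/bin/git /usr/libexec/git-core/git-remote-https
if [ "$#" -gt 0 ]; then
    audit_chroot "$CHROOT" "$@"
fi
```

`ldd` only reports link-time dependencies, so libraries a program loads at run time with `dlopen` will not appear in this output.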
 