Jailkit MySQL 127.0.0.1

Discussion in 'Installation/Configuration' started by variable99, Oct 6, 2023.

  1. variable99

    variable99 Member HowtoForge Supporter

    Stock jailkit config from ISPConfig 3. When logging in as a jailed user and executing "mysql", I receive an error:
    I already set the MySQL server to bind on 127.0.0.1.
    Strange observation: when I use this command: mysql -h 127.0.0.1 -u ... it connects. Is there any way to make the default connection use 127.0.0.1?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This is normal and to be expected when using jails on Linux when a program tries to access a file or socket outside of its jail. Using mysql without the -h 127.0.0.1 option instructs the mysql client to connect to the mysql socket file /run/mysqld/mysqld.sock, but when you are inside a jail, you cannot reach that file. Making a hard link to the socket file does not work either, as it changes on every MySQL restart, so the hard link would only work until the next MySQL restart. Therefore, you must connect to MySQL over the (internal) network of the host, which means you must use 127.0.0.1. Also, using localhost with the -h parameter cannot work, as mysql translates localhost to the socket file and not 127.0.0.1.

    You might be able to set the default in the client section of the mysql config file, but you will have to do that in a config file inside the jail.

    https://dev.mysql.com/doc/refman/8.0/en/connecting.html

    See the end of that page.
     
    Th0m likes this.
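
The client-section default suggested in the reply above, written out as an added example (not part of the original thread and not ISPConfig's own code). It assumes the jailed user's home directory is passed as the argument and that the function is run as the web user who owns that directory; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: give the mysql client inside a jail a TCP default, because the
# server socket file lives outside the jail and cannot be reached from there.
# Assumption: $1 is the jailed user's home directory, and this runs as that user.

set_jail_mysql_tcp_default() {
    jail_home=$1
    cnf="$jail_home/.my.cnf"

    [ -d "$jail_home" ] || { echo "no such directory: $jail_home" >&2; return 1; }

    # Do not write through a symlink; the target could be outside the jail home.
    if [ -L "$cnf" ]; then
        echo "refusing to follow symlink: $cnf" >&2
        return 1
    fi

    # An existing [client] section may already hold credentials or a host entry.
    # Leave it alone instead of appending a second, conflicting section.
    if [ -f "$cnf" ] && grep -q '^\[client\]' "$cnf"; then
        echo "$cnf already has a [client] section; edit it by hand" >&2
        return 2
    fi

    # Create the file owner-only; the subshell keeps the umask change local.
    (
        umask 077
        cat >> "$cnf" <<'EOF'
[client]
# Force TCP to the loopback address instead of the unreachable socket file.
protocol=TCP
host=127.0.0.1
EOF
    )
    # Tighten a pre-existing file too; it often ends up holding a password.
    chmod 600 "$cnf"
}

# Typical call from a shell inside the jail:
#   set_jail_mysql_tcp_default "$HOME"
```

Afterwards `mysql --print-defaults` inside the jail shows whether the client picked up the two options.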
  3. variable99

    variable99 Member HowtoForge Supporter

    Got it, now it is clear. One more question: is it possible to chroot a user to his home dir? Because now, .ssh/authorized_keys is copied with all its content, which has other users' keys. I would like to restrain the user from going outside his web dir. This also applies to SFTP - a user can wander outside his web directory and inspect other users.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    A user is a website, the user's home dir is e.g. /var/www/clients/clientX/webY, so the user is already jailed to its home dir. He cannot leave that, so he cannot go to other users' websites. SSH accounts of a website are aliases for this web user to allow management of this website by multiple users. For that reason, they share the same UID and jail; they are not individual users, they are just name aliases of the web user. If they were not aliases, then these users could not be used to access the website, as they would have a different user ID.
     
  5. variable99

    variable99 Member HowtoForge Supporter

    So it is by design. Hm. Not very safe I guess...
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    It is very safe, as it securely encapsulates each website without allowing users to see other sites or users from other sites, and this allows a customer to have multiple users for their site. This means they do not have to share the password of a single user when working with multiple employees on the same site, which is a big security bonus. If you would jail each website alias and not the website, none of the SSH users would be able to upload data or manage the website, as they would not be able to access it from their jail, plus they would have a wrong user ID. ISPConfig is a hosting control panel, which means a system to provide website hosting services, and the setup used by ISPConfig allows you to do this by being website-centric. What you are probably searching for is a home login server to provide shell accounts to users not belonging to a website or a customer, but that's not what a hosting panel is intended for, and that's why ISPConfig does not provide such services when they do not belong to any website.
     
    Benedict likes this.
