HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


tspau 18th July 2011 15:51

problem creating jailed shell users
 
Hello,

I have ISPConfig 3 installed, following the guide at:

http://www.howtoforge.com/perfect-se...nny-ispconfig3

I have set up in a client:

Max. number of Shell users: 5
SSH-Chroot Options: Jailkit

and then I've created a shell user for this client, setting:

Chroot Shell: Jailkit

but I can't access the shell with that user, and in my /etc/passwd I've got:

testshell:x:5030:5029::/var/www/clients/client32/web62/./home/testshell:/bin/false

Why is the shell configured to /bin/false? Did I do something wrong?

till 18th July 2011 17:49

It may take a few minutes until the shell user gets created and activated. Please check the jobqueue in the monitor if there are any pending jobs and the syslog in the monitor for errors.

tspau 19th July 2011 10:52

Quote:

Originally Posted by till (Post 259972)
It may take a few minutes until the shell user gets created and activated. Please check the jobqueue in the monitor if there are any pending jobs and the syslog in the monitor for errors.

Hello.

I've noticed it takes a while to create the users, but now there's nothing in the job queue, and the user is added to /etc/passwd.

The funny thing is that it is added with a /bin/false shell:

satsh:x:5037:5035::/var/www/clients/client49/web84/./home/satsh:/bin/false

If I create another user without being jailed (chroot shell: none), it's created with a /bin/bash shell:

satrt:x:5037:5035::/var/www/clients/client49/web84:/bin/bash

and I can log in with this user, with access to the whole file system.

tspau 19th July 2011 16:01

I have installed ISPConfig on another server, and jailkit works fine.

I think the only differences between the testing server and my production site are these:

- in the production server, where jailkit didn't work, /home is a soft link to /usr/home:

lrwxrwxrwx 1 root root 10 abr 16 2010 home -> /usr/home/

- in the production server, quota is not enabled (it doesn't have the /quota.user and /quota.group files).

Maybe one of these differences could be the reason jailkit fails?

till 19th July 2011 16:35

You can try to debug the creation of jailed users on your server:

1) Disable the server.sh cronjob in the root crontab.
2) Create a new jailed ssh user in ispconfig.
3) Enable loglevel debug in ISPConfig under System > server config
4) Run this script as root in the shell:

/usr/local/ispconfig/server/server.sh

tspau 19th July 2011 17:13

I keep working on it:

In my production server, when I create a jailed shell user, no jailed /bin folder is created, only an /etc folder with an empty passwd.

I've copied the /bin and /etc from a jailed user on my testing server, editing etc/group and etc/passwd with the data of the local user.

I've also changed the shell of the jailed user from /bin/false to /usr/sbin/jk_chrootsh

When I tried to log in, I got this in auth.log:

Jul 19 15:18:11 mysite su[11866]: Successful su for satsh by root
Jul 19 15:18:11 mysite su[11866]: + pts/0 root:satsh
Jul 19 15:18:11 mysite su[11866]: pam_unix(su:session): session opened for user satsh by sshuser(uid=0)
Jul 19 15:18:11 mysite jk_chrootsh[11867]: abort, the current dir is /usr/var/www/clients/client49/web84 after chdir(/var/www/clients/client49/web84), but it should be /var/www/clients/client49/web84
Jul 19 15:18:11 mysite su[11866]: pam_unix(su:session): session closed for user satsh

OK, my /var is a soft link to /usr/var, so in the ISPConfig panel I've changed, at system -> server config -> web, all references from /var/... to /usr/var/...

I tried to create a new user, site and shell user, but the jailed /bin and /etc are still not created, and in /etc/passwd the shell is still /bin/false

:-(

I tried again to copy the bin and etc from a jail on my test server (editing /etc/group and /etc/passwd), and if I try to log in now, auth.log shows:


Jul 19 16:09:03 mysite su[18609]: Successful su for tssatshell by root
Jul 19 16:09:03 mysite su[18609]: + pts/1 root:tssatshell
Jul 19 16:09:03 mysite su[18609]: pam_unix(su:session): session opened for user tssatshell by sshuser(uid=0)
Jul 19 16:09:03 mysite jk_chrootsh[18610]: now entering jail /usr/var/www/clients/client50/web85 for user tssatshell (5037)
Jul 19 16:09:03 mysite jk_chrootsh[18610]: ERROR: failed to execute shell /bin/bash for user tssatshell (5037), check the permissions and libraries of /usr/var/www/clients/client50/web85//bin/bash
Jul 19 16:09:03 mysite su[18609]: pam_unix(su:session): session closed for user tssatshell

Any help?

till 19th July 2011 17:22

Please do what I suggested to you in #5 if you want to debug the problem.

I guess the problem is that /var/www is a symlink to /usr/var/www (and not only /home as you mentioned above), which is a security breach for jailkit, so jailkit disables the user.

I recommend that you reinstall the server if you want to use jailkit, so that /var/www and /home/www are not symlinks; they have to be real directories or partitions. As an alternative, you can try to mount /var/www instead of using a symlink.
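
Added example (not part of the posts above, and not ISPConfig or Jailkit code): a shell pre-flight check for the symlink condition discussed here. It splits the jail root off the /etc/passwd home field at the "/./" marker, lists every path component that is a symlink, and repeats the comparison shown in the jk_chrootsh abort message. The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example; function names are illustrative, not Jailkit/ISPConfig code.

# Jail root = passwd home field up to the "/./" marker.
jail_root_from_home() {
    printf '%s\n' "${1%%/./*}"
}

# Print each component of absolute path $1 that is a symlink.
# Returns 0 if at least one was found, 1 if the path has none.
symlink_components() {
    old_ifs=$IFS; IFS=/; set -f
    set -- $1                      # split the path on "/"
    IFS=$old_ifs; set +f
    cur="" found=1
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ -L "$cur" ]; then
            printf '%s -> %s\n' "$cur" "$(readlink "$cur")"
            found=0
        fi
    done
    return $found
}

# Same comparison as the jk_chrootsh abort message: the physical directory
# after chdir must equal the configured path. Returns 2 if chdir fails.
jail_path_is_physical() {
    real=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    [ "$real" = "${1%/}" ]
}

# Usage: sh script.sh '<home field from /etc/passwd>'
if [ "$#" -gt 0 ]; then
    root=$(jail_root_from_home "$1")
    if symlink_components "$root"; then
        echo "symlinked component(s) in jail path: $root"
    fi
    if jail_path_is_physical "$root"; then
        echo "OK: $root is a physical path"
    else
        echo "FAIL: $root does not resolve to itself"
    fi
fi
```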

tspau 19th July 2011 17:29

Quote:

Originally Posted by till (Post 260049)
You can try to debug the creation of jailed users on your server:

1) Disable the server.sh cronjob in the root crontab.
2) Create a new jailed ssh user in ispconfig.
3) Enable loglevel debug in ISPConfig under System > server config
4) Run this script as root in the shell:

/usr/local/ispconfig/server/server.sh

Hello,

I don't understand where I have to disable the cronjob server.sh; it is not in my cron.d :confused:

Running that script (without disabling the cronjob) only shows:

19.07.2011-16:24 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
19.07.2011-16:24 - DEBUG - No Updated records found, starting only the core.
19.07.2011-16:24 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.

till 19th July 2011 17:40

Quote:

I don't understand where I have to disable the cronjob server.sh; it is not in my cron.d
The root crontab can be edited with the command:

crontab -e

tspau 25th July 2011 17:17

Quote:

Originally Posted by tspau (Post 260055)
Hello,

I don't understand where I have to disable the cronjob server.sh; it is not in my cron.d :confused:

Running that script (without disabling the cronjob) only shows:

19.07.2011-16:24 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
19.07.2011-16:24 - DEBUG - No Updated records found, starting only the core.
19.07.2011-16:24 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.

Hello.

This is the output:
# /usr/local/ispconfig/server/server.sh
25.07.2011-16:09 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
25.07.2011-16:09 - DEBUG - Found 1 changes, starting update process.
25.07.2011-16:09 - DEBUG - Call function 'insert' in plugin 'shelluser_base_plugin' raised by event 'shell_user_insert'.
25.07.2011-16:09 - DEBUG - Executed command: useradd -d /usr/var/www/clients/client50/web85 -g client50 -o -p \$1\$98v/TGom\$qbB.4U/S2CwJwjFe4hKYn0 -s /bin/bash -u 5037 tssatxell
25.07.2011-16:09 - DEBUG - Added shelluser: tssatxell
25.07.2011-16:09 - DEBUG - Disabling shelluser temporarily: usermod -s /bin/false -L tssatxell
25.07.2011-16:09 - DEBUG - Call function 'insert' in plugin 'shelluser_jailkit_plugin' raised by event 'shell_user_insert'.
25.07.2011-16:09 - DEBUG - exec: chmod 755 /usr/var/www/clients/client50/web85
25.07.2011-16:09 - DEBUG - exec: chown root:root /usr/var/www/clients/client50/web85
usermod: sin cambios
25.07.2011-16:09 - DEBUG - Added jailkit user to chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_user.sh tssatxell /usr/var/www/clients/client50/web85 /home/tssatxell /bin/bash web85 /home/web85
25.07.2011-16:09 - DEBUG - Added created jailkit user home in : /usr/var/www/clients/client50/web85/home/tssatxell
25.07.2011-16:09 - DEBUG - Added created jailkit parent user home in : /usr/var/www/clients/client50/web85/home/web85
25.07.2011-16:09 - DEBUG - exec: chmod 755 /usr/var/www/clients/client50/web85
25.07.2011-16:09 - DEBUG - exec: chown root:root /usr/var/www/clients/client50/web85
25.07.2011-16:09 - DEBUG - Jailkit Plugin -> insert username:tssatxell
25.07.2011-16:09 - DEBUG - Processed datalog_id 2054
25.07.2011-16:09 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.


and now in /etc/passwd:

tssatxell:x:5037:5036::/usr/var/www/clients/client50/web85/./home/tssatxell:/usr/sbin/jk_chrootsh

but if I run su tssatxell it doesn't log in, and in /var/log/auth.log:

Jul 25 16:12:27 myserver su[4295]: Successful su for tssatxell by root
Jul 25 16:12:27 myserver su[4295]: + pts/0 root:tssatxell
Jul 25 16:12:27 myserver su[4295]: pam_unix(su:session): session opened for user tssatxell by sshuser(uid=0)
Jul 25 16:12:27 myserver jk_chrootsh[4296]: now entering jail /usr/var/www/clients/client50/web85 for user tssatxell (5037)
Jul 25 16:12:27 myserver jk_chrootsh[4296]: ERROR: failed to execute shell /bin/bash for user tssatxell (5037), check the permissions and libraries of /usr/var/www/clients/client50/web85//bin/bash
Jul 25 16:12:27 myserver su[4295]: pam_unix(su:session): session closed for user tssatxell
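
Added example (not part of the thread, and not ISPConfig or Jailkit code): the last jk_chrootsh error says to check the permissions and libraries of the jail's /bin/bash, and this sketch does the library half of that check by comparing what the host's copy of the shell links against with what exists inside the jail. The function names are illustrative assumptions, and it assumes the shell in the jail is a copy of the host's binary.

```shell
#!/bin/sh
# Added example; function names are illustrative, not Jailkit/ISPConfig code.

# Extract the absolute library paths from `ldd` output read on stdin.
# Lines without a path (e.g. linux-vdso) are skipped.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Read absolute paths on stdin and print those that do not exist inside
# jail $1. Returns 0 when nothing is missing, 1 otherwise.
missing_in_jail() {
    _jail=${1%/}
    _rc=0
    while IFS= read -r _p; do
        if [ ! -e "$_jail$_p" ]; then
            printf 'missing in jail: %s\n' "$_p"
            _rc=1
        fi
    done
    return $_rc
}

# Check the shell binary inside the jail, then every library that the
# host's copy of the same shell is linked against.
check_jail_shell() {
    _root=${1%/}
    _shell=${2:-/bin/bash}
    if [ ! -x "$_root$_shell" ]; then
        printf 'not executable in jail: %s\n' "$_shell"
        return 1
    fi
    ldd "$_shell" | ldd_paths | missing_in_jail "$_root"
}

# Usage: sh script.sh <jail root> [shell path]
if [ "$#" -gt 0 ]; then
    check_jail_shell "$@"
fi
```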


All times are GMT +2.