#1
18th July 2011, 14:51
tspau
problem creating jailed shell users

Hello,

I have ISPConfig 3 installed following the guide at:

http://www.howtoforge.com/perfect-se...nny-ispconfig3

For a client I have set:

Max. number of Shell users: 5
SSH-Chroot Options: Jailkit

and then I created a shell user for this client, setting:

Chroot Shell: Jailkit

but I can't access the shell with that user, and in my /etc/passwd I've got:

testshell:x:5030:5029::/var/www/clients/client32/web62/./home/testshell:/bin/false

Why is the shell configured to /bin/false? Did I do something wrong?

#2
18th July 2011, 16:49
till

It may take a few minutes until the shell user gets created and activated. Please check the jobqueue in the monitor if there are any pending jobs and the syslog in the monitor for errors.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3
19th July 2011, 09:52
tspau

Quote:
Originally Posted by till
It may take a few minutes until the shell user gets created and activated. Please check the jobqueue in the monitor if there are any pending jobs and the syslog in the monitor for errors.

Hello.

I've noticed it takes a while to create the users, but now there's nothing in the job queue, and the user has been added to /etc/passwd.

The funny thing is that it is added with a /bin/false shell:

satsh:x:5037:5035::/var/www/clients/client49/web84/./home/satsh:/bin/false

If I create another user without it being jailed (chroot shell: none), it's created with a /bin/bash shell:

satrt:x:5037:5035::/var/www/clients/client49/web84:/bin/bash

and I can log in with this user, with access to the whole file system.

#4
19th July 2011, 15:01
tspau

I have installed ISPConfig on another server, and Jailkit works fine.

I think the only differences between the testing server and my production site are these:

- On the production server, where Jailkit didn't work, /home is a soft link to /usr/home:

lrwxrwxrwx 1 root root 10 abr 16 2010 home -> /usr/home/

- On the production server, quota is not enabled (it doesn't have the /quota.user and /quota.group files).

Maybe one of these differences could be the reason Jailkit fails?

#5
19th July 2011, 15:35
till

You can try to debug the creation of jailed users on your server:

1) Disable the server.sh cronjob in the root crontab.
2) Create a new jailed ssh user in ispconfig.
3) Enable loglevel debug in ISPConfig under System > server config
4) Run this script as root in the shell:

/usr/local/ispconfig/server/server.sh

#6
19th July 2011, 16:13
tspau

I keep working on it:

On my production server, when I create a jailed shell user, no jailed /bin directory is created, only an /etc directory with an empty passwd.

I've copied the /bin and /etc from a jailed user on my testing server, editing etc/group and etc/passwd with the data of the local user.

I've also changed the shell of the jailed user from /bin/false to /usr/sbin/jk_chrootsh.

When I tried to log in, in auth.log I get:

Jul 19 15:18:11 mysite su[11866]: Successful su for satsh by root
Jul 19 15:18:11 mysite su[11866]: + pts/0 root:satsh
Jul 19 15:18:11 mysite su[11866]: pam_unix(su:session): session opened for user satsh by sshuser(uid=0)
Jul 19 15:18:11 mysite jk_chrootsh[11867]: abort, the current dir is /usr/var/www/clients/client49/web84 after chdir(/var/www/clients/client49/web84), but it should be /var/www/clients/client49/web84
Jul 19 15:18:11 mysite su[11866]: pam_unix(su:session): session closed for user satsh

OK, my /var is a soft link to /usr/var, so in the ISPConfig panel I've changed, at system -> server config -> web, all references from /var/... to /usr/var/...

I tried to create a new user, site and shell user, but the jailed /bin and /etc are still not created, and in /etc/passwd the shell is still /bin/false.

:-(

I tried again to copy the bin and etc from a jail on my test server (editing /etc/group and /etc/passwd), and if I try to log in now, auth.log shows:


Jul 19 16:09:03 mysite su[18609]: Successful su for tssatshell by root
Jul 19 16:09:03 mysite su[18609]: + pts/1 root:tssatshell
Jul 19 16:09:03 mysite su[18609]: pam_unix(su:session): session opened for user tssatshell by sshuser(uid=0)
Jul 19 16:09:03 mysite jk_chrootsh[18610]: now entering jail /usr/var/www/clients/client50/web85 for user tssatshell (5037)
Jul 19 16:09:03 mysite jk_chrootsh[18610]: ERROR: failed to execute shell /bin/bash for user tssatshell (5037), check the permissions and libraries of /usr/var/www/clients/client50/web85//bin/bash
Jul 19 16:09:03 mysite su[18609]: pam_unix(su:session): session closed for user tssatshell

Any help?

#7
19th July 2011, 16:22
till

Please do what I suggested to you in #5 if you want to debug the problem.

I guess the problem is that /var/www is a symlink to /usr/var/www (and not only /home as you mentioned above), which is a security breach for jailkit, so jailkit disables the user.

I recommend that you reinstall the server if you want to use jailkit so that /var/www and /home/www are not symlinks; they have to be real directories or partitions. As an alternative, you can try to mount /var/www instead of using a symlink.

Last edited by till; 19th July 2011 at 16:39.

#8
19th July 2011, 16:29
tspau

Quote:
Originally Posted by till
You can try to debug the creation of jailed users on your server:

1) Disable the server.sh cronjob in the root crontab.
2) Create a new jailed ssh user in ispconfig.
3) Enable loglevel debug in ISPConfig under System > server config
4) Run this script as root in the shell:

/usr/local/ispconfig/server/server.sh

Hello,

I don't understand where I have to disable the server.sh cronjob; it is not in my cron.d.

Running that script (without disabling the cronjob) only shows:

19.07.2011-16:24 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
19.07.2011-16:24 - DEBUG - No Updated records found, starting only the core.
19.07.2011-16:24 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.

#9
19th July 2011, 16:40
till

Quote:
I don't understand where I have to disable the server.sh cronjob; it is not in my cron.d.

The root crontab can be edited with the command:

crontab -e

#10
25th July 2011, 16:17
tspau

Quote:
Originally Posted by tspau
Hello,

I don't understand where I have to disable the server.sh cronjob; it is not in my cron.d.

Running that script (without disabling the cronjob) only shows:

19.07.2011-16:24 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
19.07.2011-16:24 - DEBUG - No Updated records found, starting only the core.
19.07.2011-16:24 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.

Hello.

This is the output:
# /usr/local/ispconfig/server/server.sh
25.07.2011-16:09 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
25.07.2011-16:09 - DEBUG - Found 1 changes, starting update process.
25.07.2011-16:09 - DEBUG - Call function 'insert' in plugin 'shelluser_base_plugin' raised by event 'shell_user_insert'.
25.07.2011-16:09 - DEBUG - Executed command: useradd -d /usr/var/www/clients/client50/web85 -g client50 -o -p \$1\$98v/TGom\$qbB.4U/S2CwJwjFe4hKYn0 -s /bin/bash -u 5037 tssatxell
25.07.2011-16:09 - DEBUG - Added shelluser: tssatxell
25.07.2011-16:09 - DEBUG - Disabling shelluser temporarily: usermod -s /bin/false -L tssatxell
25.07.2011-16:09 - DEBUG - Call function 'insert' in plugin 'shelluser_jailkit_plugin' raised by event 'shell_user_insert'.
25.07.2011-16:09 - DEBUG - exec: chmod 755 /usr/var/www/clients/client50/web85
25.07.2011-16:09 - DEBUG - exec: chown root:root /usr/var/www/clients/client50/web85
usermod: sin cambios
25.07.2011-16:09 - DEBUG - Added jailkit user to chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_user.sh tssatxell /usr/var/www/clients/client50/web85 /home/tssatxell /bin/bash web85 /home/web85
25.07.2011-16:09 - DEBUG - Added created jailkit user home in : /usr/var/www/clients/client50/web85/home/tssatxell
25.07.2011-16:09 - DEBUG - Added created jailkit parent user home in : /usr/var/www/clients/client50/web85/home/web85
25.07.2011-16:09 - DEBUG - exec: chmod 755 /usr/var/www/clients/client50/web85
25.07.2011-16:09 - DEBUG - exec: chown root:root /usr/var/www/clients/client50/web85
25.07.2011-16:09 - DEBUG - Jailkit Plugin -> insert username:tssatxell
25.07.2011-16:09 - DEBUG - Processed datalog_id 2054
25.07.2011-16:09 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.


And now in /etc/passwd:

tssatxell:x:5037:5036::/usr/var/www/clients/client50/web85/./home/tssatxell:/usr/sbin/jk_chrootsh

But if I run su tssatxell it doesn't log in, and in /var/log/auth.log:

Jul 25 16:12:27 myserver su[4295]: Successful su for tssatxell by root
Jul 25 16:12:27 myserver su[4295]: + pts/0 root:tssatxell
Jul 25 16:12:27 myserver su[4295]: pam_unix(su:session): session opened for user tssatxell by sshuser(uid=0)
Jul 25 16:12:27 myserver jk_chrootsh[4296]: now entering jail /usr/var/www/clients/client50/web85 for user tssatxell (5037)
Jul 25 16:12:27 myserver jk_chrootsh[4296]: ERROR: failed to execute shell /bin/bash for user tssatxell (5037), check the permissions and libraries of /usr/var/www/clients/client50/web85//bin/bash
Jul 25 16:12:27 myserver su[4295]: pam_unix(su:session): session closed for user tssatxell
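
Added example, not part of the thread and not ISPConfig or Jailkit code: a shell check for the two failures visible in the auth.log excerpts above (a symlinked component in the jail path, and a shell that cannot be started inside the jail). The function name, the finding labels and the throwaway sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not ISPConfig or Jailkit code): checks one /etc/passwd entry
# of a jailed user. Function name and finding labels are made up here.
# Usage: check_jail_entry 'name:x:uid:gid::/jail/./home/name:/login/shell'
# Prints one finding per line; returns 0 only when nothing was found.
check_jail_entry() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    login=$(printf '%s\n' "$1" | cut -d: -f7)
    case $home in
        */./*) jail=${home%%/./*} ;;   # jail root is the part before "/./"
        *) echo "NOT_JAILED $home"; return 1 ;;
    esac
    rc=0
    # The debug log in the thread shows the user parked on /bin/false until
    # the Jailkit step sets /usr/sbin/jk_chrootsh.
    case $login in
        */jk_chrootsh) ;;
        *) echo "LOGIN_SHELL $login"; rc=1 ;;
    esac
    # jk_chrootsh aborts when the directory reached by chdir() is not the
    # configured path, which is what a symlinked /var or /home causes.
    real=$(cd "$jail" 2>/dev/null && pwd -P) || { echo "NO_JAIL $jail"; return 1; }
    [ "$real" = "$jail" ] || { echo "SYMLINK_IN_PATH $jail -> $real"; rc=1; }
    # The shell started inside the jail is read from the jail's own etc/passwd.
    inner=$(grep "^$user:" "$jail/etc/passwd" 2>/dev/null | cut -d: -f7)
    if [ -z "$inner" ]; then
        echo "NO_JAIL_PASSWD_ENTRY $jail/etc/passwd"; rc=1
    elif [ ! -x "$jail$inner" ]; then
        echo "SHELL_NOT_EXECUTABLE $jail$inner"; rc=1
    fi
    return $rc
}

# Constructed sample: a throwaway tree where var is a symlink to usr/var,
# mirroring the layout described in the thread.
demo() {
    t=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$t/usr/var/www/web85/etc" "$t/usr/var/www/web85/bin"
    ln -s usr/var "$t/var"
    echo "tsdemo:x:5037:5036::/home/tsdemo:/bin/bash" > "$t/usr/var/www/web85/etc/passwd"
    check_jail_entry "tsdemo:x:5037:5036::$t/var/www/web85/./home/tsdemo:/bin/false"
    rc=$?
    rm -rf "$t"
    return $rc
}
demo || true
```

The check covers the existence and execute bit of the in-jail shell only; it does not inspect the shared libraries that shell needs inside the jail.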