#11
19th June 2013, 15:38
jaypabs

Quote:
Originally Posted by ItsDom
Look in your /etc/passwd file and find out what shell the web user is loading - somewhere near the end, it should say something along the lines of:

Code:
web31:x:5004:5006::/path/to/clients/client27/web31/./home/shellusername:/usr/sbin/jk_chrootsh
The key part there is the last bit /usr/sbin/jk_chrootsh which dictates what shell the user is presented with when they log in. If it's not set up correctly, it will probably say /bin/bash or similar which basically means it's loading the normal unrestricted shell.

Regarding the "Jailkit Chroot Home" folder, I think that is the home folder INSIDE the chroot jail that the shell user will be taken to when they first log in.

Also, turn on debugging then delete and recreate the client, the website, and the shell user. Then look in the logs and see if there are any errors when creating the jail.

Thanks for the reply.

Here's the line in /etc/passwd:

web5:x:5004:5005::/var/www/clients/client1/web5/./home/jaypabs_qn:/usr/sbin/jk_chrootsh
jaypabs_qn:x:5004:5005::/var/www/clients/client1/web5/./home/jaypabs_qn:/usr/sbin/jk_chrootsh

After creating a website and a shell user, I cannot log in via sftp or even ssh...

What's the problem with this? And also, how can I turn on debugging? I have spent several hours trying to figure out where I can find the error log. I tried auth.log without luck.

Please help.
#12
19th June 2013, 17:14
jaypabs

Quote:
Originally Posted by till
Are you sure that you can go outside of this directory? In the jail, there are copies of directories like /home and /usr, so the jail looks very similar to a real / directory.

Yes, I am sure, because after I log in using sftp, I can navigate to /etc, /var and other folders.
#13
19th June 2013, 18:39
ItsDom

To turn on debug, log in as admin, go to system > server config > yourserver.domain and change "log level" to debug. Then go to monitor, then show system log, to view the log file through ISPConfig.

Are you SURE you can go outside the directory? jailkit makes a chroot jail. A chroot jail effectively changes what is considered as root. However, if you were to just chroot to /your/clients/folder/clientx/webx/ with just your website stuff in there, nothing would work, because as far as the shell is concerned, that's all there is, your web stuff. So even basic things like the ls command wouldn't work, because that's located in /bin/ls, which the jail doesn't know about because it only knows of everything below /your/clients/clientx/webx. So what jailkit does is create a copy of all the required applications (the ones listed under "chroot jail applications") and put them in /your/clients/folder/clientx/webx/, replicating the folder structure. (This is 1 of the reasons why if you install jailkit after creating your client or website, it won't work, as it's when the client/website is created that the chroot jail is populated by jailkit.)

So when you log in to a chroot jail, you will see /etc and /var, but they are not the /etc or /var that your whole system uses; they are a copy, located in /your/clients/folder/clientx/webx.

One way to demonstrate this: log in as root, go to /etc and create a blank file with a notable name "imaGLOBALtestfile" or something, then navigate to /path/to/your/clients/clientx/webx/etc and create another blank file with a different notable file, e.g. "imaJAILEDtestfile". Now, connect via SSH, and log in with your jailed user. Go to the /etc and see which file you can see. If you see "imaJAILEDtestfile" then jailkit is set up and working fine.

The /etc and /var things visible in the jail shouldn't be able to actually be used or modified when logged in as the jailed user (as they're typically root:root). But even if somehow they could be modified or tampered with, it wouldn't affect anything outside of the jail anyway, because it's just a copy of the system stuff used only in that jail.
Reply With Quote
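
The /etc/passwd check discussed above, as an added example that is not part of any post in this thread: a shell function that splits each home directory at the "/./" marker Jailkit uses to separate the jail root from the home inside the jail, and flags entries whose shell and home disagree. The function names, the status labels and every sample line except web5 are assumptions made for the example.

```shell
# Added example: classify passwd entries by how Jailkit would treat them.
JK_SHELL=/usr/sbin/jk_chrootsh   # shell path as quoted in the thread

# Reads passwd-format lines on stdin; prints user, status, jail root, home in jail (tab separated).
jail_audit() (
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac
        root=- inner=-
        case "$home" in
            */./*)
                root=${home%%/./*}     # everything before the first "/./" is the chroot
                inner=/${home#*/./}    # the rest is the home as seen from inside the jail
                ;;
        esac
        if [ "$shell" = "$JK_SHELL" ] && [ "$root" != "-" ]; then
            status=JAILED
        elif [ "$shell" = "$JK_SHELL" ]; then
            status=BROKEN_NO_JAIL_MARKER   # jk_chrootsh has no "/./" to locate the jail
        elif [ "$root" != "-" ]; then
            status=UNJAILED_SHELL          # jail-style home, but a normal shell is started
        else
            status=NORMAL
        fi
        printf '%s\t%s\t%s\t%s\n' "$user" "$status" "$root" "$inner"
    done
)

# Constructed sample input: web5 is the line posted in the thread, the others are made up.
sample_passwd() {
    cat <<'EOF'
web5:x:5004:5005::/var/www/clients/client1/web5/./home/jaypabs_qn:/usr/sbin/jk_chrootsh
web6:x:5005:5005::/var/www/clients/client1/web6/./home/demo:/bin/bash
web7:x:5006:5005::/var/www/clients/client1/web7:/usr/sbin/jk_chrootsh
alice:x:1000:1000::/home/alice:/bin/bash
EOF
}

# Demo run on the sample; on a real host use: jail_audit < /etc/passwd
sample_passwd | jail_audit
```

An UNJAILED_SHELL result corresponds to the case described in the thread where the last field says /bin/bash or similar and the user gets the normal unrestricted shell.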
#14
20th June 2013, 04:21
jaypabs

Thanks for the reply. It seems it is working fine now, except that it creates another /home folder inside the /var/www/clients/client3/web2 folder like: /var/www/clients/client3/web2/home/web2.

Is it possible to eliminate the creation of a home folder and make the "/var/www/clients/clientx/webx/" the home folder?
#15
20th June 2013, 09:27
ItsDom

Try changing the "jailkit chroot home" to "/"
#16
20th June 2013, 09:59
jaypabs

Quote:
Originally Posted by ItsDom
Try changing the "jailkit chroot home" to "/"

Thanks. That's what I am looking for. It should not create another home under the webX folder as it is unnecessary.

I hope ISPConfig will remove /home/[username] in the next update.
#17
20th June 2013, 10:15
jaypabs

BTW, how do I remove this autogenerated home folder inside the webx folder?

It's saying permission denied:

root@server:/var/www/clients/client3/web2# rm -rf home
rm: cannot remove `home': Permission denied
root@server:/var/www/clients/client3/web2#
#18
21st June 2013, 07:27
tiemnethcm01

Oh, you are really creative

and extremely practical

All times are GMT +2.