#1 | 23rd March 2010, 22:47 | jwlinux
jailkit not working on ISPconfig v 3.0.2 Debian Lenny

As mentioned in other posts, I recently installed ISPConfig 3.0.2 on Debian Lenny. I used the Debian Lenny Perfect Setup instructions http://www.howtoforge.com/perfect-se...nny-ispconfig3. To the best of my knowledge I followed the instructions exactly.

I made a reseller, the reseller made a client, and the client made a website, an FTP user and a shell user. So far so good, except for the shell user:

In the reseller limits, SSH-Chroot Options I checked both "none" and "jailkit"
In turn, the reseller checked "none" and "jailkit" for the client (limit is set to -1 in each)
When the client made the "shell user" we set the "Chroot Shell" option to Jailkit

However the shell user cannot log in via sftp, I see errors like this in the system logs:

Mar 23 15:19:13 ccs090 sshd[27807]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 15:19:13 ccs090 sshd[27809]: subsystem request for sftp
Mar 23 15:19:13 ccs090 snoopy[27810]: [unknown, uid:5004 sid:27810]: false -c /usr/lib/openssh/sftp-server
Mar 23 15:19:13 ccs090 sshd[27807]: pam_unix(sshd:session): session closed for user site1

I discovered that their shell was set to /bin/false.
So I changed it manually:
usermod -s /usr/sbin/jk_chrootsh site1

Then in the logs I saw errors like:

Mar 23 16:36:43 ccs090 sshd[28937]: Accepted password for site1 from 12.233.247.2 port 63729 ssh2
Mar 23 16:36:43 ccs090 sshd[28937]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 16:36:43 ccs090 sshd[28939]: subsystem request for sftp
Mar 23 16:36:43 ccs090 snoopy[28940]: [unknown, uid:5004 sid:28940]: jk_chrootsh -c /usr/lib/openssh/sftp-server
Mar 23 16:36:43 ccs090 jk_chrootsh[28940]: path /var/www/clients/client5/web4/./home/web4 is group writable
Mar 23 16:36:43 ccs090 jk_chrootsh[28940]: abort, path /var/www/clients/client5/web4/./home/web4 is group writable, set option 'relax_home_group_permissions' to relax this check

So after some google research I set the following options in /etc/jailkit/jk_chrootsh.ini :

[DEFAULT]
relax_home_group=1
relax_home_group_permissions=1
relax_home_other_permissions=1


Now, I get errors that chroot cannot find bash:

Mar 23 16:38:31 ccs090 sshd[28957]: Accepted password for site1 from 12.233.247.2 port 60101 ssh2
Mar 23 16:38:31 ccs090 sshd[28957]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 16:38:31 ccs090 sshd[28959]: subsystem request for sftp
Mar 23 16:38:31 ccs090 snoopy[28960]: [unknown, uid:5004 sid:28960]: jk_chrootsh -c /usr/lib/openssh/sftp-server
Mar 23 16:38:31 ccs090 jk_chrootsh[28960]: path /var/www/clients/client5/web4/./home/web4 is group writable
Mar 23 16:38:31 ccs090 jk_chrootsh[28960]: now entering jail /var/www/clients/client5/web4 for user web4 (5004)
Mar 23 16:38:31 ccs090 snoopy[28960]: [unknown, uid:5004 sid:28960]: /bin/bash -c /usr/lib/openssh/sftp-server
Mar 23 16:38:31 ccs090 snoopy[28960]: ERROR: failed to execute shell /bin/bash for user web4 (5004), check the permissions and libraries of /var/www/clients/client5/web4//bin/bash
Mar 23 16:38:31 ccs090 sshd[28957]: pam_unix(sshd:session): session closed for user site1


I also eventually changed the shell for user "web4":

usermod -s /usr/sbin/jk_chrootsh web4

All of the directories exist but bin/bash does not:

drwxrwxr-x 2 web4 client5 48 2010-03-22 16:21 /var/www/clients/client5/web4/./home/web4
drwxrwxr-x 4 root root 104 2010-03-23 15:19 /var/www/clients/client5/web4/./home/
drwxr-xr-x 9 root root 304 2010-03-22 16:21 /var/www/clients/client5/web4/

ls: cannot access /var/www/clients/client5/web4//bin/bash

And in fact there is no ./bin/ directory at all:

#ls /var/www/clients/client5/web4/
cgi-bin etc home log ssl tmp var web

I did not change any default setting for jailkit or for the user that I know of. It seems that jailkit/ISPConfig do not "create" the chroot jail correctly.

Can anyone tell me what I need to do to fix this?

Thank you,

JW

Last edited by jwlinux; 23rd March 2010 at 22:48. Reason: typo in Title
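
The sessions in the logs above end for three different reasons: a login shell of /bin/false, a group-writable home behind the /./ marker, and no shell inside the jail. The following is an added example, not part of the original post and not ISPConfig or jailkit code, that checks all three for one passwd-format line without relaxing anything in jk_chrootsh.ini. The function name jail_audit, the gid in the sample line and the default in-jail shell /bin/bash (taken from the log) are assumptions.

```shell
#!/bin/sh
# Added example (not ISPConfig or jailkit code): check one passwd-format line
# for the conditions that end the sessions in the logs above.
# Usage: jail_audit PASSWD_LINE [SHELL_INSIDE_JAIL]
jail_audit() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    inner_shell=${2:-/bin/bash}   # assumption: the shell named in the log
    bad=""

    # 1. Login shell must be the jailkit wrapper; /bin/false just closes the session.
    case $shell in
        */jk_chrootsh) ;;
        *) echo "login shell is $shell, not jk_chrootsh"; bad=1 ;;
    esac

    # 2. The home field carries the jail: root before "/./", home inside the jail after it.
    case $home in
        */./*) jail=${home%%/./*}; inner=${home#*/./} ;;
        *) echo "home field has no /./ jail marker"; return 0 ;;
    esac

    # 3. Home permissions: the checks that relax_home_group_permissions and
    #    relax_home_other_permissions switch off. Read the mode string from ls -ld.
    mode=$(ls -ld "$jail/$inner" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || { echo "home $jail/$inner does not exist"; bad=1; }
    case $mode in ?????w*) echo "home is group writable ($mode)"; bad=1 ;; esac
    case $mode in ????????w*) echo "home is world writable ($mode)"; bad=1 ;; esac

    # 4. The shell must exist and be executable inside the jail.
    [ -x "$jail$inner_shell" ] || { echo "no executable $inner_shell inside jail $jail"; bad=1; }

    [ -n "$bad" ] || echo "ok"
    return 0
}

# Constructed demo: a throwaway jail shaped like the one in the post (775 home, no bin/).
demo=$(mktemp -d)
mkdir -p "$demo/home/web4" && chmod 775 "$demo/home/web4"
jail_audit "web4:x:5004:5005::$demo/./home/web4:/bin/false"   # gid 5005 is made up
rm -rf "$demo"
```

On a live system the line would come from `getent passwd USER`; a finding under check 3 points at the directory mode rather than at the relax_* options.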

#2 | 23rd March 2010, 22:51 | jwlinux

Just for testing I also tried having the client change the "shell user's" Chroot Shell option from "Jailkit" to "none".

The user is now able to log in, but of course they can see the entire host FS, which is certainly not desirable.

Thanks,

JW

#3 | 23rd March 2010, 22:54 | jwlinux

Also in the Reseller's account, viewing the System > Server Config > Jailkit tab, everything is set to the defaults (I did not change them) and the defaults are these:


Jailkit chroot home
/home/[username]

Jailkit chroot app sections
basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh

Jailkit chrooted applications
/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico

Jailkit cron chrooted applications
/usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php


Is there anything wrong with that?

JW

#4 | 24th March 2010, 10:47 | till (Super Moderator)

Quote:
I discovered that their shell was set to /bin/false.
So I changed it manually:
usermod -s /usr/sbin/jk_chrootsh site1

Do not modify an ispconfig user manually. The only thing that you can achieve with that is to break your setup. Please delete the users and sites that you modified manually in ispconfig and recreate them afterwards in ispconfig.

Jailkit is working fine in ispconfig 3.0.2, so we have to find out what's wrong with your installation. Have you installed jailkit before you installed ispconfig or after you installed ispconfig?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#5 | 24th March 2010, 16:18 | jwlinux

Quote (originally posted by till):
Do not modify an ispconfig user manually. The only thing that you can achieve with that is to break your setup. Please delete the users and sites that you modified manually in ispconfig and recreate them afterwards in ispconfig.

Jailkit is working fine in ispconfig 3.0.2, so we have to find out what's wrong with your installation. Have you installed jailkit before you installed ispconfig or after you installed ispconfig?

I used the Debian Lenny Perfect Setup instructions http://www.howtoforge.com/perfect-se...nny-ispconfig3, so yes I installed jailkit (on page 4 in Step 15 Install Jailkit) before ISPConfig, which is later, step 18 in those instructions.

I can delete and create as many users / sites as you would like me to. They all behave the same.

Here I have created a whole new client account and new shell user. On the client ssh/sftp side I see this:

ssh bvc1@myserver
bvc1@myserver's password:
Linux ccs089 2.6.26-2-amd64 #1 SMP Tue Mar 9 22:29:32 UTC 2010 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Connection to myserver closed.

sftp bvc1@myserver
Connecting to myserver...
bvc1@myserver's password:
Connection closed

On the server I see the following in the logs:


Mar 24 09:59:05 myserver snoopy[18200]: [unknown, uid:0 sid:18200]: /usr/sbin/sshd -R
Mar 24 09:59:13 myserver sshd[18200]: Accepted password for bvc1 from 2.123.123.123 port 61215 ssh2
Mar 24 09:59:13 myserver sshd[18200]: pam_unix(sshd:session): session opened for user bvc1 by (uid=0)
Mar 24 09:59:13 myserver snoopy[18203]: [bvc1, uid:5005 sid:18203]: -false
Mar 24 09:59:13 myserver sshd[18200]: pam_unix(sshd:session): session closed for user bvc1
Mar 24 09:59:39 myserver snoopy[18204]: [unknown, uid:0 sid:18204]: /usr/sbin/sshd -R
Mar 24 09:59:45 myserver sshd[18204]: Accepted password for bvc1 from 2.123.123.123 port 61218 ssh2
Mar 24 09:59:45 myserver sshd[18204]: pam_unix(sshd:session): session opened for user bvc1 by (uid=0)
Mar 24 09:59:45 myserver sshd[18206]: subsystem request for sftp
Mar 24 09:59:45 myserver snoopy[18207]: [unknown, uid:5005 sid:18207]: false -c /usr/lib/openssh/sftp-server
Mar 24 09:59:45 myserver sshd[18204]: pam_unix(sshd:session): session closed for user bvc1


I have not edited or changed this user in any way.
By default, these new users are being created with /bin/false for a shell. Is this correct behavior?

What other information can I provide to debug this problem?

These are 2 new Debian Lenny installs. The only difference I can think of is that I did install some additional packages and perl modules on the system before installing ISPConfig (not after). Does ISPConfig use any perl modules?

Here's a list of all my extra debian packages (aside from perl):

emacs22-nox less bzip2 vim wget ncftp w3m lynx wajig sudo ntp apt-show-versions cvs firehol ulogd screen psmisc openssl rsync iproute logwatch snoopy sysstat mysql-client
gcc make automake autoconf bison flex libc6-dev

Thanks,

JW

#6 | 24th March 2010, 17:19 | till (Super Moderator)

ISPConfig itself does not use perl. But it is possible that external packages like jailkit use it. The shell /bin/false is the correct shell for the main user of a website. Then you create a shell user with jailkit enabled and jailkit then changes the shell for this new user to the jailkit shell.

Which jailkit version did you install?

#7 | 24th March 2010, 17:43 | jwlinux

Quote (originally posted by till):
Then you create a shell user with jailkit enabled and jailkit then changes the shell for this new user to the jailkit shell.

jailkit is not actually doing this, then.

Quote (originally posted by till):
Which jailkit version did you install?

jailkit 2.5-1

#8 | 24th March 2010, 17:48 | jwlinux

Also for clarification, I did delete the old site & user as you asked. After recreating it - it's still the same.

#9 | 24th March 2010, 19:13 | BorderAmigos

I'm using Debian Lenny on 2 servers with ISPConfig 3.0.2 and jailkit is working fine. I do notice 'snoopy' and 'unknown UID:' in your logs. The unknown user ID seems wrong. Also what is 'snoopy' doing? I don't know the answer. Just things to look into.
__________________
System6Hosting.com, ISPConfig 3, Debian.

#10 | 24th March 2010, 19:50 | jwlinux

"I do notice 'snoopy' and 'unknown UID:' in your logs. The unknown user ID seems wrong."

It actually doesn't say "unknown UID", it says "unknown, uid:5004." unknown refers to some other field of information, I'm not sure what.

uid:5004 was the user's UID in /etc/passwd, that part is correct (or was at the time).

I also noticed that the user's directory tree files under web/ are owned by, for example:

drwxr-xr-x 2 1061 users 216 2010-03-24 04:55 error

and no such user 1061 exists in /etc/passwd. I don't know where it got 1061 from. I wonder if it's trying to use that in other places (such as while creating a shell user) and that's what's breaking it.

"Also what is 'snoopy' doing? I don't know the answer. Just things to look into."

Snoopy is a logging function. I have been using it for years on all kinds of servers, it works good, and is transparent to all programs. I'm sure there is some 0.01% possibility that snoopy is causing a problem but it is very, very unlikely.

Till: please tell me where I can look or what tests I can run to try to find _why_ the jailkit user is not being created correctly.

On one of my two ISPConfig servers I also tried doing the automatic upgrade to 3.0.2.1, because I saw elsewhere on the forum that this was recommended in a few cases to fix jailkit problems.

I tried creating new sites and shell users after the upgrade, and it is still the same.

Thank you everyone for your help,

JW