  #1  
Old 6th June 2013, 14:33
ItsDom ItsDom is offline
Member
 
Join Date: Dec 2012
Posts: 41
Thanks: 2
Thanked 5 Times in 5 Posts
Default Jailkit user new files are owned by root

Hi.

I'm running ISPconfig 3.0.5.2 on CentOS 6.4 which I installed and set up following approximately this: http://www.howtoforge.com/perfect-se...ot-ispconfig-3

On the server, /mnt/data points to a cifs share on another machine, then /srv is a bind mount to /mnt/data/server/srv

I've got jailkit set up, but whenever I connect through it (shell user "domshell") and try to create a file using vim somewhere I'm allowed to (such as private which is domshell:client9) and try to write to it, I get "Can't open linked file for writing" and it won't let me save.

But when I force close without saving, it shows the file has been created but owned by root:root and it's empty. Obviously, because it's now owned by root, and I'm logged in as a jailed shell user, the file becomes read-only for me. It's not just vim either, this stops me doing everything - I'm trying to install composer through the jailed shell as a test, but when downloading the composer file, it does the same - mentions permission issues, fails, but still creates the file 0kb with root:root as the owner.

Could this be because /mnt/data is mounted as root? If so, is there a way round it, so that the owner of a new file is the person logged into the jailkit shell? Ideal situation would be a shell user can log in and create files in places he's allowed (such as private and web) and they're created and owned by him.

Thanks in advance

Dom
  #2  
Old 6th June 2013, 15:01
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,187
Thanks: 829
Thanked 5,417 Times in 4,259 Posts
Default

I haven't seen this behaviour yet on a server, so it might be related to cifs. Maybe you can try to create a directory on the local disk owned by domshell:client9, then mount this with mount --bind somewhere into the directory tree of that website and create a file with vim there to see if it works when the directory is not on cifs.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 6th June 2013, 15:47
ItsDom ItsDom is offline

You appear to be right. I created /opt/test on the web server and bind mounted that into private from domshell client and it behaved normally as it should (e.g. I could create files as a jailed user).

So now we've concluded it's probably CIFS, any suggestions on how to achieve what I'm trying to do (effectively have /clients/ folder on another server) and still be able to have a functioning chroot jail?

I've just tried doing the sharing from the file server using NFSv4, and that has similar issues (it insists on creating the files with the permission of the user which mounts the filesystem rather than the logged in jailkit user)

This must be possible surely....? I imagine any reliable corporate system probably separates storage from front facing servers?

I appreciate I'm getting a bit beyond the realms of ISPconfig support and more into general Linux networking though :/


Thanks in advance.
  #4  
Old 6th June 2013, 16:01
till till is online now

It should be possible to use jailkit on a remote filesystem, not sure about cifs but with nfs it should work. Maybe it's a problem with mount options.

As that's a very specific question and I don't know the exact internals on how the jailkit shell works when it accesses the filesystem, I recommend asking this question in parallel on the jailkit mailing list.
  #5  
Old 6th June 2013, 21:23
ItsDom ItsDom is offline

Okay, thanks.

From what I can figure out, it's a feature. It is because it's mounted as root. I'm guessing when ispconfig creates the /clientx/webx/web folder (or another folder that is owned by the client, not root) when the user is set up, they are created and then chmod'd to webx:clientx.

The "correct" way of dealing with my situation would be to create a separate mount for each user and set e.g. the mount options gid=client9 gid and uid=domshell uid for the client9 folder, I think, so that when files are created in a session by the domshell they're defaulted to domshell:client9.

After all, if I chmod the files as root back over to domshell:client9 I can edit them through the jailed shell.

If I were to insert some code to mount the clientx folder as it's created, and once it has been created and populated, automatically remount it with the new gid and uid - where would you suggest I put such code....?

Last edited by ItsDom; 6th June 2013 at 21:26.
  #6  
Old 7th June 2013, 10:21
till till is online now

The folders are created in the apache or nginx plugin. The plugins are located in /usr/local/ispconfig/server/plugins-available/


Instead of editing an existing plugin it might be better to create a new plugin which creates the folders before the apache plugin is called. If a folder exists already, the apache plugin will just skip creating it.

Make a new plugin which subscribes to the web_domain_insert event to create the folders and mount them. The plugin name must come alphabetically before the apache2 plugin to ensure that it is called before the apache plugin. To activate a plugin, make a symlink from the plugins-enabled folder to the plugin file in the plugins-available folder.

For debugging server plugins, see first post in ispconfig general forum.
  #7  
Old 7th June 2013, 11:06
ItsDom ItsDom is offline

Brilliant, thank you very much - I'll look into that now
  #8  
Old 11th June 2013, 15:48
ItsDom ItsDom is offline

Okay, so I decided against creating a plugin to mount shares for each user. This is because I'd have to have 4 mount points for the directories to be owned by the user (private, web, cgi-bin and tmp) and it's only possible to have 255 mount points per filesystem type (http://serverfault.com/questions/464...any-nfs-mounts)

For the sake of my setup, I can't see myself having more than 255/4 clients, but I'd like to know that I can if I wanted to.

I found that in smb.conf for the share, if you add "inherit permissions = true" then new file permissions will be copied from the parent directory, which is pretty much what I need.

However, I've now hit other problems getting php-cli and mysql to play friendly with jailkit - I'll create a new thread for that shortly as I'm not sure it's really related to this same issue (although there's a chance it could be...)
  #9  
Old 15th June 2013, 15:57
ItsDom ItsDom is offline

Just a follow up to this. I realised that despite inheriting the correct user, new files had the wrong group.

Because it had the correct user, everything seemed to run fine but I didn't do any thorough testing.

I managed to force it to set the same group on a new file by setting the sticky group id bit on the required directory:

Code:
chmod g+s /path/to/folder

The sticky group id bit on a directory makes it so that new files/folders created in it get the same group. For more info on the sticky bit, and how to recursively apply it to sub folders that already exist, see http://en.wikipedia.org/wiki/Setgid#...on_directories

For some reason, this wouldn't work from a samba client - I had to do it on the actual file server.
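
Editor's added example, not part of the thread: a shell sketch that audits a directory tree for the two conditions the last post ran into (directories without the setgid bit, entries whose group differs from their parent's) and applies `chmod g+s` to directories only. It assumes GNU find and stat as shipped on CentOS; the function names and the temporary demo tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes GNU find and stat (Linux).
# On a real server, pass a client directory instead of the constructed tree.

# List directories under $1 that lack the setgid bit.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# List entries under $1 whose group differs from their parent directory's
# group, i.e. files that were created before group inheritance was in place.
group_mismatches() {
    find "$1" -mindepth 1 -print | while IFS= read -r entry; do
        parent=$(dirname "$entry")
        if [ "$(stat -c %g "$entry")" != "$(stat -c %g "$parent")" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Set setgid on $1 and every directory below it; regular files are untouched,
# so no executable ends up setgid by accident.
apply_setgid() {
    find "$1" -type d -exec chmod g+s {} +
}

# Demo on a constructed temporary tree (runs in a subshell, cleans up after).
demo() (
    root=$(mktemp -d) || exit 1
    chmod g-s "$root"
    mkdir -p "$root/web/css" "$root/private"
    touch "$root/web/index.html"
    echo "without setgid before: $(dirs_missing_setgid "$root" | wc -l)"
    apply_setgid "$root"
    mkdir "$root/web/new"            # created after the fix: inherits setgid
    echo "without setgid after:  $(dirs_missing_setgid "$root" | wc -l)"
    echo "group mismatches:      $(group_mismatches "$root" | wc -l)"
    rm -rf "$root"
)

demo
```

Entries reported by `group_mismatches` predate the setgid change and need a one-off `chgrp` on the file server; the bit only affects files created afterwards.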
All times are GMT +2.