chroot shell jailkit not working after update to 3.2

Discussion in 'General' started by jonathannet, Oct 15, 2020.

  1. jonathannet

    jonathannet Member

    After updating to ISPConfig 3.2 my friend got an error when logging in with WinSCP. I can see this in the log; how do I fix that?

    Code:
    Oct 15 18:46:41 server1 systemd-logind[980]: New session 19304 of user web33.
    Oct 15 18:46:41 server1 systemd: pam_unix(systemd-user:session): session opened for user web33 by (uid=0)
    Oct 15 18:46:43 server1 jk_chrootsh[16809]: now entering jail /var/www/clients/client2/web33 for user username (5007) with arguments -c /usr/lib/openssh/sftp-server
    Oct 15 18:46:43 server1 jk_chrootsh[16809]: ERROR: failed to execute shell /bin/bash for user username (5007), check the permissions and libraries of /var/www/clients/client2/web33//bin/bash
    Oct 15 18:46:43 server1 sshd[16710]: pam_unix(sshd:session): session closed for user username
    Oct 15 18:46:43 server1 systemd-logind[980]: Removed session 19304.
    And ls -la /var/www/clients/client2/web33//bin/bash
    -rwxr-xr-x 1 root root 1113504 Jun 7 2019 /var/www/clients/client2/web33//bin/bash
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Hello @jonathannet, What OS is this on? Try enabling server debugging, then add something to the shell account (eg. add a bogus rsa key line or change quota) and save. See if any errors show up in ispconfig.log with that (or better, run server.sh manually after the above), and test it again.

    I'll test sftp-server in a jail and check back shortly.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You might also check that you don't have a conf-custom template for jk_init.ini; the one distributed with 3.2 has an "sftp" section you can add to the server's default settings (under Server Config) or to the website's custom settings (Options tab of the website).
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    FWIW, sftp-server works fine for me in a jail on debian 10, using the [sftp] section in jk_init.ini (it is in my server's 'Jailkit chroot app sections' setting).
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this an existing user or one that you newly added in ISPConfig 3.2? And please post the result of:

    ls -la /var/www/clients/client2/web33

    and

    grep username /etc/passwd

    replace username with the name of the user
     
  6. jonathannet

    jonathannet Member

    I am using Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64) and it was working before updating to 3.2 tonight :)

    And ls -la /var/www/clients/client2/web33 gives me a lot of directories

    grep username /etc/passwd
    Code:
    username:x:5007:5006::/var/www/clients/client2/web33/./home/username:/usr/sbin/jk_chrootsh
     


  7. till

    till Super Moderator Staff Member ISPConfig Developer

    And that's the output that we need to see if they have the right permissions.

    The line from /etc/passwd is ok.
     
  8. jonathannet

    jonathannet Member

    Code:
    
    
     
    Last edited: Oct 15, 2020
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The folders of the chroot seem to have the right owner as far as I can see.
     
  10. jonathannet

    jonathannet Member

    Okay but is it not some error with 2 // in the dir?
    Code:
    Oct 15 18:46:43 server1 jk_chrootsh[16809]: ERROR: failed to execute shell /bin/bash for user username (5007), check the permissions and libraries of /var/www/clients/client2/web33//bin/bash
    Oct 15 18:46:43 server1 sshd[16710]: pam_unix(sshd:session): session closed for user username
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No. If you haven't tried the above suggestions to fix it yet, what does 'ldd /var/www/clients/client2/web33//bin/bash' show? My guess is a missing library?

    Note you can run a resync of shell users to kick off an update of all jails; the above instructions should trigger that for just the single jail.
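
    A way to act on the ldd suggestion in the post above, as an added example that is not part of the thread: the hypothetical helper `missing_jail_libs` reads ldd output and reports each library that is absent or not world-readable under the jail root. The sample ldd output is constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ldd` output on stdin and reports
# every shared object that is absent, or not world-readable, below jail root $1.
missing_jail_libs() {
    jail=${1%/}
    while read -r name arrow path _rest; do
        case "$name" in
            linux-vdso*|linux-gate*) continue ;;  # kernel-provided, no file on disk
        esac
        if [ "$arrow" = "=>" ]; then
            if [ "$path" = "not" ]; then          # "libfoo.so => not found"
                echo "unresolved: $name"
                continue
            fi
        else
            case "$name" in
                /*) path=$name ;;                 # loader line: absolute path, no arrow
                *)  continue ;;                   # e.g. "not a dynamic executable"
            esac
        fi
        target="$jail$path"
        if [ ! -e "$target" ]; then
            echo "missing: $path"
        elif [ -z "$(find -L "$target" -maxdepth 0 -perm -004)" ]; then
            echo "unreadable: $path"              # no read bit for 'other'
        fi
    done
}

# Constructed sample of ldd output for a bash binary (addresses are made up).
sample_ldd() {
    cat <<'EOF'
	linux-vdso.so.1 (0x00007ffc0a5f2000)
	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f1c2a000000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1c29c00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29800000)
	libfoo.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a400000)
EOF
}

# On the server: ldd "$JAIL/bin/bash" | missing_jail_libs "$JAIL"
```

    Empty output means every library the binary needs is present in the jail at the same path as on the host; any line printed names a file the jail is missing or cannot read.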
     
  12. jonathannet

    jonathannet Member

    In ISPC Cron Log:

    Code:
    Thu 15 Oct 18:50:01 CEST 2020 usermod: user <username> is currently used by process 1861
    Thu 15 Oct 18:50:01 CEST 2020 failed to execute usermod -d /var/www/clients/client2/web33/. -s /usr/sbin/jk_chrootsh <username>
    Thu 15 Oct 18:50:01 CEST 2020 failed to modify user <username>
    So do you mean I have to delete the section sftp in jk_init.ini or?
     
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No, I mean the jk_init.ini template you get with ISPConfig includes a sftp section which tests as working on debian 10 - ensure you don't have a /usr/local/ispconfig/server/conf-custom/install/jk_init.ini.master file which overrides that template. Or alternatively, compare your /etc/jailkit/jk_init.ini with the version from 3.2 to ensure they are the same.
     
  14. jonathannet

    jonathannet Member

    There is no jk_init.ini.master in /usr/local/ispconfig/server/conf-custom/install/

    But I have a file in /etc/jailkit called jk_init.ini~ is that the old file or?

    And I can see I have a jk_init.ini in /usr/
     
  15. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    But not a jk_init.ini? What does 'ls -ltr /etc/jailkit' show ?
    Strange, that's not where one should be; perhaps it got moved from /etc/jailkit, which would explain it missing there?
     
  16. jonathannet

    jonathannet Member

    'ls -ltr /etc/jailkit' shows
    Code:
    total 40
    -rw-r--r-- 1 root root   77 Oct 28  2018 jk_update.ini
    -rw-r--r-- 1 root root  166 Oct 28  2018 jk_uchroot.ini
    -rw-r--r-- 2 root root  337 Oct 28  2018 jk_lsh.ini
    -rw-r--r-- 1 root root 1087 Oct 28  2018 jk_check.ini
    -rw-r--r-- 1 root root  226 Dec 31  2018 jk_socketd.ini
    -rw-r--r-- 1 root root 5109 Oct 15 18:31 jk_init.ini~
    -rw-r--r-- 1 root root  278 Oct 15 18:31 jk_chrootsh.ini
    -rw-r--r-- 1 root root 5110 Oct 15 20:17 jk_init.ini
    
    I have a backup of the old files in /var/backup if I can use that file in /etc/jailkit from that backup
     
  17. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So you do have a jk_init.ini, but it is much smaller than the current version you should receive from ispconfig 3.2. Did you answer 'yes' to reconfigure services during install? I would download 3.2 and run update.php again and be sure to reconfigure services when prompted.
     
  18. jonathannet

    jonathannet Member

    Yeah it is smaller because I edited it with the old version I think :)

    And when I type jk_init -l I get this, so it runs from the /etc/jailkit dir:
    Code:
    ** Available sections in /etc/jailkit/jk_init.ini **
    
    apache - the apache webserver, very basic setup, probably too limited for you
    apacheutils - htpasswd utility
    basicshell - bash based shell with several basic utilities
    composer - composer
    coreutils - non-sbin progs from coreutils
    cvs - Concurrent Versions System
    editors - vim, joe and nano
    env - /usr/bin/env for environment variables
    extendedshell - bash shell including things like awk, bzip, tail, less
    extshellplusnet - alias for extendedshell + netutils + apacheutils
    git - Fast Version Control System
    jk_lsh - Jailkit limited shell
    limitedshell - alias for jk_lsh
    logbasics - timezone information and log sockets
    midnightcommander - Midnight Commander
    mysql-client - mysql client
    netbasics - common files for all jails that need any internet connectivity
    netutils - several internet utilities like wget, ftp, rsync, scp, ssh
    node - NodeJS
    openvpn - jail for the openvpn daemon
    perl - the perl interpreter and libraries
    php - default php version and libraries
    php5_6 - php version 5.6
    php7_0 - php version 7.0
    php7_1 - php version 7.1
    php7_2 - php version 7.2
    php7_3 - php version 7.3
    php7_4 - php version 7.4
    php_common - common php directories and libraries
    ping - Ping program
    procmail - procmail mail delivery
    rsync
    scp - ssh secure copy
    sftp - ssh secure ftp
    ssh - ssh secure shell
    terminfo - terminfo databases, required for example for ncurses or vim
    uidbasics - common files for all jails that need user/group information
    vncserver - the VNC server program
    wp - WordPress Command Line
    xauth - getting X authentication to work
    xclients - minimal files for X clients
    
    I also read on Stack Overflow about this:
    Code:
    Thu 15 Oct 18:50:01 CEST 2020 usermod: user <username> is currently used by process 1861
    And I just restarted the server and now the message is gone, so now the only thing that is not working is the option in ISPConfig with jailkit turned on
     
    Last edited: Oct 16, 2020
  19. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The "user <username> is currently used" message happens when usermod is run as part of jailkit setup and there's a process for that user running (eg. generally an active php daemon). It will show up from time to time, and to my knowledge is not a problem for 3.2 (note: this was an issue in 3.1.15p3 that can create a bad /etc/passwd entry).

    It is not clear (to me) what specifically isn't working. Does sftp still fail, or is there something else amiss? Did you follow the advice above to trigger the jail to update? Or even run some jk_update/jk_init manually to repair it? Also, if you still have the output, what did ldd show, offhand?
     
  20. jonathannet

    jonathannet Member

    I cannot log in over ssh with jailkit set on for the user in ISPConfig; I just get disconnected. But if I turn jailkit off, it works fine. Here is the error from /var/log/auth.log

    Code:
    Oct 16 21:17:48 server1 sshd[7230]: Accepted password for <username> from 192.168.1.101 port 55055 ssh2
    Oct 16 21:17:48 server1 sshd[7230]: pam_unix(sshd:session): session opened for user <username> by (uid=0)
    Oct 16 21:17:48 server1 systemd-logind[993]: New session 1016 of user web33.
    Oct 16 21:17:50 server1 jk_chrootsh[7318]: now entering jail /var/www/clients/client2/web33 for user <username> (5007) with arguments -c /usr/lib/openssh/sftp-server
    Oct 16 21:17:50 server1 jk_chrootsh[7318]: ERROR: failed to execute shell /bin/bash for user <username> (5007), check the permissions and libraries of /var/www/clients/client2/web33//bin/bash
    Oct 16 21:17:50 server1 systemd-logind[993]: Removed session 1016.
    Oct 16 21:17:50 server1 sshd[7230]: pam_unix(sshd:session): session closed for user <username>
     
