chroot shell jailkit not working

Discussion in 'General' started by Chris Tripp, May 2, 2018.

  1. Chris Tripp

    Chris Tripp New Member

    "service jailkit status" says the jailkit is running, but when a jailkit user tries to access with SSH the login terminates immediately. Switching user Chroot Shell to None and login works, but no jail.
    No errors in syslog or cron log.
    Code:
    May  1 18:31:43 email systemd-logind[884]: New session 290321 of user web8.
    May  1 18:31:43 email systemd: pam_unix(systemd-user:session): session opened for user web8 by (uid=0)
    May  1 18:31:44 email jk_chrootsh[23082]: now entering jail /var/www/clients/client1/web8 for user (5005) with arguments
    May  1 18:31:44 email jk_chrootsh[23082]: ERROR: failed to execute shell /bin/bash for user (5005), check the permissions and libraries of /var/www/clients/client1/web8//bin/bash
    May  1 18:31:44 email sshd[23028]: pam_unix(sshd:session): session closed for user
    May  1 18:31:44 email systemd-logind[884]: Removed session 290321.
    May  1 18:31:44 email systemd: pam_unix(systemd-user:session): session closed for user web8
    It looks like bash isn't executable in my jailkit. Did I miss this as part of the installation procedure, or do I need to follow another procedure to set this up?
     
    Last edited: May 2, 2018
  2. Jesse Norell

    Jesse Norell Well-Known Member

    Probably your jk_init.ini needs a little tweaking for your OS to set up bash correctly. What OS are you running?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the output of:

    ls -la /var/www/clients/client1/web8/bin/bash

    and which OS do you use (as @Jesse Norell asked already).
     
  4. Chris Tripp

    Chris Tripp New Member

    OS: Ubuntu 16.04.4 LTS

    /bin/bash does not exist in the client folder. I'll check the jk_init to see if anything jumps out at me.
     
  5. Chris Tripp

    Chris Tripp New Member

    jk_init.ini:

    Code:
    [uidbasics]
    # this section probably needs adjustment on 64bit systems
    # or non-Linux systems
    comment = common files for all jails that need user/group information
    libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
    regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf
    
    [netbasics]
    comment = common files for all jails that need any internet connectivity
    libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2
    regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
    
    [logbasics]
    comment = timezone information
    regularfiles = /etc/localtime
    need_logsocket = 1
    
    [jk_lsh]
    comment = Jailkit limited shell
    executables = /usr/sbin/jk_lsh
    regularfiles = /etc/jailkit/jk_lsh.ini
    users = root
    groups = root
    need_logsocket = 1
    includesections = uidbasics
    
    [limitedshell]
    comment = alias for jk_lsh
    includesections = jk_lsh
    
    [cvs]
    comment = Concurrent Versions System
    executables = /usr/bin/cvs
    devices = /dev/null
    
    [git]
    comment = Fast Version Control System
    executables = /usr/bin/git*
    directories = /usr/share/git-core
    includesections = editors
    
    [scp]
    comment = ssh secure copy
    executables = /usr/bin/scp
    includesections = netbasics, uidbasics
    devices = /dev/urandom
    
    [sftp]
    comment = ssh secure ftp
    executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
    includesections = netbasics, uidbasics
    devices = /dev/urandom, /dev/null
    
    [ssh]
    comment = ssh secure shell
    executables = /usr/bin/ssh
    includesections = netbasics, uidbasics
    devices = /dev/urandom, /dev/tty
    
    [rsync]
    executables = /usr/bin/rsync
    includesections = netbasics, uidbasics
    
    [procmail]
    comment = procmail mail delivery
    executables = /usr/bin/procmail, /bin/sh
    devices = /dev/null
    
    [basicshell]
    comment = bash based shell with several basic utilities
    executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat
    regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile
    directories = /usr/lib/locale/en_US.utf8
    users = root
    groups = root
    includesections = uidbasics
    
    [midnightcommander]
    comment = Midnight Commander
    executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview
    directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc
    includesections = basicshell
    
    [extendedshell]
    comment = bash shell including things like awk, bzip, tail, less
    executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usr/bin/whoami
    includesections = basicshell, midnightcommander, editors
    
    [editors]
    comment = vim, joe and nano
    executables = /usr/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico
    regularfiles = /etc/vimrc
    directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo
    
    [netutils]
    comment = several internet utilities like wget, ftp, rsync, scp, ssh
    executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
    includesections = netbasics, ssh, sftp, scp
    
    [apacheutils]
    comment = htpasswd utility
    executables = /usr/bin/htpasswd
    
    [extshellplusnet]
    comment = alias for extendedshell + netutils + apacheutils
    includesections = extendedshell, netutils, apacheutils
    
    [openvpn]
    comment = jail for the openvpn daemon
    executables = /usr/sbin/openvpn
    users = root,nobody
    groups = root,nogroup
    includesections = netbasics
    devices = /dev/urandom, /dev/random, /dev/net/tun
    includesections = netbasics, uidbasics
    need_logsocket = 1
    
    [apache]
    comment = the apache webserver, very basic setup, probably too limited for you
    executables = /usr/sbin/apache
    users = root, www-data
    groups = root, www-data
    includesections = netbasics, uidbasics
    
    [perl]
    comment = the perl interpreter and libraries
    executables = /usr/bin/perl
    directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
    
    [xauth]
    comment = getting X authentication to work
    executables = /usr/bin/X11/xauth
    regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
    
    [xclients]
    comment = minimal files for X clients
    regularfiles = /usr/X11R6/lib/X11/rgb.txt
    includesections = xauth
    
    [vncserver]
    comment = the VNC server program
    executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc
    directories = /usr/X11R6/lib/X11/fonts/
    includesections = xclients
    
    
    #[xterm]
    #comment = xterm
    #executables = /usr/bin/X11/xterm
    #directories = /usr/share/terminfo, /etc/terminfo
    #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    I don't have jailkit on Ubuntu 16.04 offhand, but IIRC bash inside jails broke when I updated from Debian jessie to stretch and I had to add this to the above basicshell section:
    Code:
    paths = /dev/tty, /usr/lib/x86_64-linux-gnu/gconv/, /usr/share/locale/locale.alias
    It's been a little while, but I believe that was determined via a mix of Google searches and running bash under strace to see what files it opened, then ensuring they were in the jail. You might try adding that, then re-run jk_init to copy things:
    Code:
    jk_init -j /var/www/clients/client1/web8 basicshell
     
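The script below is an added example written for this thread; it is not code from the posters and not part of jailkit. It turns the two diagnostic steps the thread arrives at into a repeatable check: pull the jail path and shell out of the jk_chrootsh error line from the first post, verify that the shell and every shared library it links against (as reported by ldd on the host copy) exist under the jail, and optionally verify the extra paths Jesse added (/dev/tty, the gconv directory, locale.alias). populate_jail_shell copies the shell and its libraries to the same paths inside the jail, which is a miniature of what jk_init does with the basicshell section; for a real jail you would still run jk_init as shown above. The function names and the sample log text are this example's own constructions; the sample reproduces the error line from the first post on a single line, as syslog writes it.

```shell
#!/bin/sh
# Hand-rolled jail sanity check (example code, not part of jailkit).
# Usage: . ./jailcheck.sh, then e.g. check_jail_shell /var/www/clients/client1/web8 /bin/bash

# jail_from_log: read syslog lines on stdin, print "<jail> <shell>" for each
# jk_chrootsh "failed to execute shell" error. The path in that message is
# <jail>//<shell>, so the double slash marks the split point.
jail_from_log() {
    awk '/jk_chrootsh\[[0-9]+\]: ERROR: failed to execute shell/ {
            full = $NF
            n = index(full, "//")
            if (n > 0) print substr(full, 1, n - 1), substr(full, n + 1)
         }'
}

# host_deps <binary>: absolute paths of the shared libraries and loader the
# host binary needs, one per line. Empty for static binaries or without ldd.
# Note: ldd runs the dynamic loader on the file, so only point it at binaries
# you already trust (here, the host's own shell).
host_deps() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# check_jail_shell <jail> [<shell>]: report every file the shell needs that is
# missing from the jail. Returns 0 when the jail is complete, 1 otherwise.
check_jail_shell() {
    jail=$1; shell=${2:-/bin/bash}; missing=0
    if [ ! -x "$jail$shell" ]; then
        echo "MISSING executable: $jail$shell"; missing=1
    fi
    for lib in $(host_deps "$shell"); do
        if [ ! -e "$jail$lib" ]; then
            echo "MISSING library:    $jail$lib"; missing=1
        fi
    done
    return $missing
}

# check_jail_paths <jail> <path>...: verify extra files or directories (the
# "paths =" entries from the reply above) exist under the jail.
check_jail_paths() {
    jail=$1; shift; missing=0
    for p in "$@"; do
        [ -e "$jail$p" ] || { echo "MISSING path: $jail$p"; missing=1; }
    done
    return $missing
}

# populate_jail_shell <jail> [<shell>]: copy the shell and its libraries to the
# same paths under the jail, world-readable and executable like the originals.
populate_jail_shell() {
    jail=$1; shell=${2:-/bin/bash}
    for f in "$shell" $(host_deps "$shell"); do
        mkdir -p "$jail$(dirname "$f")"
        cp "$f" "$jail$f" && chmod a+rx "$jail$f"
    done
}

# Constructed sample, modelled on the syslog excerpt in the first post.
SAMPLE_LOG='May  1 18:31:44 email jk_chrootsh[23082]: now entering jail /var/www/clients/client1/web8 for user (5005) with arguments
May  1 18:31:44 email jk_chrootsh[23082]: ERROR: failed to execute shell /bin/bash for user (5005), check the permissions and libraries of /var/www/clients/client1/web8//bin/bash'

# Demo: find the failing jail in the sample log and check it.
printf '%s\n' "$SAMPLE_LOG" | jail_from_log | while read -r jail shell; do
    echo "checking $jail for $shell"
    check_jail_shell "$jail" "$shell" || echo "jail $jail is incomplete; run: jk_init -j $jail basicshell"
done
```

On a healthy jail check_jail_shell prints nothing and returns 0; on the thread's host it would print the missing /bin/bash line, and after a successful jk_init it would list any library that jk_init's section definitions did not cover, which is exactly the case the gconv and locale.alias additions address.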
