chroot shell jailkit not working

Discussion in 'General' started by Chris Tripp, May 2, 2018.

  1. Chris Tripp

    Chris Tripp New Member

    "service jailkit status" says the jailkit is running, but when a jailkit user tries to access with SSH the login terminates immediately. Switching user Chroot Shell to None and login works, but no jail.
    No errors in syslog or cron log.
    May  1 18:31:43 email systemd-logind[884]: New session 290321 of user web8.
    May  1 18:31:43 email systemd: pam_unix(systemd-user:session): session opened for user web8 by (uid=0)
    May  1 18:31:44 email jk_chrootsh[23082]: now entering jail /var/www/clients/client1/web8 for user (5005) with arguments
    May  1 18:31:44 email jk_chrootsh[23082]: ERROR: failed to execute shell /bin/bash for user
    (5005), check the permissions and libraries of /var/www/clients/client1/web8//bin/bash
    May  1 18:31:44 email sshd[23028]: pam_unix(sshd:session): session closed for user
    May  1 18:31:44 email systemd-logind[884]: Removed session 290321.
    May  1 18:31:44 email systemd: pam_unix(systemd-user:session): session closed for user web8
    It looks like bash isn't executable in my jailkit. Did I miss this as part of the installation procedure, or do I need to follow another procedure to set this up?
    Last edited: May 2, 2018
  2. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    probably your jk_init.ini needs a little tweaking for your OS to setup bash correctly. what OS are you running?
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the output of:

    ls -la /var/www/clients/client1/web8/bin/bash

    and which OS do you use (as @Jesse Norell asked already).
  4. Chris Tripp

    Chris Tripp New Member

    OS: Ubuntu 16.04.4 LTS

    /bin/bash does not exist in the client folder. I'll check the jk_init to see if anything jumps out at me.
  5. Chris Tripp

    Chris Tripp New Member


    # this section probably needs adjustment on 64bit systems
    # or non-Linux systems
    comment = common files for all jails that need user/group information
    libraries = /lib/, /lib64/, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
    regularfiles = /etc/nsswitch.conf, /etc/
    comment = common files for all jails that need any internet connectivity
    libraries = /lib/, /lib64/, /lib/x86_64-linux-gnu/
    regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
    comment = timezone information
    regularfiles = /etc/localtime
    need_logsocket = 1
    comment = Jailkit limited shell
    executables = /usr/sbin/jk_lsh
    regularfiles = /etc/jailkit/jk_lsh.ini
    users = root
    groups = root
    need_logsocket = 1
    includesections = uidbasics
    comment = alias for jk_lsh
    includesections = jk_lsh
    comment = Concurrent Versions System
    executables = /usr/bin/cvs
    devices = /dev/null
    comment = Fast Version Control System
    executables = /usr/bin/git*
    directories = /usr/share/git-core
    includesections = editors
    comment = ssh secure copy
    executables = /usr/bin/scp
    includesections = netbasics, uidbasics
    devices = /dev/urandom
    comment = ssh secure ftp
    executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
    includesections = netbasics, uidbasics
    devices = /dev/urandom, /dev/null
    comment = ssh secure shell
    executables = /usr/bin/ssh
    includesections = netbasics, uidbasics
    devices = /dev/urandom, /dev/tty
    executables = /usr/bin/rsync
    includesections = netbasics, uidbasics
    comment = procmail mail delivery
    executables = /usr/bin/procmail, /bin/sh
    devices = /dev/null
    comment = bash based shell with several basic utilities
    executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat
    regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile
    directories = /usr/lib/locale/en_US.utf8
    users = root
    groups = root
    includesections = uidbasics
    comment = Midnight Commander
    executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview
    directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc
    includesections = basicshell
    comment = bash shell including things like awk, bzip, tail, less
    executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usr/bin/whoami
    includesections = basicshell, midnightcommander, editors
    comment = vim, joe and nano
    executables = /usr/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico
    regularfiles = /etc/vimrc
    directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo
    comment = several internet utilities like wget, ftp, rsync, scp, ssh
    executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
    includesections = netbasics, ssh, sftp, scp
    comment = htpasswd utility
    executables = /usr/bin/htpasswd
    comment = alias for extendedshell + netutils + apacheutils
    includesections = extendedshell, netutils, apacheutils
    comment = jail for the openvpn daemon
    executables = /usr/sbin/openvpn
    users = root,nobody
    groups = root,nogroup
    includesections = netbasics
    devices = /dev/urandom, /dev/random, /dev/net/tun
    includesections = netbasics, uidbasics
    need_logsocket = 1
    comment = the apache webserver, very basic setup, probably too limited for you
    executables = /usr/sbin/apache
    users = root, www-data
    groups = root, www-data
    includesections = netbasics, uidbasics
    comment = the perl interpreter and libraries
    executables = /usr/bin/perl
    directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
    comment = getting X authentication to work
    executables = /usr/bin/X11/xauth
    regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/
    comment = minimal files for X clients
    regularfiles = /usr/X11R6/lib/X11/rgb.txt
    includesections = xauth
    comment = the VNC server program
    executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc
    directories = /usr/X11R6/lib/X11/fonts/
    includesections = xclients
    #comment = xterm
    #executables = /usr/bin/X11/xterm
    #directories = /usr/share/terminfo, /etc/terminfo
    #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
  6. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    I don't have jailkit on ubuntu 16.04 offhand, but iirc bash inside jails broke when I updated from debian jessie to stretch and I had to add this to the above basicshell section:
    paths = /dev/tty, /usr/lib/x86_64-linux-gnu/gconv/, /usr/share/locale/locale.alias
    It's been a little while, but I believe that was determined via a mix of google searches and running bash under strace to see what files it opened, then ensuring they were in the jail. You might try adding that then just re-run jk_init again to copy things:
    jk_init -j /var/www/clients/client1/web8 basicshell

Share This Page