Debian Buster + Jailkit concern

Discussion in 'Installation/Configuration' started by burlyhousetech, Sep 15, 2020 at 7:00 PM.

  1. burlyhousetech

    burlyhousetech Member HowtoForge Supporter

    Fresh install of ISPConfig v3.1.15p3 running on Debian Buster with Jailkit v2.21 using Perfect Server guide.

    After creating an SFTP (shell) user with Jailkit the user is unable to login. There appear to be multiple issues together conspiring in producing this symptom:
    1. error in /etc/jailkit/jk_init.ini
    2. missing /bin/bash (+ others)
    3. concern between Jailkit v2.2.1 on Debian 10 (or Python?)
    ~~~

    Looking at /var/log/auth.log yields this hint:
    Code:
    jk_chrootsh[10490]: ERROR: failed to execute shell /bin/bash for user ****** (####), check the permissions and libraries of /var/www/clients/client1/web###//bin/bash
    
    OK, so peeking inside the web user's I note that there are a lot of missing binaries:
    Code:
    $ ls bin
    basename  dircolors  dirname  groups  id  lesspipe  mysql  mysqldump  nano  patch  pico  rm  tar  unzip  zip
    
    Digging further, I found this entry in /var/log/ispconfig/cron.log:
    Code:
    Tue 15 Sep 2020 10:29:01 AM CDT Traceback (most recent call last):
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/sbin/jk_init", line 261, in <module>
    Tue 15 Sep 2020 10:29:01 AM CDT main()
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/sbin/jk_init", line 258, in main
    Tue 15 Sep 2020 10:29:01 AM CDT activateConfig(config, jail, args)
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/sbin/jk_init", line 164, in activateConfig
    Tue 15 Sep 2020 10:29:01 AM CDT cfg.read([config['file']])
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/lib/python3.7/configparser.py", line 696, in read
    Tue 15 Sep 2020 10:29:01 AM CDT self._read(fp, filename)
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/lib/python3.7/configparser.py", line 1091, in _read
    Tue 15 Sep 2020 10:29:01 AM CDT fpname, lineno)
    Tue 15 Sep 2020 10:29:01 AM CDT configparser.DuplicateOptionError: While reading from '/etc/jailkit/jk_init.ini' [line 115]: option 'includesections' in section 'openvpn' already exists
    Tue 15 Sep 2020 10:29:02 AM CDT invalid shell, /var/www/clients/client1/web597/bin/bash does not exist
    Tue 15 Sep 2020 10:29:02 AM CDT finished.
    
    When I try to run jk_list:
    Code:
    # jk_list
    bash: jk_list: command not found
    # /usr/sbin/jk_list
    Traceback (most recent call last):
      File "/usr/sbin/jk_list", line 159, in <module>
        main()
      File "/usr/sbin/jk_list", line 156, in main
        printResults(results,wide)
      File "/usr/sbin/jk_list", line 92, in printResults
        results.sort()
    TypeError: '<' not supported between instances of 'ListResult' and 'ListResult'
    
    ~~~

    I've noted there are others who are recently describing similar issues, but this one in particular looks related:
    https://www.howtoforge.com/community/threads/possible-ubuntu-20-04-jailkit-issue.85071/#post-408047
     
  2. burlyhousetech

    burlyhousetech Member HowtoForge Supporter

    Fix for the reported Jailkit error is straightforward:
    Code:
    configparser.DuplicateOptionError: While reading from '/etc/jailkit/jk_init.ini' [line 115]: option 'includesections' in section 'openvpn' already exists
    
    Looking in /etc/jailkit/jk_init.ini simply delete the duplicate `includesections` found in `openvpn`.

    After this fix is applied I'm able to mostly create a jailkit manually for that user's directory:
    Code:
    $ sudo jk_init -j /var/www/clients/client1/web597/ basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh
    usr/bin/var/www/clients/client1/web597/bin
    
    Code:
    Traceback (most recent call last):
      File "/usr/sbin/jk_init", line 261, in <module>
        main()
      File "/usr/sbin/jk_init", line 258, in main
        activateConfig(config, jail, args)
      File "/usr/sbin/jk_init", line 173, in activateConfig
        ji.handle_cfg_section(config,jail,cfg,section)
      File "/usr/sbin/jk_init", line 110, in handle_cfg_section
        self.handle_cfg_section(config,chroot,cfg,tmp)
      File "/usr/sbin/jk_init", line 157, in handle_cfg_section
        jk_lib.create_parent_path(chroot,os.path.dirname(tmp), config['verbose'], copy_permissions=0, allow_suid=0, copy_ownership=0)
      File "/usr/share/jailkit/jk_lib.py", line 485, in create_parent_path
        os.mkdir(jailpath, dir_mode)
    PermissionError: [Errno 1] Operation not permitted: '/var/www/clients/client1/web597/dev'
    
    Is there some method of triggering a rebuild of jailkit for a given vhost, or will I have to delete the ISPConfig Site and start anew?
     
  3. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

  4. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Remove the /etc/jailkit/ directory within the jail, then update something (eg. password) in your shell user.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

  6. burlyhousetech

    burlyhousetech Member HowtoForge Supporter

  7. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Perhaps the issue is due to Python 3 not parsing the jail with the duplicate section the same as an older version did (I really don't know), but the first link you posted explains the simple workaround is to remove the extra includesections line.

    I use 2.21 on Buster without issue. For fun I also tested adding that extraneous includesections line back in to my jk_init.ini on a buster system with 2.20, and it produces the exact same failure, so a clear 'no' on that idea as a workaround.
     
