jailkit ssh/scp issue

Discussion in 'General' started by nhybgtvfr, Aug 26, 2021.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i've got a strange issue on a new install. ubuntu 20.04, ispconfig 3.2.5 single server.
    installed using automated installer script.
    jailkit configuration is fully default. as installed.

    i've added a client, created a website, and then created an ssh user for the site. (ssh-key based login only)

    i can login as the ssh user, create files, switch to the /web folder etc, all without problems:
    Code:
    ~$ pwd
    /home/lee
    ~$ ls -l
    total 0
    ~$ touch test
    ~$ ls -l
    total 0
    -rw-r--r-- 1 10002 10002 0 Aug 26 13:38 test
    ~$ cd /web
    ~$ ls -l
    total 20
    -rwxr-xr-- 1 10002 10002 7358 Aug 26 13:13 favicon.ico
    -rwxr-xr-- 1 10002 10002   14 Aug 26 13:13 robots.txt
    -rwxr-xr-- 1 10002 10002 1862 Aug 26 13:13 standard_index.html
    drwxr-xr-x 2 10002 10002 4096 Aug 26 13:17 stats
    
    as you can see though, it doesn't display the username or group name for ownership, only the uid/gid.

    as root:
    Code:
    # ls -l
    total 20
    -rwxr-xr-- 1 web2 client1 7358 Aug 26 13:13 favicon.ico
    -rwxr-xr-- 1 web2 client1   14 Aug 26 13:13 robots.txt
    -rwxr-xr-- 1 web2 client1 1862 Aug 26 13:13 standard_index.html
    drwxr-xr-x 2 web2 client1 4096 Aug 26 13:17 stats
    
    and as the jailkitted ssh user, i can't find name for the user id:

    Code:
    ~$ whoami
    whoami: cannot find name for user ID 10002
    
    and despite being able to ssh in, and create files, i can't scp a file to this website using the jailkit ssh user:
    Code:
     scp installer.php [email protected]<redacted fqdn>:/.
    unknown user 10002
    lost connection
    
    i can't find any errors, and nothing looks wrong in any of the config files.

    from /etc/passwd:
    Code:
    sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
    .
    .
    ispapps:x:5002:5003::/var/www/apps:/bin/sh
    ispconfig:x:5003:5004::/usr/local/ispconfig:/bin/sh
    ispconfigend:x:20000:20000::/usr/local/ispconfig:/bin/sh
    web2:x:10002:10002::/var/www/clients/client1/web2/./home/web2:/usr/sbin/jk_chrootsh
    lee:x:10002:10002::/var/www/clients/client1/web2/./home/lee:/usr/sbin/jk_chrootsh
    
    from /etc/group:
    Code:
    sshusers:x:5002:web2
    ispapps:x:5003:www-data
    ispconfig:x:5004:www-data
    ispconfigend:x:20000:
    client0:x:10001:www-data
    client1:x:10002:www-data
    
    from /var/www/clients/client1/web2/etc/passwd:
    Code:
    root:x:0:0:root:/root:/bin/bash
    lee:x:10002:10002::/home/lee:/bin/bash
    
    from /var/www/clients/client1/web2/etc/group:
    Code:
    root:x:0:
    client1:x:10002:
    
    so everything seems to match my main multi-server setup, where all this just works. i'm at a bit of a loss where to look next to try to fix this.
    any ideas?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That's the passwd file used inside the jail, can't you read it when you are logged in via ssh? Check file/path permissions.
     
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    /var/www/clients/client1/web2/etc/passwd (and group) are owned by root:root, with permissions 644.

    both are readable (read-only) by the jailkit ssh user. although ownership shows as 0 0 (uid/gid numbers) rather than as root root when running ls -l as the jailkit ssh user.
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Is there a /etc/nsswitch.conf in the jail, and what does it contain?

    You could try installing strace on the host (not in the jail), and run a chroot via strace, and see what it shows. In fact, to verify the command to run for that I reproduced the issue (on a Debian 10 host), and find in the output that it isn't finding libnss_files.so.2:
    Code:
    openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    
    And that is due to a recent typo in /etc/jailkit/jk_init.ini, which should be:
    Code:
    [uidbasics]
    comment = common files for all jails that need user/group information
    paths = /lib*/libnsl.so.*, /lib*/libnss*.so.*, /lib/*/libnsl.so.*, /lib/*/libnss*.so.*, /etc/nsswitch.conf, /etc/ld.so.conf
    
    You need to add the missing asterisk in /lib/*/libnss*.so.* then in mysql, "update web_domain set last_jailkit_hash = 'rebuild them all'" to have all jails rebuilt. Or you can hit the one jail with
    Code:
    jk_cp -j /var/www/clients/client1/web2/ /lib/*/libnss*.so.*
    If anyone needs it for future tracking of issues, the strace command for this would be:
    Code:
    strace -ff -s256 -o /tmp/tracing chroot --userspec=10002:10002 /var/www/clients/client1/web2/ /bin/id
    
    (Then open /tmp/tracing.{pid} and go through the output.)
     
    Last edited: Aug 26, 2021
    nhybgtvfr and Taleman like this.
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    excellent. thanks @Jesse Norell
    it was
    i used the nightly built to update the server a couple of days ago, just after it's initial install, to get around the acme / self signed cert bug.
    i'd seen similar issues with jailkit in the past, but none of the previous solutions worked.
    i did look at the jk-init.ini file yesterday, and noticed the paths had been shortened / more general than what was used before, i did compare them to the old entries and it all looked ok, i guess my brain expected to see the missing * and just filled it in itself. i reckon i could have looked at that same thing 20 times and not noticed that unless it was pointed out to me... :oops:

    anyway, it's all working now, jailkit ssh user can see file/directory ownsership names now instead of just uid/gid numbers, and upload files using scp. :D
     
    Jesse Norell and ahrasis like this.

Share This Page