Jailkit stopped working

Discussion in 'General' started by Jean-François Questiaux, May 26, 2017.

  1. Probably because of the latest update on Ubuntu 16.04, I can't create new shell users with Jailkit. Creating with "chroot shell" on "none" allows SSH connection, but not if I set it to "Jailkit". It seems that the .ssh folder is not created.
    Actually a lot of folders are missing:
    .ssh bin dev etc home lib lib64 run usr var

    I tried deleting the site and re-creating it but with no luck.
    Any idea how to debug/fix this?
     
    Last edited: May 26, 2017
  2. I follow up on this because now it happens also on a second server, so I'm beginning to think that this has to do with my recent update to ISPConfig 3.1.3. It seems that Jailkit does not play along with that version. But I have no clue about what to do.
     
  3. till (Super Moderator, Staff Member, ISPConfig Developer)

    Jailkit is working fine in ISPConfig 3.1.3 on my servers. There are no reported issues from other users as well.
     
  4. OK, for some reason it's working again on the Debian 8 server, but still not on the Ubuntu 16 one.
    Can I re-install Jailkit? In the ISPConfig manual it says that Jailkit has to be installed before ISPConfig, so ... Also, this Ubuntu server is a slave server in a multiserver environment, so I don't use the ISP console on it.
    Anyway, I would greatly appreciate any advice on this issue.
     
  5. Jesse Norell (Well-Known Member)

    You could try that; it looks like the Makefile has an uninstall directive, so follow the setups to install it, but instead of running "make install" try "make uninstall". Then follow that with a "make install" and it should build again and install it fresh.

    You might test out some of the jailkit commands, eg. see if you can make a jailkit manually with:
    Code:
    mkdir /something
    jk_init -j /something ssh
    
    That should create a jailkit environment suitable to support an ssh login (though it won't set up any user accounts to login there); see if you get errors there. (Just "rm -r /something" when done to clean up.)

    If jk_init works there, try enabling debugging in ispconfig and check the log file to see what happens when ispconfig's cronjob tries to run.
     
  6. Hi Jesse. Thank you for your input.
    I did run your test and it's working without error. So what's happening is that "jk_init" is not run by ISPConfig anymore, since all the needed directories/files are not created when you set the chroot to "Jailkit" for the shell user.
    Therefore in the ISP log you get an error like "file /var/www/clients/clientX/webXX/home does not exists".

    I'm a little reluctant to try the uninstall/install thing because of the warning in the ISP manual saying you can't install Jailkit after ISP, so I'd like to have a confirmation that it is safe to do.
     
  7. Jesse Norell (Well-Known Member)

    If jk_init works manually, I wouldn't guess that uninstalling/reinstalling would help any. I don't know if running update.php from ISPConfig's install tarball again and reconfiguring services would help (@till should know), but it's sure worth a try (eg. maybe the plugins-enabled links need created).

    After reconfiguring ispconfig services as above, if it's still a problem, the next step would be to set up debugging in ispconfig (see the post pinned to the top of this forum) to try to track down why ispconfig isn't running jk_init, or is trying to run it and unable to.
     
  8. The plot thickens: When I wrote the post, my last 2 new sites (and clients) had the issue.
    Today I added a new client/website and, like for the 2 others, I set the shell without Jailkit.
    Later on, after reading your post, I had an impulse and set this latest shell user to Jailkit and ... it worked as it did before. All usual folders are created and I'm again able to set CRON jobs for this site.

    Given that, I tried to set the 2 other users on Jailkit but ... no luck! Those don't want to work! I even tried to delete/recreate the shell user, but still no luck.

    And yes, I updated ISPConfig on that server too. Really weird!
     
  9. Jesse Norell (Well-Known Member)

    One thought is to check if maybe those two are set immutable (lsattr /var/www/clients/client#/web#/) and compare to working ones; maybe they are immutable, then you changed that setting in ispconfig so website roots aren't made immutable before acting on them or something?

    Other than that, check the password file entries for those, and try running jk_init manually to setup some jailkit sections for exactly those directories (ie. /var/www/clients/client#/web#/) and see if you get errors.
     
  10. I checked the "immutable" and there is no difference between the "working" clients and the others.
    I tried then to run jk_init manually and got this error:

    Traceback (most recent call last):
      File "/usr/sbin/jk_init", line 247, in <module>
        main()
      File "/usr/sbin/jk_init", line 244, in main
        activateConfig(config, jail, args)
      File "/usr/sbin/jk_init", line 162, in activateConfig
        ji.handle_cfg_section(config,jail,cfg,section)
      File "/usr/sbin/jk_init", line 99, in handle_cfg_section
        self.handle_cfg_section(config,chroot,cfg,tmp)
      File "/usr/sbin/jk_init", line 108, in handle_cfg_section
        self.didfiles = jk_lib.copy_binaries_and_libs(chroot, paths2, config['force'], config['verbose'], 1, try_hardlink=config['hardlink'],try_glob_matching=1,handledfiles=self.didfiles)
      File "/usr/share/jailkit/jk_lib.py", line 642, in copy_binaries_and_libs
        create_parent_path(chroot,os.path.dirname(file), be_verbose, copy_permissions=1, allow_suid=allow_suid, copy_ownership=retain_owner)
      File "/usr/share/jailkit/jk_lib.py", line 464, in create_parent_path
        os.mkdir(jailpath, 0755)
    OSError: [Errno 13] Permission denied: '/var/www/clients/client10/web25/lib'

    The command was:
    jk_init -j /var/www/clients/client10/web25 ssh
     
  11. Jesse Norell (Well-Known Member)

    Compare ownership/permissions on /var/www/clients/client10/web25/ and /var/www/clients/client10/web25/lib to working versions. Does /var/www/clients/client10/web25/lib exist? (If not, can you simply "mkdir /var/www/clients/client10/web25/lib"?) Do you have selinux running?
     
  12. SELinux is not running.
    /var/www/clients/client10/web25/lib does not exist and I can't create it, even connected as root:
    mkdir: cannot create directory ‘/var/www/clients/client10/web25/lib’: Permission denied
     
  13. Jesse Norell (Well-Known Member)

    Check the obvious, i.e. permissions on the /var/www/clients/client10/web25/ directory (and maybe verify *again* that there's no immutable flag set?). Beyond that... maybe filesystem corruption? You could try renaming web25 to something else, then create a new web25 and copy all the files over (and re-mount the logs directory afterwards).
     
  14. Thanks for your help. I think I will leave it that way for the moment and wait for Debian 9 to be released, then transfer these sites to a new Debian 9 server. I'm not used to using Ubuntu and I find it trickier to configure.
    Thanks again for your time.
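
The ownership, permission and attribute comparison suggested in the replies above, as an added shell example that is not part of the original thread. It inspects the directory itself with `lsattr -d` (plain `lsattr DIR/` lists the entries inside it); the function names are made up for this example and the two paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: compare a failing web root with a working one (read-only).
# Assumes GNU stat (Debian/Ubuntu); lsattr and findmnt are optional.

# Flag field of `lsattr -d` for the directory itself, "n/a" if unsupported.
dir_attrs() {
    out=$(lsattr -d "$1" 2>/dev/null) || { echo "n/a"; return 0; }
    echo "${out%% *}"
}

# Return 0 if a flag string such as "----i---------e--" includes immutable.
has_immutable() {
    case "$1" in *i*) return 0 ;; *) return 1 ;; esac
}

# Mount options of the filesystem holding the path, "n/a" without findmnt.
mount_opts() {
    findmnt -no OPTIONS -T "$1" 2>/dev/null || echo "n/a"
}

# One line with everything that decides whether mkdir inside $1 can work.
describe() {
    printf 'owner=%s mode=%s attrs=%s mount=%s\n' \
        "$(stat -c %U:%G "$1")" "$(stat -c %a "$1")" \
        "$(dir_attrs "$1")" "$(mount_opts "$1")"
}

# Usage: compare_web_roots FAILING WORKING
# Returns 0 if both match, 1 if they differ, 2 if either is not a directory.
compare_web_roots() {
    if [ ! -d "$1" ] || [ ! -d "$2" ]; then
        echo "both arguments must be existing directories" >&2
        return 2
    fi
    failing=$(describe "$1")
    working=$(describe "$2")
    echo "failing: $failing"
    echo "working: $working"
    if has_immutable "$(dir_attrs "$1")"; then
        echo "note: $1 is immutable; new entries are refused even for root"
    fi
    case ",$(mount_opts "$1")," in
        *,ro,*) echo "note: $1 is on a read-only mount" ;;
    esac
    [ "$failing" = "$working" ]
}

if [ "$#" -eq 2 ]; then compare_web_roots "$1" "$2"; fi
```

Run it as root with the failing web root first and a working one second; any field that differs between the two printed lines is the place to look.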
     
