Jailkit user new files are owned by root

Discussion in 'Installation/Configuration' started by ItsDom, Jun 6, 2013.

  1. ItsDom

    ItsDom New Member

    Hi.

    I'm running ISPconfig 3.0.5.2 on CentOS 6.4 which I installed and setup following approximately this: http://www.howtoforge.com/perfect-server-centos-6.4-x86_64-nginx-dovecot-ispconfig-3

    On the server, /mnt/data points to a cifs share on another machine, then /srv is a bind mount to /mnt/data/server/srv

I've got jailkit setup, but whenever I connect through it (shell user "domshell") and try and create a file using vim somewhere I'm allowed to (such as private which is domshell:client9) and try and write to it, I get "Can't open linked file for writing" and it won't let me save.

But when I force close without saving, it shows the file has been created but owned by root:root and it's empty. Obviously because it's now owned by root, and I'm logged in as a jailed shell user, the file becomes read-only for me. It's not just vim either, this stops me doing everything - I'm trying to install composer through the jailed shell as a test, but when downloading the composer file, it does the same - mentions permission issues, fails, but still creates the file 0kb with root:root as the owner.

    Could this be because /mnt/data is mounted as root? If so, is there a way round it, so that the owner of a new file is the person logged into the jailkit shell? Ideal situation would be a shell user can log in and create files in places he's allowed (such as private and web) and they're created and owned by him.

Thanks in advance

    Dom
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

I haven't seen this behaviour yet on a server, so it might be related to cifs. Maybe you can try to create a directory on the local disk owned by domshell:client9, then mount this with mount --bind somewhere into the directory tree of that website and create a file with vim there to see if it works when the directory is not on cifs.
     
  3. ItsDom

    ItsDom New Member

You appear to be right. I created /opt/test on the web server and bind mounted that into private from domshell client and it behaved normally as it should (e.g. I could create files as a jailed user).


So now we've concluded it's probably CIFS, any suggestion on how to achieve what I'm trying to do (effectively have /clients/ folder on another server) and still be able to have a functioning chroot jail?

    I've just tried doing the sharing from the file server using NFSv4, and that has similar issues (it insists on creating the files with the permission of the user which mounts the filesystem rather than the logged in jailkit user)

    This must be possible surely....? I imagine any reliable corporate system probably separates storage from front facing servers?

I appreciate I'm getting a bit beyond the realms of ISPconfig support and more into general linux networking though :/


Thanks in advance.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

It should be possible to use jailkit on a remote filesystem, not sure about cifs but with nfs it should work. Maybe it's a problem with mount options.

As that's a very specific question and I don't know the exact internals on how the jailkit shell works when it accesses the filesystem, I recommend to ask this question in parallel on the jailkit mailing list.
     
  5. ItsDom

    ItsDom New Member

    Okay, thanks.

From what I can figure out, it's a feature. It is because it's mounted as root. I'm guessing when ispconfig creates the /clientx/webx/web folder (or another folder that is owned by the client, not root) when the user is setup, they are created and then chmod'd to webx:clientx.

    The "correct" way of dealing with my situation would be to create a separate mount for each user and setting e.g. the mount options gid=client9 gid and uid=domshell uid for the client9 folder I think so that when files are created in a session by the domshell they're defaulted to domshell:client9.

    After all, if I chmod the files as root back over to domshell:client9 I can edit them through the jailed shell.

If I were to insert some code to mount the clientx folder as it's created, and once it has been created and populated, automatically remount it with the new gid and uid - where would you suggest I put such code....?
     
    Last edited: Jun 6, 2013
  6. till

    till Super Moderator Staff Member ISPConfig Developer

The folders are created in the apache / or nginx plugin. The plugins are located in /usr/local/ispconfig/server/plugins-available/


Instead of editing an existing plugin it might be better to create a new plugin which creates the folders before the apache plugin is called. If a folder exists already, the apache plugin will just skip creating it.

Make a new plugin which subscribes to the web_domain_insert event to create the folders and mount them. The plugin name must be alphabetically before the apache2 plugin to ensure that it is called before the apache plugin. To activate a plugin, make a symlink from the plugins-enabled folder to the plugin file in the plugins-available folder.

    For debugging server plugins, see first post in ispconfig general forum.
     
  7. ItsDom

    ItsDom New Member

    Brilliant, thank you very much - I'll look into that now
     
  8. ItsDom

    ItsDom New Member

Okay, so I decided against creating a plugin to mount shares for each user. This is because I'd have to have 4 mount points for each directory to be owned by the user (private, web, cgi-bin and tmp) and it's only possible to have 255 mount points per filesystem type (http://serverfault.com/questions/46457/any-problems-with-many-nfs-mounts)

    For the sake of my setup, I can't see myself having more than 255/4 clients, but I'd like to know that I can if I wanted to.

I found that within smb.conf for the share, if you add "inherit permissions = true" then new file permissions will be copied from the parent directory which is pretty much what I need.

    However, I've now hit other problems getting php-cli and mysql to play friendly with jailkit - I'll create a new thread for that shortly as I'm not sure it's really related to this same issue (although there's a chance it could be...)
     
  9. ItsDom

    ItsDom New Member

    Just a follow up to this. I realised that despite inheriting the correct user, new files had the wrong group.

    Because it had the correct user, everything seemed to run fine but I didn't do any thorough testing.

    I managed to force it to set the same group on a new file by setting the sticky group id bit on the required directory:

    Code:
    chmod g+s /path/to/folder
    The sticky group id bit on a directory makes it so that new files/folders created in it get the same group. For more info on the sticky bit, and how to recursively apply it to sub folders that already exist, see http://en.wikipedia.org/wiki/Setgid#setuid_and_setgid_on_directories

    For some reason, this wouldn't work from a samba client - I had to do it on the actual file server.
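The setgid-directory behaviour described in this post, as an added example that is not part of the thread: it applies g+s to directories only (a plain chmod -R would also mark files), then checks that a new file and a new subdirectory under an existing folder inherit the directory's group and that the subdirectory keeps the setgid bit. It assumes a Linux host with GNU coreutils (stat -c) and builds its own temporary tree, so it is meant to be run on the file server itself rather than through a Samba client.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux + GNU coreutils.
set -eu

# Apply the setgid bit to every directory in a tree, directories only,
# so existing plain files are left alone.
apply_setgid_dirs() {
    find "$1" -type d -exec chmod g+s {} +
}

# Numeric gid of a path.
gid_of() {
    stat -c '%g' "$1"
}

# Return 0 when a new file and a new subdirectory created inside $1 get the
# directory's group, and the new subdirectory also carries the setgid bit.
check_inheritance() {
    dir=$1
    want=$(gid_of "$dir")
    touch "$dir/newfile"
    mkdir "$dir/newdir"
    [ "$(gid_of "$dir/newfile")" = "$want" ] || return 1
    [ "$(gid_of "$dir/newdir")" = "$want" ] || return 1
    # %A is the symbolic mode, e.g. drwxrwsr-x; the 7th character is the
    # group-execute slot, which shows 's' or 'S' when setgid is set.
    case "$(stat -c '%A' "$dir/newdir")" in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed tree standing in for a client's "private" folder.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/private/existing"
    apply_setgid_dirs "$root/private"
    if check_inheritance "$root/private/existing"; then rc=0; else rc=1; fi
    rm -rf "$root"
    return $rc
}
```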
     