problem creating jailed shell users

Discussion in 'General' started by tspau, Jul 18, 2011.

  1. tspau

    tspau New Member

    hello

    i have an ispconfig 3 installed following the guide at:

    http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3

    i have setup in a client:

    Max. number of Shell users: 5
    SSH-Chroot Options: Jailkit

    and then i've created a shell user for this client, setting:

    Chroot Shell: Jailkit

    but i can't access to shell with that user, and in my /etc/passwd i've got:

    testshell:x:5030:5029::/var/www/clients/client32/web62/./home/testshell:/bin/false

    why is the shell configured to /bin/false? i did something wrong?
     
  2. till

    till Super Moderator

    It may take a few minutes until the shell user gets created and activated. Please check the jobqueue in the monitor if there are any pending jobs and the syslog in the monitor for errors.
     
  3. tspau

    tspau New Member

    hello.

    i've noticed it takes a while to create the users, but now there's nothing on the job queue, and the user is added to /etc/passwd.

    the funny thing is that is added with a /bin/false shell:

    satsh:x:5037:5035::/var/www/clients/client49/web84/./home/satsh:/bin/false

    if i create another user without been jailed (chroot shell: none), it's created with a /bin/bash shell:

    satrt:x:5037:5035::/var/www/clients/client49/web84:/bin/bash

    and i can login with this user, with access to all file system
     
  4. tspau

    tspau New Member

    i have installed ispconfig in another server, and jailkit works fine.

    i think the only differences between the testing server and my production site are this:

    -in the production server, where didn't work jailkit, /home is a soft link to /usr/home:

    lrwxrwxrwx 1 root root 10 abr 16 2010 home -> /usr/home/

    -in production server, quota is not enabled (don't have the /quota.user and /quota.group files).


    maybe one of these differences could be the reason to fail jailkit?
     
  5. till

    till Super Moderator

    You can try to debug the creaztion of jailed users on your server:

    1) disable the server.sh cronjob in the root crontab.
    2) Create a new jailed ssh user in ispconfig.
    3) Enable loglevel debug in ISPConfig under System > server config
    4) run this script as root un the shell:

    /usr/local/ispconfig/server/server.sh
     
  6. tspau

    tspau New Member

    i keep working on it:

    in my production server, when i create a jailed shell user, no jailed /bin carpet is created, only an /etc carpet whit a void passwd.

    i've copied the /bin and /etc from a jailed user from my testing server, editing etc/group and etc/passwd with the data of the local user.

    also i've changed the shell of the jailed user from /bin/false to /usr/sbin/jk_chrootsh

    when i've tried to login, in auth.log i get:

    Jul 19 15:18:11 mysite su[11866]: Successful su for satsh by root
    Jul 19 15:18:11 mysite su[11866]: + pts/0 root:satsh
    Jul 19 15:18:11 mysite su[11866]: pam_unix(su:session): session opened for user satsh by sshuser(uid=0)
    Jul 19 15:18:11 mysite jk_chrootsh[11867]: abort, the current dir is /usr/var/www/clients/client49/web84 after chdir(/var/www/clients/client49/web84), but it should be /var/www/clients/client49/web84
    Jul 19 15:18:11 mysite su[11866]: pam_unix(su:session): session closed for user satsh

    ok, my /var is a softlink to /usr/var, so in ispconfig panel, i've changed at system -> server config -> web: all references from /var/... to /usr/var/...

    i try to create a new user, site and shell user, but still is not created the jailed /bin neither /etc and in /etc/passwd the shell is still /bin/false

    :-(

    i try again to copy the bin and etc from a jail of my test server (editig /etc/group and /etc/passwd) and if i try to log now, auth.log shows:


    Jul 19 16:09:03 mysite su[18609]: Successful su for tssatshell by root
    Jul 19 16:09:03 mysite su[18609]: + pts/1 root:tssatshell
    Jul 19 16:09:03 mysite su[18609]: pam_unix(su:session): session opened for user tssatshell by sshuser(uid=0)
    Jul 19 16:09:03 mysite jk_chrootsh[18610]: now entering jail /usr/var/www/clients/client50/web85 for user tssatshell (5037)
    Jul 19 16:09:03 mysite jk_chrootsh[18610]: ERROR: failed to execute shell /bin/bash for user tssatshell (5037), check the permissions and libraries of /usr/var/www/clients/client50/web85//bin/bash
    Jul 19 16:09:03 mysite su[18609]: pam_unix(su:session): session closed for user tssatshell

    any help?
     
  7. till

    till Super Moderator

    Please do what I suggested to you in #5 if you want to debug the problem.

    I guess the problem is that var/www is a symlink to /usr/var/www (and not only /home as you mentioned above) which is a security breach for jailkit so jailkit disables the user.

    I recommend that you reinstall the server if you want to use jailkit so that /var/www and /home/www are no symlinks, they have to be real directorys or partitions. As alternative you can try to mount /var/www instead of using a symlink.
     
    Last edited: Jul 19, 2011
  8. tspau

    tspau New Member

    hello

    i don't understand where i have to disable the cronjob server.sh, is not in my cron.d :confused:

    running that script (without disablen the cronjob) only shows:

    19.07.2011-16:24 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    19.07.2011-16:24 - DEBUG - No Updated records found, starting only the core.
    19.07.2011-16:24 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
     
  9. till

    till Super Moderator

    The root crontab can be edited with the command:

    crontab -e
     
  10. tspau

    tspau New Member

    hello.

    this is the output:
    # /usr/local/ispconfig/server/server.sh
    25.07.2011-16:09 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    25.07.2011-16:09 - DEBUG - Found 1 changes, starting update process.
    25.07.2011-16:09 - DEBUG - Call function 'insert' in plugin 'shelluser_base_plugin' raised by event 'shell_user_insert'.
    25.07.2011-16:09 - DEBUG - Executed command: useradd -d /usr/var/www/clients/client50/web85 -g client50 -o -p \$1\$98v/TGom\$qbB.4U/S2CwJwjFe4hKYn0 -s /bin/bash -u 5037 tssatxell
    25.07.2011-16:09 - DEBUG - Added shelluser: tssatxell
    25.07.2011-16:09 - DEBUG - Disabling shelluser temporarily: usermod -s /bin/false -L tssatxell
    25.07.2011-16:09 - DEBUG - Call function 'insert' in plugin 'shelluser_jailkit_plugin' raised by event 'shell_user_insert'.
    25.07.2011-16:09 - DEBUG - exec: chmod 755 /usr/var/www/clients/client50/web85
    25.07.2011-16:09 - DEBUG - exec: chown root:root /usr/var/www/clients/client50/web85
    usermod: sin cambios
    25.07.2011-16:09 - DEBUG - Added jailkit user to chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_user.sh tssatxell /usr/var/www/clients/client50/web85 /home/tssatxell /bin/bash web85 /home/web85
    25.07.2011-16:09 - DEBUG - Added created jailkit user home in : /usr/var/www/clients/client50/web85/home/tssatxell
    25.07.2011-16:09 - DEBUG - Added created jailkit parent user home in : /usr/var/www/clients/client50/web85/home/web85
    25.07.2011-16:09 - DEBUG - exec: chmod 755 /usr/var/www/clients/client50/web85
    25.07.2011-16:09 - DEBUG - exec: chown root:root /usr/var/www/clients/client50/web85
    25.07.2011-16:09 - DEBUG - Jailkit Plugin -> insert username:tssatxell
    25.07.2011-16:09 - DEBUG - Processed datalog_id 2054
    25.07.2011-16:09 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.


    and now in /etc/passwd:

    tssatxell:x:5037:5036::/usr/var/www/clients/client50/web85/./home/tssatxell:/usr/sbin/jk_chrootsh

    but if i run su tssatxell it doesn't log, and in /var/log/auth.log:

    Jul 25 16:12:27 myserver su[4295]: Successful su for tssatxell by root
    Jul 25 16:12:27 myserver su[4295]: + pts/0 root:tssatxell
    Jul 25 16:12:27 myserver su[4295]: pam_unix(su:session): session opened for user tssatxell by sshuser(uid=0)
    Jul 25 16:12:27 myserver jk_chrootsh[4296]: now entering jail /usr/var/www/clients/client50/web85 for user tssatxell (5037)
    Jul 25 16:12:27 myserver jk_chrootsh[4296]: ERROR: failed to execute shell /bin/bash for user tssatxell (5037), check the permissions and libraries of /usr/var/www/clients/client50/web85//bin/bash
    Jul 25 16:12:27 myserver su[4295]: pam_unix(su:session): session closed for user tssatxell
     
  11. tspau

    tspau New Member

    hello.

    if i try to run jk_init from the shell, i've got this error:

    # jk_init -v -j /usr/var/www/clients/client6/web8 basicshell
    ERROR: /usr/var/www/clients/client6/web8 is not owned by root:root!

    ERROR: jail directory basicshell is not safe

    Usage: /usr/sbin/jk_init [OPTIONS]
    Usage: /usr/sbin/jk_init [OPTIONS] -j jaildir sections...

    -h --help : this help screen
    -c, --configfile=FILE : specify configfile location
    -l, --list : list all available sections in the configfile
    -j, --jail= : specify the jail to use.
    For backwards compatibility, if no jail is specified, the first
    argument after the options will be used as jail
    -v, --verbose : show what is being done
    -f, --force : force overwriting of existing files
    -k, --hardlink : use hardlinks if possible


    would it work if i copy the content of /usr/var to a new disk and mounted trough fstab so /var it's a mount point, not a symlink?

    thanks!
     
  12. andrercmeira

    andrercmeira New Member

    I have same problem, i try chown bin, etc, var, dev, usr in /var/www/clients/client1/web1/

    but not affect, continue without chroot in user...
     
  13. till

    till Super Moderator

    The problem discussed in this thraed is that a jailed user can not login, according to your other thread, your problem is that the shell user is not jailed. So I guess your problem is not related to this thread here.

    You can check that in /etc/passwd, if the shell of the jailed user is /bin/false, then your problem might be related to this. If the shell is not /bin/false, then you have a different problem.

    Please do not post to other threads if you opened already a thread for your problem.
     
: jailkit

Share This Page