Wrong user:group for Jailkit shell folders

Discussion in 'ISPConfig 3 Priority Support' started by unsichtbare, Dec 8, 2019.

  1. unsichtbare

    unsichtbare Member HowtoForge Supporter

    In relation to this thread I noticed that when I create a chroot shell user with Jailkit, some of the the files contained in sub-directories of /var/www/domain.tld/ (/usr/bin, /usr/sbin, /var, /run, /lib64, etc.) are created and not owned by the correct user (in this example web34:client18), but rather by another user (web40:client21). This is true also with the same user (web40:client21) when I create a new site and enable chroot shell with Jailkit
    Here is an example:
    Code:
    [email protected]:/var/www/mydomain.tld# ls -la
    total 76
    drwxr-xr-x 19 root  root     4096 Dec  8 15:25 .
    drwxr-xr-x  3 root  root     4096 Aug 30 21:05 ..
    -rwxr-x---  1 web34 client18    0 Dec  8 15:25 .bash_history
    -rw-r--r--  1 web34 client18    0 Dec  8 15:25 .profile
    drwx------  2 web34 client18 4096 Dec  8 15:25 .ssh
    drwxr-xr-x  2 root  root     4096 Dec  8 15:25 bin
    drwxr-xr-x  2 web34 client18 4096 Feb 11  2018 cgi-bin
    drwxr-xr-x  2 root  root     4096 Dec  8 15:25 dev
    drwxr-xr-x  6 root  root     4096 Dec  8 15:25 etc
    drwxr-xr-x  4 web34 client18 4096 Dec  8 15:25 home
    drwxr-xr-x  4 root  root     4096 Dec  8 15:25 lib
    drwxr-xr-x  2 root  root     4096 Dec  8 15:25 lib64
    drwxr-xr-x  2 root  root     4096 Dec  8 06:28 log
    drwx--x---  2 web34 client18 4096 Feb 11  2018 private
    drwxr-xr-x  3 root  root     4096 Dec  8 15:25 run
    drwxr-xr-x  2 root  root     4096 Aug 30 21:05 ssl
    drwxrwxrwx  2 web34 client18 4096 Dec  8 11:12 tmp
    drwxr-xr-x  6 root  root     4096 Dec  8 15:25 usr
    drwxr-xr-x  3 root  root     4096 Dec  8 15:25 var
    drwx--x--x  9 web34 client18 4096 Nov  3 04:02 web
    drwx--x---  2 web34 client18 4096 Aug 30 21:05 webdav
    [email protected]:/var/www/mydomain.tld# ls -la /usr
    total 108
    drwxr-xr-x  10 root root  4096 Aug 29 20:08 .
    drwxr-xr-x  23 root root  4096 Aug 29 19:54 ..
    drwxr-xr-x   2 root root 53248 Sep 26 11:39 bin
    drwxr-xr-x   2 root root  4096 Apr 12  2016 games
    drwxr-xr-x  39 root root  4096 Aug 29 19:59 include
    lrwxrwxrwx   1 root root    24 Aug 29 20:08 jk_init.ini -> /etc/jailkit/jk_init.ini
    lrwxrwxrwx   1 root root    27 Aug 29 20:08 jk_socketd.ini -> /etc/jailkit/jk_socketd.ini
    drwxr-xr-x  76 root root  4096 Aug 29 19:59 lib
    drwxr-xr-x  11 root root  4096 Aug 29 20:10 local
    drwxr-xr-x   2 root root 20480 Sep 26 11:39 sbin
    drwxr-xr-x 188 root root  4096 Aug 29 20:02 share
    drwxr-xr-x   6 root root  4096 Jun 18 06:46 src
    [email protected]:/var/www/mydomain.tld# ls -la /usr/bin
    total 326676
    drwxr-xr-x  2 root   root        53248 Sep 26 11:39  .
    drwxr-xr-x 10 root   root         4096 Aug 29 20:08  ..
    -rwxr-xr-x  1 root   root           96 Jul  9 16:51  2to3-2.7
    -rwxr-xr-x  1 root   root        10104 Apr 23  2016  411toppm
    lrwxrwxrwx  1 root   root           11 May 21  2019  GET -> lwp-request
    lrwxrwxrwx  1 root   root           11 May 21  2019  HEAD -> lwp-request
    lrwxrwxrwx  1 root   root           22 Aug 29 18:02  Mail -> /etc/alternatives/Mail
    lrwxrwxrwx  1 root   root            4 Dec  4  2017  NF -> col1
    lrwxrwxrwx  1 root   root           11 May 21  2019  POST -> lwp-request
    ...
    -rwxr-xr-x  1 root   root       153944 Aug 22  2017  aspell
    -rwxr-xr-x  1 root   root         2044 Aug 22  2017  aspell-import
    -rwsr-sr-x  1 daemon daemon      51464 Feb 20  2018  at
    -rwxr-xr-x  1 root   root        18296 Apr 23  2016  atktopbm
    lrwxrwxrwx  1 root   root            2 Feb 20  2018  atq -> at
    ...
    -rwxr-xr-x  1 root   root        39096 Jan 18  2018  base32
    -rwxr-xr-x  1 root   root        39096 Jan 18  2018  base64
    -rwxr-xr-x  5 web40  client21    35000 Jan 18  2018  basename
    -rwxr-xr-x  1 root   root         7115 Jun  6  2019  bashbug
    -rwxr-xr-x  1 root   root          152 Feb 20  2018  batch
    ...
    -rwxr-xr-x  1 root   root        10232 Jan 17  2018  bsd-from
    -rwxr-xr-x  1 root   root       108792 Apr 14  2017  bsd-mailx
    -rwxr-sr-x  1 root   tty         14328 Jan 17  2018  bsd-write
    -rwxr-xr-x  1 root   root        67672 Sep  5 03:59  busctl
    -rwxr-xr-x  1 root   root         8264 Dec  4  2017  byobu
    ...
    -rwxr-xr-x  1 root   root          380 Apr 20  2018  cftp3
    lrwxrwxrwx  1 root   root           10 Apr 25  2016  chacl -> /bin/chacl
    -rwxr-sr-x  1 root   shadow      71816 Mar 22  2019  chage
    lrwxrwxrwx  1 root   root           11 Jun 18  2017  chardet3 -> chardetect3
    -rwxr-xr-x  1 root   root          389 Jun 18  2017  chardetect3
    ...
    -rwxr-xr-x  1 root   root       157800 Apr  4  2019  clamscan
    -rwxr-xr-x  1 root   root       137312 Apr  4  2019  clamsubmit
    -rwxr-xr-x  5 web40  client21    10240 May 23  2018  clear
    -rwxr-xr-x  1 root   root        10312 Jun  6  2019  clear_console
    -rwxr-xr-x  1 root   root        47200 Aug  4  2017  cmp
    ...
    lrwxrwxrwx  1 root   root            6 Feb 26  2018  ctstat -> lnstat
    -rwxr-xr-x  1 root   root       223304 Sep  6 05:27  curl
    -rwxr-xr-x  5 web40  client21    43224 Jan 18  2018  cut
    -rwxr-xr-x  1 root   root       246616 Apr  3  2018  daemon
    -rwxr-xr-x  1 root   root         1380 Feb 14  2018  dbilogstrip
    ...
    -rwxr-xr-x  1 root   root        63704 Aug  4  2017  diff3
    -rwxr-xr-x  1 root   root       150024 Aug  7 14:43  dig
    -rwxr-xr-x  5 web40  client21    47296 Jan 18  2018  dircolors
    -rwxr-xr-x  1 root   root       546360 Jan 10  2019  dirmngr
    -rwxr-xr-x  1 root   root       109320 Jan 10  2019  dirmngr-client
    -rwxr-xr-x  5 web40  client21    30904 Jan 18  2018  dirname
    lrwxrwxrwx  1 root   root           25 Aug 29 19:35  display -> /etc/alternatives/display
    lrwxrwxrwx  1 root   root           29 Aug 29 19:35  display-im6 -> /etc/alternatives/display-im6
    ...
    
     
  2. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Some additional info:
    folders outside of /var/www seem to be affected as well, for example here is the content of /usr/share/vim80:
    Code:
    [email protected]:/usr/share/vim/vim80# ls -la
    total 520
    drwxr-xr-x 17 root  root      4096 Jun 18 06:46 .
    drwxr-xr-x  5 root  root      4096 Jun 18 06:46 ..
    drwxr-xr-x  4 root  root      4096 Jun 18 06:46 autoload
    -rw-r--r--  5 web40 client21  1955 Jun  6  2019 bugreport.vim
    drwxr-xr-x  2 root  root      4096 Jun 18 06:46 colors
    drwxr-xr-x  2 root  root     12288 Jun 18 06:46 compiler
    -rw-r--r--  5 web40 client21  2064 Jun  6  2019 debian.vim
    -rw-r--r--  5 web40 client21  4120 Jun  6  2019 defaults.vim
    -rw-r--r--  5 web40 client21   645 Jun  6  2019 delmenu.vim
    drwxr-xr-x  2 root  root     20480 Jun 18 06:46 doc
    -rw-r--r--  5 web40 client21  2248 Jun  6  2019 evim.vim
    -rw-r--r--  5 web40 client21 56051 Jun  6  2019 filetype.vim
    -rw-r--r--  5 web40 client21   280 Jun  6  2019 ftoff.vim
    drwxr-xr-x  2 root  root     24576 Jun 18 06:46 ftplugin
    -rw-r--r--  5 web40 client21   971 Jun  6  2019 ftplugin.vim
    -rw-r--r--  5 web40 client21   337 Jun  6  2019 ftplugof.vim
    -rw-r--r--  5 web40 client21  1599 Jun  6  2019 gvimrc_example.vim
    drwxr-xr-x  2 root  root     20480 Jun 18 06:46 indent
    -rw-r--r--  5 web40 client21   767 Jun  6  2019 indent.vim
    -rw-r--r--  5 web40 client21   282 Jun  6  2019 indoff.vim
    drwxr-xr-x  2 root  root     12288 Jun 18 06:46 keymap
    drwxr-xr-x 40 root  root     20480 Jun 18 06:46 lang
    drwxr-xr-x  6 root  root      4096 Jun 18 06:46 macros
    -rw-r--r--  5 web40 client21 39461 Jun  6  2019 menu.vim
    -rw-r--r--  5 web40 client21  3399 Jun  6  2019 mswin.vim
    -rw-r--r--  5 web40 client21 59323 Jun  6  2019 optwin.vim
    drwxr-xr-x  3 root  root      4096 May  9  2018 pack
    drwxr-xr-x  2 root  root      4096 Jun 18 06:46 plugin
    drwxr-xr-x  2 root  root      4096 Jun 18 06:46 print
    -rw-r--r--  5 web40 client21 17780 Jun  6  2019 rgb.txt
    -rw-r--r--  5 web40 client21 11367 Jun  6  2019 scripts.vim
    drwxr-xr-x  2 root  root      4096 Jun 18 06:46 spell
    -rw-r--r--  5 web40 client21 36975 Jun  6  2019 synmenu.vim
    drwxr-xr-x  2 root  root     69632 Jun 18 06:46 syntax
    drwxr-xr-x  2 root  root     12288 Jun 18 06:46 tutor
    -rw-r--r--  5 web40 client21  1491 Jun  6  2019 vimrc_example.vim
    [email protected]:/usr/share/vim/vim80#
     
    Last edited: Dec 8, 2019
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    They need to be owned by root.

    - update -

    Ok, missed the part that they are outside of root. Did you use jailkit manually somehow? Did you check the user web40 in the password file, anything unusual with its homedir path in that file?
     
    Last edited: Dec 9, 2019
  4. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Yesterday I went through root level directories one at a time (/bin, /sbin, /usr (except /var/www/)) and changed all files outside that were owned by web40:client21 using this command:
    Code:
    find . -user web40 -exec chown root:root {} \;
    I still have many files in various other /var/www/clients/clientX/webY folders belonging to web40, here is an example:
    Code:
    [email protected]:/var/www/clients/client1/web7# find . -user web40
    ./usr/lib/x86_64-linux-gnu/liblwres.so.160.0.1
    ./usr/lib/x86_64-linux-gnu/libdns.so.1100.1.1
    ./usr/lib/x86_64-linux-gnu/libbind9.so.160.0.6
    ./usr/lib/x86_64-linux-gnu/libisc.so.169.0.1
    ./usr/lib/x86_64-linux-gnu/libisccfg.so.160.1.2
    ./usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0
    ./usr/bin/host
    ./lib/x86_64-linux-gnu/libexpat.so.1.6.7
    ./lib/x86_64-linux-gnu/libuuid.so.1.3.0
    ./lib/x86_64-linux-gnu/libnss_systemd.so.2
    ./bin/more
    ./bin/fgrep
    ./bin/grep
    ./bin/egrep
    
    Can I change these to root:root as well, or should they be the correct webX:clientY?
    Here are the relevant lines from /etc/passwd:
    Code:
    web40:x:5029:5021::/var/www/clients/client21/web40/./home/web40:/usr/sbin/jk_chrootsh
    jqpublic:x:5029:5021::/var/www/clients/client21/web40/./home/jqpublic:/usr/sbin/jk_chrootsh
    THX
    -JB
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    These must be owned by root user as well.

    This looks fine. I've no ida how that could happen, have not seen that on another system yet.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, maybe one idea. Did you maybe run a chown -r inside that web in the past on all directories and files instead of just the 'web' directory?
     
  7. unsichtbare

    unsichtbare Member HowtoForge Supporter

    No. I haven't chown'd in years, not usually a need for it.

    I did use migration toolkit for this site, is there any way that could affect things.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    No, I don't think so.
     
  9. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Here is an example of a folder:
    Code:
    [email protected]:/var/www/clients/client1/web7/bin# ls -la
    total 3852
    drwxr-xr-x  2 web7  client1     4096 Aug 30 21:06 .
    drwxr-xr-x 19 web7  client1     4096 Aug 30 21:06 ..
    -rwxr-xr-x  5 root  root     1113504 Jun  6  2019 bash
    -rwxr-xr-x  5 root  root       35064 Jan 18  2018 cat
    -rwxr-xr-x  5 root  root       59608 Jan 18  2018 chmod
    -rwxr-xr-x  5 root  root      141528 Jan 18  2018 cp
    -rwxr-xr-x  4 root  root      157224 Dec  2  2017 cpio
    -rwxr-xr-x  5 root  root      100568 Jan 18  2018 date
    -rwxr-xr-x  5 root  root       76000 Jan 18  2018 dd
    -rwxr-xr-x  5 root  root       35000 Jan 18  2018 echo
    -rwxr-xr-x  3 web40 client21      28 Jul 12  2017 egrep
    -rwxr-xr-x  5 root  root       30904 Jan 18  2018 false
    -rwxr-xr-x  3 web40 client21      28 Jul 12  2017 fgrep
    -rwxr-xr-x  3 web40 client21  219528 Jul 12  2017 grep
    -rwxr-xr-x 10 root  root        2301 Apr 28  2017 gunzip
    -rwxr-xr-x  5 root  root      101560 Apr 28  2017 gzip
    -rwxr-xr-x  5 root  root      170760 Dec  1  2017 less
    -rwxr-xr-x  5 root  root        8564 Dec  1  2017 lesspipe
    -rwxr-xr-x  5 root  root       67808 Jan 18  2018 ln
    -rwxr-xr-x  5 root  root      133792 Jan 18  2018 ls
    -rwxr-xr-x  5 root  root       80056 Jan 18  2018 mkdir
    -rwxr-xr-x  5 root  root       43192 Jan 18  2018 mktemp
    -rwxr-xr-x  3 web40 client21   38952 Oct 15  2018 more
    -rwxr-xr-x  5 root  root      137440 Jan 18  2018 mv
    -rwxr-xr-x  5 root  root      245872 Mar  6  2018 nano
    -rwxr-xr-x  5 root  root       35000 Jan 18  2018 pwd
    -rwxr-xr-x  5 root  root       63704 Jan 18  2018 rm
    -rwxr-xr-x  5 root  root       43192 Jan 18  2018 rmdir
    -rwxr-xr-x  5 root  root      109000 Jan 30  2018 sed
    lrwxrwxrwx  1 web7  client1        4 Aug 30 21:06 sh -> bash
    -rwxr-xr-x  5 root  root       35000 Jan 18  2018 sleep
    -rwxr-xr-x  5 root  root       35000 Jan 18  2018 sync
    -rwxr-xr-x  5 root  root      423312 Jan 21  2019 tar
    -rwxr-xr-x  5 root  root       88280 Jan 18  2018 touch
    -rwxr-xr-x  5 root  root       30904 Jan 18  2018 true
    -rwxr-xr-x 10 root  root        2301 Apr 28  2017 uncompress
    -rwxr-xr-x  5 root  root        1937 Apr 28  2017 zcat
    [email protected]:/var/www/clients/client1/web7/bin#
    
    Could I simply migrate the site to a new account, delete web40:client21 entirely and then on the entire /var/www/clients/:
    Code:
    find . -user web40 -exec chown root:root {} \;
    THX
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    No, because your find command will fail as soon as the user is removed. These steps might work:

    1) Backup the website files.
    2) Use the find command to fix the ownership of files.
    3) Delete the website and recreate it. in case that ispconfig rejects to remove the website folder when you delete the site, remove it manually.
     

Share This Page