Hello, some hours ago I logged into the FTP account of a website and found some directories under /var/www/clients/clientX/webXX/: backup bin cgi-bin dev etc lib lib64 log private ssl tmp usr var web webdav. All these directories are visible from FTP. At first I thought that my box was hacked, but it seems that the directories are created by the chroot system. What happened? How can I delete them? What action created them? I have not added any chroot user. Thanks in advance.
These directories belong to the chroot environment of the website. They get added when you add a shell user or cronjob. Do not delete them as they are required for this site.
Thanks for the reply. I noticed another thing. I tried to create a chrooted SSH user. All works fine, the user can log in through SSH. Afterwards I deleted it, but he can log in and the directories are still here. No errors in the log:
I checked both files and it seems that the user is still in /etc/passwd and /etc/shadow. SSH access was not deleted. OS: Ubuntu 14.04.1 LTS
UPDATE: I tried to delete the SSH user manually and I got this message: process 971. To delete the user, I had to stop php-fpm first and then run the userdel command.
ISPConfig uses this command to remove a user which should work even if there are running processes: killall -u mixcreativoideaprofumi; userdel -f mixcreativoideaprofumi
Yes, I see it in the source code, but it seems that sometimes it won't work. I went through the whole process again:
1) create jail user mixcreativotest (ispconfig logs ok - no errors)
2) delete jail user mixcreativotest (ispconfig logs ok - no errors)
3) check /etc/passwd and /etc/shadow. user mixcreativotest is still here
4) try manual command killall -u mixcreativotest; userdel -f mixcreativotest
5) second time try - manual command killall -u mixcreativotest; userdel -f mixcreativotest
6) ok, ssh user deleted
I don't have this issue here, but my test server is quite fast and has no CPU load. Maybe the killing of the process takes some time, so the userdel is executed too early.
My server has good hardware too: Intel(R) Xeon(R) CPU E5-1620 v2 @ 3.70GHz with 64 GB RAM. When I run the command "killall -u mixcreativotest; userdel -f mixcreativotest" I think that the process restarts before the userdel command (in fact the PID changes). However, for now I solved it (dirty solution) by editing the file shelluser_jailkit_plugin.inc.php and adding two exec() commands. Do you think it is a good idea to do a while loop over /etc/passwd, matching the line with escapeshellcmd($data['old']['username']), and run exec($command); until the user is really deleted?
In the end it's a bug of userdel, as the force argument should really force a deletion, as described in the manpage. I guess I will have to write a new routine for user removal that works directly on the files instead of using userdel.
Yes, the man page talks about -f to force killing even with active processes (Ubuntu 14.04 bug???). It is quite important to fix it, since the SSH users in ISPConfig are deleted and closed but the users can still access. Thanks for your time, waiting for an official fix.
I think it is more reliable to use killall -9, as the processes may not get killed by a simple killall. Or at least lock the user before deleting it with something like chsh -s /sbin/nologin username.
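
The suggestions made across this thread (lock the account first, kill with SIGKILL, repeat userdel until the passwd entry is really gone), combined as an added shell example; it is not part of the original posts and not ISPConfig's code. The function names, the retry count and the nologin path are assumptions.

```shell
#!/bin/sh
# Added example: remove a shell user and confirm the account is really gone.
# NOLOGIN_SHELL is an assumed path; adjust it for the distribution in use.
NOLOGIN_SHELL="${NOLOGIN_SHELL:-/usr/sbin/nologin}"

# True while the account is still present in the passwd database.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# remove_shell_user USER [MAX_TRIES]   (hypothetical helper, run as root)
# Returns 0 once USER is absent from passwd, 1 if it still exists after
# MAX_TRIES attempts or cannot be locked, 2 if no user name was given.
remove_shell_user() {
    user="$1"
    max_tries="${2:-5}"
    [ -n "$user" ] || return 2

    # Nothing to do if the account is already gone.
    user_exists "$user" || return 0

    # 1) Block new logins first, so a reconnect or respawn cannot win the
    #    race: lock the password, expire the account, swap the shell.
    usermod -L -e 1 -s "$NOLOGIN_SHELL" "$user" || return 1

    try=1
    while [ "$try" -le "$max_tries" ]; do
        # 2) SIGKILL everything still running under the user's UID.
        pkill -KILL -u "$user" 2>/dev/null || true
        # 3) Attempt the deletion; a failure here is caught by step 4.
        userdel -f "$user" 2>/dev/null || true
        # 4) Trust the passwd database, not userdel's exit status.
        user_exists "$user" || return 0
        try=$((try + 1))
        sleep 1
    done
    return 1
}
```

A non-zero return means the account still exists, and with it possible SSH access, so the caller should log it as a failed deletion instead of reporting success.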