chroot problem?

Discussion in 'General' started by ang3lx, Sep 22, 2014.

  1. ang3lx

    ang3lx Member

    Hello,
    Some hours ago I logged into the FTP account of a website and found some directories under /var/www/clients/clientX/webXX/:
    backup bin cgi-bin dev etc lib lib64 log private ssl tmp usr var web webdav

    All these directories are visible from FTP. At first I thought that my box was hacked, but it seems that the directories are created by the chroot system.
    What happened? How can I delete them? What action created them? I have not added any chroot user.

    Thanks in advance.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    These directories belong to the chroot environment of the website. They get added when you add a shell user or cronjob. Do not delete them as they are required for this site.
     
  3. ang3lx

    ang3lx Member

    Thanks for the reply.

    I noticed another thing.
    I tried to create a chrooted SSH user. All works fine, the user can log in through SSH.
    Afterwards I deleted it, but he can log in and the directories are still here.

    No errors in the log:

     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The user is removed from /etc/passwd and /etc/shadow. The directories don't get removed.
     
  5. ang3lx

    ang3lx Member

    I checked both files and it seems that the user is still in /etc/passwd and /etc/shadow. SSH access was not deleted.

    OS: Ubuntu 14.04.1 LTS
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    And you have ISPConfig 3.0.5.4p3 installed?
     
  7. ang3lx

    ang3lx Member

    yes, 3.0.5.4p3
     
  8. ang3lx

    ang3lx Member

    UPDATE

    I tried to delete the SSH user manually and I got this message:

    process 971


    To delete the user, I had to stop php-fpm first and then run the userdel command.
     
    Last edited: Sep 23, 2014
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses this command to remove a user which should work even if there are running processes:

    killall -u mixcreativoideaprofumi; userdel -f mixcreativoideaprofumi
     
  10. ang3lx

    ang3lx Member

    Yes, I see it in the source code, but it seems that sometimes it doesn't work.

    I repeated the whole process:

    1) create jail user mixcreativotest (ispconfig logs ok - no errors)
    2) delete jail user mixcreativotest (ispconfig logs ok - no errors)
    3) check /etc/passwd and /etc/shadow. user mixcreativotest is still here
    4) try manual command killall -u mixcreativotest; userdel -f mixcreativotest

    5) second time try - manual command killall -u mixcreativotest; userdel -f mixcreativotest
    6) ok, ssh user deleted
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't have this issue here, but my test server is quite fast and has no CPU load. Maybe the killing of the process takes some time, so the userdel is executed too early.
     
  12. ang3lx

    ang3lx Member

    My server has good hardware too
    Intel(R) Xeon(R) CPU E5-1620 v2 @ 3.70GHz with 64gb ram


    When I run the command "killall -u mixcreativotest; userdel -f mixcreativotest"
    I think that the process restarts before the userdel command (in fact the PID changes).

    However, for now I solved it (dirty solution :( ) by editing the file shelluser_jailkit_plugin.inc.php

    and adding two exec() commands.


    Do you think it is a good idea to do a while loop over /etc/passwd, matching the line with escapeshellcmd($data['old']['username']), and run exec($command); until the user is really deleted? :confused:
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    In the end it's a bug of userdel, as the force argument should really force a deletion, as described in the manpage. I guess I will have to write a new routine for user removal that works directly on the files instead of using userdel.
     
  14. ang3lx

    ang3lx Member

    Yes, the man page talks about -f to force killing even with active processes (Ubuntu 14.04 bug???).
    It is quite important to fix it, since the SSH users in ISPConfig are deleted and closed but the users can still get access.

    Thanks for your time, waiting for an official fix.
     
  15. non7top

    non7top New Member

    I think it is more reliable to use killall -9, as the processes may not get killed by a simple killall.
    Or at least lock the user before deleting it with something like chsh -s /sbin/nologin username.
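
The removal sequence discussed in this thread, with the two suggestions from the last replies applied (lock the account before deleting, use SIGKILL) plus a check of the passwd file after each attempt. This is an added example, not ISPConfig's code and not part of any post; the function names, the PASSWD_FILE and KILL_WAIT variables and the /usr/sbin/nologin path are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not ISPConfig code): revoke a shell user so that a failed
# or raced userdel never leaves a working login behind.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"   # assumption: overridable for testing

# Succeeds if the account still has an entry in the passwd file.
account_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# Lock, kill, delete, verify. Returns 0 once the entry is gone, 1 if it
# survived every attempt (still locked), 2 if the account could not be locked.
remove_shell_user() {
    local user="$1" tries="${2:-5}" i=1
    account_exists "$user" || return 0

    # 1) Block new logins first: lock the password, expire the account and
    #    swap the shell (shell path is an assumption, it varies by distro).
    usermod -L -e 1 -s /usr/sbin/nologin "$user" || return 2

    while [ "$i" -le "$tries" ]; do
        # 2) SIGKILL everything the user owns; pkill exits 1 when nothing
        #    matched, which is fine. Respawned workers are hit next round.
        pkill -KILL -u "$user" || true
        sleep "${KILL_WAIT:-1}"
        # 3) Delete, then 4) check the file instead of trusting exit codes.
        userdel -f "$user" || true
        account_exists "$user" || return 0
        i=$((i + 1))
    done
    return 1
}

# Usage (as root): remove_shell_user mixcreativotest || echo "ALERT: still present" >&2
```

A return value of 1 means the entry is still in the passwd file but the account is already locked and expired, so the caller can raise an alert instead of logging a successful deletion.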
     
