Server details
OS: Ubuntu 16.04.6 LTS
ISPConfig: 3.1.15p3

I'm having some issues with creating jailed shell users. The process I have been doing is as follows:

1. Log in to ISPConfig dashboard
2. Go to Sites and add a new website
3. Go to Shell-User and Add a new shell user
4. Fill in settings and change chroot shell to jailkit
5. Save

This all runs smoothly and the user is added to /etc/passwd,

Code:
defaultssh:x:5026:5012::/var/www/clients/client0/web25/./home/defaultssh:/usr/sbin/jk_chrootsh

However, when I go to log in via ssh, I am able to connect but the connection is closed right away,

Code:
Apr 5 14:11:41 cserv1 sshd[28698]: pam_unix(sshd:session): session opened for user defaultssh by (uid=0)
Apr 5 14:11:42 cserv1 jk_chrootsh[28737]: now entering jail /var/www/clients/client0/web25 for user defaultssh (5026) with arguments
Apr 5 14:11:42 cserv1 jk_chrootsh[28737]: ERROR: failed to execute shell /bin/bash for user defaultssh (5026), check the permissions and libraries of /var/www/clients/client0/web25//bin/bash

Checking the /var/log/ispconfig/cron.log I came across this error "ERROR: /var/www/clients/client0/web25/var is not owned by root:root!", which I think is stopping the jail from initializing the bin directory for the user and why the login is failing.

I don't believe I've played around with any of the settings and I've just recently upgraded ISPConfig and let it reconfigure itself.

Could someone please help me with this?

ls -la .../client0/web25

Code:
total 52
drwxr-xr-x 13 root root 4096 Apr 5 13:39 .
drwxr-xr-x 4 root root 4096 Apr 5 13:38 ..
-rwxr-x--- 1 web25 client0 0 Apr 5 13:39 .bash_history
drwxr-xr-x 2 web25 client0 4096 Apr 5 13:38 cgi-bin
drwxr-xr-x 2 root root 4096 Apr 5 13:39 etc
drwxr-xr-x 4 root root 4096 Apr 5 13:39 home
drwxr-xr-x 2 root root 4096 Apr 5 13:38 log
drwx--x--- 2 web25 client0 4096 Apr 5 13:38 private
-rw-r--r-- 1 web25 client0 0 Apr 5 13:39 .profile
drwx------ 2 web25 client0 4096 Apr 5 13:39 .ssh
drwxr-xr-x 2 root root 4096 Apr 5 13:38 ssl
drwxrwxrwx 2 web25 client0 4096 Apr 5 13:38 tmp
drwx--x--x 4 web25 client0 4096 Apr 5 13:39 var
drwxr-x--x 4 web25 client0 4096 Apr 5 13:38 web
drwxr-xr-x 8 web25 client0 4096 Apr 5 13:38 website.git

/var/log/ispconfig/cron.log

Code:
Sun Apr 5 13:39:02 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:02 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_init -f -k -c /etc/jailkit/jk_init.ini -j '/var/www/clients/client0/web25' 'basicshell' 'editors' 'extendedshell' 'netutils' 'ssh' 'sftp' 'scp' 'groups' 'jk_lsh' - return code: 3
Sun Apr 5 13:39:02 +08 2020 05.04.2020-07:39 - DEBUG - chmod failed: /var/www/clients/client0/web25/bin : 493
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - Added jailkit chroot
Sun Apr 5 13:39:03 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/groups' - return code: 6
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:03 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/id' - return code: 6
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:03 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/dircolors' - return code: 6
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:03 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/lesspipe' - return code: 6
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:03 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/basename' - return code: 6
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:03 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/dirname' - return code: 6
Sun Apr 5 13:39:03 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:03 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/pico' - return code: 6
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:04 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/mysql' - return code: 6
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:04 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/mysqldump' - return code: 6
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:04 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/git' - return code: 6
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:04 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/git-receive-pack' - return code: 6
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:04 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/git-upload-pack' - return code: 6
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:04 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/unzip' - return code: 6
Sun Apr 5 13:39:04 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:05 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/zip' - return code: 6
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:05 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/bin/tar' - return code: 6
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:05 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/bin/rm' - return code: 6
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:05 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/usr/bin/patch' - return code: 6
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:05 +08 2020 ERROR: /var/www/clients/client0/web25/var is not owned by root:root!
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - safe_exec cmd: jk_cp -k '/var/www/clients/client0/web25' '/etc/localtime' - return code: 6
Sun Apr 5 13:39:05 +08 2020 05.04.2020-07:39 - DEBUG - Added programs to jailkit chroot
Sun Apr 5 13:39:05 +08 2020 PHP Warning: file_put_contents(/var/www/clients/client0/web25/etc/bash.bashrc): failed to open stream: No such file or directory in /usr/local/ispconfig/server/plugins-available/shelluser_jailkit_plugin.inc.php on line 297

The question is: why do you have a directory named var which is owned by the wrong user? Did you create that manually, or did you maybe create a host alias or subdomain in ISPConfig where you used the directory 'var'?

Hi Till, to be honest I don't know why there is a folder named var with the wrong owner. I've just tested now and it's created automatically whenever I create a website using the dashboard. I've tried with different clients and it is still created. I haven't created anything manually and I've checked aliases and subdomains and nothing is set.

If it's not ISPConfig creating the directory then my only thought is it could be the plugin which handles git for me (https://github.com/Rynoxx/ispconfig3-website-git). I'll investigate that now.

Do you have any ideas for the best way to track down the cause? Any specific logs etc.?

I've checked the source code of the plugin and I don't believe it's responsible.

Log record for making a new website from /var/log/ispconfig/cron.log

Code:
Sun Apr 5 16:07:01 +08 2020
Sun Apr 5 16:07:01 +08 2020
Sun Apr 5 16:07:01 +08 2020 05.04.2020-10:07 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
Sun Apr 5 16:07:01 +08 2020 05.04.2020-10:07 - DEBUG - Found 1 changes, starting update process.
Sun Apr 5 16:07:01 +08 2020 05.04.2020-10:07 - DEBUG - Calling function 'ssl' from plugin 'nginx_plugin' raised by event 'web_domain_insert'.
Sun Apr 5 16:07:01 +08 2020 05.04.2020-10:07 - DEBUG - Calling function 'insert' from plugin 'nginx_plugin' raised by event 'web_domain_insert'.
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: useradd -d '/var/www/clients/client3/web27' -g 'client3' -G sshusers 'web27' -s /bin/false - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - Adding the user: web27
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client3/web27' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: mkdir -p '/var/log/ispconfig/httpd/test7.arealurl.com' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: mount --bind '/var/log/ispconfig/httpd/test7.arealurl.com' '/var/www/clients/client3/web27/log' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client3/web27' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: ln -s '/var/www/clients/client3/web27/' '/var/www/test7.arealurl.com' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - Creating symlink: ln -s /var/www/clients/client3/web27/ /var/www/test7.arealurl.com
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: ln -s '/var/www/clients/client3/web27/' '/var/www/clients/client3/test7.arealurl.com' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - Creating symlink: ln -s /var/www/clients/client3/web27/ /var/www/clients/client3/test7.arealurl.com
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: cp '/usr/local/ispconfig/server/conf/error/en/'* '/var/www/clients/client3/web27/web//error/' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chmod -R a+r '/var/www/clients/client3/web27/web//error/' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: cp '/usr/local/ispconfig/server/conf/index/standard_index.html_en' '/var/www/clients/client3/web27/web//index.html' - return code: 0
Sun Apr 5 16:07:02 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: cp '/usr/local/ispconfig/server/conf/index/favicon.ico' '/var/www/clients/client3/web27/web//' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: cp '/usr/local/ispconfig/server/conf/index/robots.txt' '/var/www/clients/client3/web27/web//' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chmod -R a+r '/var/www/clients/client3/web27/web//' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client3/web27'|awk 'END{print $2,$NF}' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: setquota -u 'web27' '0' '0' 0 0 -a &> /dev/null - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: setquota -T -u 'web27' 604800 604800 -a &> /dev/null - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chown -R 'web27':'client3' '/var/www/clients/client3/web27/web/' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chown 'web27':'client3' '/var/www/clients/client3/web27/web/' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client3/web27' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: usermod --groups sshusers 'web27' 2>/dev/null - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client3/web27' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: touch '/var/log/ispconfig/httpd/test7.arealurl.com/error.log' - return code: 0
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - SSL Disabled. test7.arealurl.com
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - Writing the vhost file: /etc/nginx/sites-available/test7.arealurl.com.vhost
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - Creating symlink: /etc/nginx/sites-enabled/100-test7.arealurl.com.vhost->/etc/nginx/sites-available/test7.arealurl.com.vhost
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - Created AWStats config file: /etc/awstats/awstats.test7.arealurl.com.conf
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - Restarting php-fpm: systemctl reload php7.0-fpm.service
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - nginx status is: running
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
Sun Apr 5 16:07:03 +08 2020 05.04.2020-10:07 - DEBUG - Checking nginx configuration...
Sun Apr 5 16:07:04 +08 2020 05.04.2020-10:07 - DEBUG - nginx configuration ok!
Sun Apr 5 16:07:04 +08 2020 05.04.2020-10:07 - DEBUG - Restarting httpd: systemctl restart nginx.service
Sun Apr 5 16:07:04 +08 2020 05.04.2020-10:07 - DEBUG - nginx restart return value is: 0
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - nginx online status after restart is: running
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - Calling function 'insert' from plugin 'website_git' raised by event 'web_domain_insert'.
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: which git
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client3/web27' - return code: 0
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: /usr/bin/git --bare init '/var/www/clients/client3/web27/website.git'
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: /usr/bin/git --work-tree='/var/www/clients/client3/web27/web' --git-dir='/var/www/clients/client3/web27/website.git' config user.name "web27"
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: /usr/bin/git --work-tree='/var/www/clients/client3/web27/web' --git-dir='/var/www/clients/client3/web27/website.git' config user.email "web27@client3"
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: /usr/bin/git --work-tree='/var/www/clients/client3/web27/web' --git-dir='/var/www/clients/client3/web27/website.git' add -A
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: /usr/bin/git --work-tree='/var/www/clients/client3/web27/web' --git-dir='/var/www/clients/client3/web27/website.git' commit -m "Initial commit"
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: /usr/bin/git --work-tree='/var/www/clients/client3/web27/web' --git-dir='/var/www/clients/client3/web27/website.git' config user.name "'web27'"
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: /usr/bin/git --work-tree='/var/www/clients/client3/web27/web' --git-dir='/var/www/clients/client3/web27/website.git' config user.email "'web27@client3'"
Sun Apr 5 16:07:06 +08 2020 05.04.2020-10:07 - DEBUG - exec: chown 'web27':'client3' '/var/www/clients/client3/web27/website.git' -R
Sun Apr 5 16:07:07 +08 2020 05.04.2020-10:07 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client3/web27' - return code: 0
Sun Apr 5 16:07:07 +08 2020 05.04.2020-10:07 - DEBUG - Processed datalog_id 1022
Sun Apr 5 16:07:07 +08 2020 05.04.2020-10:07 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
Sun Apr 5 16:07:07 +08 2020 finished.

Looks like you are right. I just disabled the plugin and no var directory is created. I'm surprised because I thought the plugin just initiated a git repo for /web, but for some reason it also creates a copy of my /var/clients/clientx/webx/

I'll look more into it and see if I can remove it.

Thanks for the help Till
If you can't avoid that the var directory gets created, then you must at least add some code to the plugin to chown it to root user.
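
A pre-flight audit for the condition discussed in this thread, as an added example that is not part of the original posts and is not jailkit, ISPConfig or plugin code. It flags jail directories that are not owned by root:root (the cron.log error above) and, as an extra check assumed here, ones writable by group or others. The names audit_listing, audit_jail, JAIL_DIRS and SAMPLE are hypothetical, the directory list is an assumption, the sample is constructed from the ls -la listing in the first post, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the system directories of a jailkit chroot for the
# condition in the cron.log error above ("is not owned by root:root!").
# JAIL_DIRS is an assumed list for illustration, not jailkit's own.
JAIL_DIRS="bin dev etc lib lib64 sbin usr var"

# Constructed sample in "owner:group mode path" form, based on the
# ls -la listing in the first post (drwx--x--x web25 client0 var -> 711).
SAMPLE='root:root 755 /var/www/clients/client0/web25
root:root 755 /var/www/clients/client0/web25/etc
web25:client0 711 /var/www/clients/client0/web25/var'

# Read "owner:group octal-mode path" lines on stdin and print one finding
# per problem. Exit status is 0 when every entry is safe, 1 otherwise.
audit_listing() {
    awk '
    BEGIN { bad = 0 }
    NF >= 3 {
        owner = $1; mode = $2
        path = $0; sub(/^[^ ]+ +[^ ]+ +/, "", path)   # keep spaces in paths
        g = substr(mode, length(mode) - 1, 1) + 0      # group permission digit
        o = substr(mode, length(mode), 1) + 0          # other permission digit
        if (owner != "root:root") { print "OWNER " path " " owner; bad = 1 }
        # write permission is the 2-bit of each octal digit
        if (int(g / 2) % 2 || int(o / 2) % 2) { print "WRITABLE " path " " mode; bad = 1 }
    }
    END { exit bad }'
}

# Stat the jail root and each existing JAIL_DIRS entry (GNU stat), then audit.
audit_jail() {
    jail=$1
    {
        stat -c '%U:%G %a %n' "$jail"
        for d in $JAIL_DIRS; do
            if [ -d "$jail/$d" ]; then stat -c '%U:%G %a %n' "$jail/$d"; fi
        done
    } | audit_listing
}

# With a jail path argument, audit it; otherwise run on the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
else
    printf '%s\n' "$SAMPLE" | audit_listing || true
fi
```

Run it with a website directory as the argument before adding a jailed shell user; an OWNER line for var is the state that made jk_init and jk_cp fail in the log above.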