"service jailkit status" says the jailkit is running, but when a jailkit user tries to log in with SSH the login terminates immediately. Switching the user's Chroot Shell to None makes login work, but then there is no jail. No errors in syslog or the cron log.

Code:
May 1 18:31:43 email systemd-logind[884]: New session 290321 of user web8.
May 1 18:31:43 email systemd: pam_unix(systemd-user:session): session opened for user web8 by (uid=0)
May 1 18:31:44 email jk_chrootsh[23082]: now entering jail /var/www/clients/client1/web8 for user (5005) with arguments
May 1 18:31:44 email jk_chrootsh[23082]: ERROR: failed to execute shell /bin/bash for user (5005), check the permissions and libraries of /var/www/clients/client1/web8//bin/bash
May 1 18:31:44 email sshd[23028]: pam_unix(sshd:session): session closed for user
May 1 18:31:44 email systemd-logind[884]: Removed session 290321.
May 1 18:31:44 email systemd: pam_unix(systemd-user:session): session closed for user web8

It looks like bash isn't executable in my jailkit. Did I miss this as part of the installation procedure, or do I need to follow another procedure to set this up?
Probably your jk_init.ini needs a little tweaking for your OS to set up bash correctly. What OS are you running?
Please post the output of:

Code:
ls -la /var/www/clients/client1/web8/bin/bash

and which OS you use (as @Jesse Norell asked already).
OS: Ubuntu 16.04.4 LTS

/bin/bash does not exist in the client folder. I'll check the jk_init to see if anything jumps out at me.
jk_init.ini:

Code:
[uidbasics]
# this section probably needs adjustment on 64bit systems
# or non-Linux systems
comment = common files for all jails that need user/group information
libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf

[netbasics]
comment = common files for all jails that need any internet connectivity
libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2
regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols

[logbasics]
comment = timezone information
regularfiles = /etc/localtime
need_logsocket = 1

[jk_lsh]
comment = Jailkit limited shell
executables = /usr/sbin/jk_lsh
regularfiles = /etc/jailkit/jk_lsh.ini
users = root
groups = root
need_logsocket = 1
includesections = uidbasics

[limitedshell]
comment = alias for jk_lsh
includesections = jk_lsh

[cvs]
comment = Concurrent Versions System
executables = /usr/bin/cvs
devices = /dev/null

[git]
comment = Fast Version Control System
executables = /usr/bin/git*
directories = /usr/share/git-core
includesections = editors

[scp]
comment = ssh secure copy
executables = /usr/bin/scp
includesections = netbasics, uidbasics
devices = /dev/urandom

[sftp]
comment = ssh secure ftp
executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null

[ssh]
comment = ssh secure shell
executables = /usr/bin/ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty

[rsync]
executables = /usr/bin/rsync
includesections = netbasics, uidbasics

[procmail]
comment = procmail mail delivery
executables = /usr/bin/procmail, /bin/sh
devices = /dev/null

[basicshell]
comment = bash based shell with several basic utilities
executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat
regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile
directories = /usr/lib/locale/en_US.utf8
users = root
groups = root
includesections = uidbasics

[midnightcommander]
comment = Midnight Commander
executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview
directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc
includesections = basicshell

[extendedshell]
comment = bash shell including things like awk, bzip, tail, less
executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usr/bin/whoami
includesections = basicshell, midnightcommander, editors

[editors]
comment = vim, joe and nano
executables = /usr/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico
regularfiles = /etc/vimrc
directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo

[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
includesections = netbasics, ssh, sftp, scp

[apacheutils]
comment = htpasswd utility
executables = /usr/bin/htpasswd

[extshellplusnet]
comment = alias for extendedshell + netutils + apacheutils
includesections = extendedshell, netutils, apacheutils

[openvpn]
comment = jail for the openvpn daemon
executables = /usr/sbin/openvpn
users = root,nobody
groups = root,nogroup
includesections = netbasics
devices = /dev/urandom, /dev/random, /dev/net/tun
includesections = netbasics, uidbasics
need_logsocket = 1

[apache]
comment = the apache webserver, very basic setup, probably too limited for you
executables = /usr/sbin/apache
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics

[perl]
comment = the perl interpreter and libraries
executables = /usr/bin/perl
directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5

[xauth]
comment = getting X authentication to work
executables = /usr/bin/X11/xauth
regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf

[xclients]
comment = minimal files for X clients
regularfiles = /usr/X11R6/lib/X11/rgb.txt
includesections = xauth

[vncserver]
comment = the VNC server program
executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc
directories = /usr/X11R6/lib/X11/fonts/
includesections = xclients

#[xterm]
#comment = xterm
#executables = /usr/bin/X11/xterm
#directories = /usr/share/terminfo, /etc/terminfo
#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
I don't have jailkit on Ubuntu 16.04 offhand, but IIRC bash inside jails broke when I updated from Debian jessie to stretch and I had to add this to the above basicshell section:

Code:
paths = /dev/tty, /usr/lib/x86_64-linux-gnu/gconv/, /usr/share/locale/locale.alias

It's been a little while, but I believe that was determined via a mix of Google searches and running bash under strace to see what files it opened, then ensuring they were in the jail. You might try adding that, then just re-run jk_init again to copy things:

Code:
jk_init -j /var/www/clients/client1/web8 basicshell
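A check script for the procedure described in the reply above (make sure every file bash needs exists under the jail root, then re-run jk_init), added here as an example; it is not code from this thread, from ISPConfig or from the jailkit project. It resolves the shared libraries of the host's /bin/bash with ldd, which covers the "libraries" half of the jk_chrootsh error, and checks a fixed list of the runtime files the reply found via strace. The file list, the function names, the JAIL variable and the temporary sample jail used for testing are assumptions for illustration, not anything jailkit defines.

```shell
#!/bin/sh
# Added example (not from the thread or from jailkit): report which files a
# jail lacks for the basicshell section. JAIL, the file list and the function
# names below are assumptions for illustration.

# Runtime files bash needs, as listed in the reply's amended [basicshell]
# section, plus the shell binaries themselves and two profile files.
# Deliberately unquoted later so the shell splits it into one path per word.
BASICSHELL_FILES="/bin/bash /bin/sh /dev/tty /usr/lib/x86_64-linux-gnu/gconv /usr/share/locale/locale.alias /etc/bash.bashrc /etc/profile"

# jail_missing JAIL PATH... - print each PATH that does not exist under JAIL.
# Returns 0 when nothing is missing, 1 otherwise. "$jail/$p" produces the same
# doubled slash jk_chrootsh logs (web8//bin/bash); consecutive slashes resolve
# to the same file, so that is harmless.
jail_missing() {
    jail="$1"; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$jail/$p" ]; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# jail_libs_missing JAIL EXE - resolve EXE's shared libraries on the host with
# ldd and print those absent from JAIL. Returns 0 when all are present or when
# ldd is unavailable (nothing can be resolved then), 1 otherwise.
jail_libs_missing() {
    jail="$1"; exe="$2"
    command -v ldd >/dev/null 2>&1 || return 0
    rc=0
    # ldd prints lines such as "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x..)"
    # and "/lib64/ld-linux-x86-64.so.2 (0x..)"; keep only the absolute paths.
    for lib in $(ldd "$exe" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        if [ ! -e "$jail/$lib" ]; then
            echo "$lib"
            rc=1
        fi
    done
    return $rc
}

# jail_bash_ok JAIL [HOST_EXE] - 0 if JAIL/bin/bash is executable and every
# library of HOST_EXE (default /bin/bash on the host) is present inside JAIL.
jail_bash_ok() {
    jail="$1"; host_exe="${2:-/bin/bash}"
    [ -x "$jail/bin/bash" ] || return 1
    jail_libs_missing "$jail" "$host_exe" >/dev/null
}

# Usage: JAIL=/var/www/clients/client1/web8 sh check_jail.sh
if [ -n "${JAIL:-}" ]; then
    echo "Files missing from $JAIL:"
    jail_missing "$JAIL" $BASICSHELL_FILES
    echo "Libraries of /bin/bash missing from $JAIL:"
    jail_libs_missing "$JAIL" /bin/bash
    if jail_bash_ok "$JAIL"; then
        echo "bash should start inside $JAIL"
    else
        echo "bash will fail; add the missing paths to jk_init.ini, then run: jk_init -j $JAIL basicshell"
    fi
fi
```

Each path the script prints is a candidate for the section's paths line before re-running jk_init; files bash opens only at runtime (gconv tables, locale.alias, /dev/tty) never show up in ldd output, which is why the reply's strace step is still needed to discover any beyond the list here.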
Last week I updated ISPConfig to 3.2 and installed some OS updates. Ubuntu 18.04 LTS. Since then I have the same error:

Code:
Nov 13 15:55:20 ibcaju04 jk_chrootsh[24928]: now entering jail /var/www/clients/client1/web5 for user web_admin (1005) with arguments -c /usr/lib/openssh/sftp-server
Nov 13 15:55:20 ibcaju04 jk_chrootsh[24928]: ERROR: failed to execute shell /bin/bash for user web_admin (1005), check the permissions and libraries of /var/www/clients/client1/web5//bin/bash

Is it correct to have a // in the path? On the client side (FileZilla) I get the error

Code:
Error: FATAL ERROR: Received unexpected end-of-file from SFTP server
Error: Connecting to the server failed

The strange thing is that not all users have this issue.
If I add a slash at the end of the "base dir" in the options of the shell user (/var/www/clients/client1/web5/), then my error message is

Code:
ERROR: failed to execute shell /bin/bash for user web_admin (1005), check the permissions and libraries of /var/www/clients/client1/web5///bin/bash