Does anyone have any tutorial for this? Is it possible and relatively easy to do without breaking the system for current ISPconfig users?
I am also interested in information on how to do this. Does anyone have any information on how to do this without affecting ISPConfig? Thanks.
Take a look here: http://www.howtoforge.com/forums/showthread.php?t=6370&highlight=chroot+ssh+ispconfig
Hi falko, Thanks for your reply, however that howto talks about the chroot limiting users to /home/chroot. I wish to be able to set up my server so that when each ISPconfig user logs in, they are limited to their /var/www/webx/ directory, and cannot go outside of this. Obviously the root account should be able to go anywhere. Any hints? Thanks.
Please install the chroot as described in the howto that falko posted. The setup is the same if you want to chroot to /home/chroot or to the user directories in ISPConfig. Then enable chrooting in ISPConfig in the file /home/admispconfig/ispconfig/config.inc.php. By the way, you will find many posts that tell you the same when you search the forum for the word chroot.
Hello, I've just discovered that my shell users aren't chrooted. Yikes! Anyhow, I followed the Howto that Falko pointed to and all seemed to go well, but I'm not getting the desired behaviour. None of my users can log in - they are all greeted with a /bin/bash file or directory does not exist error when they try to log in. I have enabled the chroot option in config.inc.php and bash does exist in /chroot/home/bin. I have restarted both ssh and ispconfig_server. My users from /etc/passwd look like this:
Code:
test.domain:x:1008:1013:test:/var/www/web13/user/test.domain/./:/bin/bash
which looks right to me in that the '.' appears in the right place. I'm not sure why ISPConfig is putting a :/bin/bash after it, though, but I'm not a chroot expert by any means so that may be correct. The user in question has the shell access option checked under his user settings and the web in question has shell access enabled as well. Any idea where I'm going wrong? Thanks!
Edit: ISPConfig 2.2.11
Only new users are chrooted or users that have been edited. You must also make sure that you really enabled chrooting in the config.inc.php file.
config.inc.php:
Code:
$go_info["server"]["ssh_chroot"] = 1;
As posted, a typical new or edited user looks like:
Code:
test.domain:x:1008:1013:test:/var/www/web13/user/test.domain/./:/bin/bash
Yet, when this user attempts to log in, he is punted with a:
Code:
/bin/bash: No such file or directory
error.
Code:
hyperion:/home/chroot/bin# pwd
/home/chroot/bin
hyperion:/home/chroot/bin# ls -al
total 868
drwxr-sr-x 2 root staff   4096 Mar  9 10:11 .
drwxr-sr-x 8 root staff   4096 Mar  9 10:10 ..
-rwxr-xr-x 1 root staff 625228 Mar  9 10:11 bash
-rwxr-xr-x 1 root staff  75948 Mar  9 10:11 ls
-rwxr-xr-x 1 root staff  20888 Mar  9 10:11 mkdir
-rwxr-xr-x 1 root staff  55340 Mar  9 10:11 mv
-rwsr-xr-x 1 root staff  30764 Mar  9 10:11 ping
-rwxr-xr-x 1 root staff  13848 Mar  9 10:11 pwd
-rwxr-xr-x 1 root staff  30712 Mar  9 10:11 rm
Each chrooted user's home directory contains the same files as listed above. That all looks right, but the user cannot find bash when he logs in. I am kind of confused about the use of the chrooted /etc/passwd and group files. ISPConfig doesn't update them when I create or edit new users, rather it updates the system proper /etc/passwd and group files. Is that correct behaviour? Thanks!
The directory /home/chroot/bin is not of interest for ISPConfig, as the users were chrooted to their home directory, which is not /home/chroot/. Please post ls -la from the home directory of one of the users. Yes. Because other users that you edit are not of interest for this chroot environment.
I just discovered that
Code:
user/test.jonwatson# ls -la
total 144
drwxr-xr-x 8 test.jonwatson web13  4096 Mar  9 10:17 .
drwxr-xr-x 4 me.jonwatson   web13  4096 Mar  9 10:17 ..
-rw-r--r-- 1 root           root    103 Mar 11 10:22 .antivirus.rc
-rw-r--r-- 1 root           root    788 Mar 11 10:22 .autoresponder.rc
-rw------- 1 test.jonwatson web13    24 Mar 11 10:22 .forward
-rw-r--r-- 1 root           root  67866 Mar 11 10:22 .html-trap.rc
-rw-r--r-- 1 root           root   3889 Mar 11 10:22 .local-rules.rc
-rw-r--r-- 1 root           root    204 Mar 11 10:22 .mailsize.rc
-rw-r--r-- 1 root           root    492 Mar 11 10:22 .procmailrc
-rw-r--r-- 1 root           root    656 Mar 11 10:22 .quota.rc
-rw-r--r-- 1 root           root   1151 Mar 11 10:22 .spamassassin.rc
-rw-r--r-- 1 root           root   2039 Mar 11 10:22 .user_prefs
-rw-r--r-- 1 root           root     32 Mar 11 10:22 .vacation.msg
drwx------ 5 test.jonwatson web13  4096 Mar  9 10:17 Maildir
drwxr-xr-x 2 root           root   4096 Mar  9 10:17 bin
drwxr-xr-x 2 root           root   4096 Mar  9 10:17 etc
drwxr-xr-x 3 root           root   4096 Mar  9 10:17 lib
drwxr-xr-x 4 root           root   4096 Mar  9 10:17 usr
drwxrwxr-x 2 test.jonwatson web13  4096 Mar  9 10:17 web
I've also tried changing ownership to test.jonwatson/web13 for all the bin, etc, lib...etc...files but that didn't help. Weird thing (to me) is that I can su to test.jonwatson from root with no problem. I just can't log on with the test.jonwatson account. Ah, OK, thanks.
Any ideas on this? I've just tried the same HOWTO on a fresh ISPConfig install and I get the same results. My newly chrooted users cannot log in. I received no errors during the HOWTO, and everything seems to be in the correct place. How do I troubleshoot this? Thanks!
I seem to have it working now. This text file helped me out. Seems I was missing some of the link libraries. http://www.danielclemente.com/amarok/chroot.txt I would like to know how ISPConfig knows which files to copy into each new user's chrooted home, though. I'd like to add some apps to the list. Can you tell me where that list is? Thanks!
And me again. I didn't test new users before I made my last post. New users are chrooted properly in the /etc/passwd file, but no files are moved into their home directories. Therefore, they get the same no /bin/bash error. I do have the chroot setting in the config.inc.php file set to 1. Seriously, this seems to be a pretty hot issue but there doesn't seem to be any resolution on it. Many people have followed the tutorial, but it doesn't seem as if anyone actually has chrooted users running. I hate to say it, but if I can't get chrooted users, I'm going to have to leave ISPConfig. I can't have users running all over each other's home directories. I know this isn't an ISPConfig issue specifically, but let's face it - chrooted users is a requirement in a shared hosting environment. Can someone (Till? Falko? Anyone?) definitely tell us how to do this or how to troubleshoot it? Thanks!
The howto and chrooting in ISPConfig works perfectly. Why does everyone always forget that people with a working setup don't post here in the forum, so it's natural that you find many posts about not working setups here... ISPConfig is downloaded and installed about 400 - 500 times a day and we have really few problems here in the forum compared to that number of installations! How to do this:
1) Install a SSH daemon that supports chrooting.
2) Enable chrooting in ISPConfig in the file /home/admispconfig/ispconfig/config.inc.php
3) Every newly created or updated user is chrooted by ISPConfig. ISPConfig runs the script /root/ispconfig/scripts/shell/create_chroot_env.sh automatically to copy the needed binaries and dependencies to the chroot environment.
That's true, I guess. No news is good news. I always try to come back to a forum and post when I have solved a problem but you're right if I didn't have a problem in the first place I wouldn't. It seems that the part that is failing for me is the create_chroot_env.sh script. As I stated, new users are created in the passwd file with the correct chroot indicator, but the binaries are not copied over to their home directory. When I attempt to manually run the create_chroot_env.sh file it fails with the following errors:
Code:
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libdl.so.2': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/librt.so.1': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libpthread.so.0': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libdl.so.2': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libdl.so.2': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libdl.so.2': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libdl.so.2': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libresolv.so.2': No such file or directory
cp: cannot create regular file `.//usr/lib/i686/cmov/libcrypto.so.0.9.8': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libutil.so.1': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libnsl.so.1': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libcrypt.so.1': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libdl.so.2': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libresolv.so.2': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/librt.so.1': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libpthread.so.0': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot create regular file `.//lib/tls/i686/cmov/libc.so.6': No such file or directory
I have already removed the code that puts the extra '/' in before the path.
I also notice that the directories where these files would be copied to are created in the /var/www/webX directory instead of the user's home directory. Is that right? I see that the script contains full paths so I don't think it matters what directory I am in when I run this script...does it? I suspect this is the last bit that I need to figure out and then it will all work.
The script contains this:
Code:
#!/bin/bash
#
# Usage: ./create_chroot_env username
#
# Here specify the apps you want in the environment
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/zip /bin/tar /usr/bin/dircolors"

# Sanity check
if [ "$1" = "" ] ; then
  echo " Usage: ./create_chroot_env username"
  exit
fi

# Obtain username and HomeDir (field 6 of the user's /etc/passwd entry)
CHROOT_USERNAME=$1
HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME" | cut -d':' -f 6`
cd $HOMEDIR

# Create directories, no one will do it for you
mkdir etc
mkdir bin
mkdir usr
mkdir usr/bin

# Create short version of /usr/bin/groups
# On some systems it requires /bin/sh, which is generally unnecessary in a chroot cage
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups

# Add some users to ./etc/passwd and ./etc/group
grep /etc/passwd -e "^root" -e "^$CHROOT_USERNAME" > etc/passwd
grep /etc/group -e "^root" -e "^$CHROOT_USERNAME" > etc/group

# Copy the apps and the related libs
for prog in $APPS; do
  cp $prog ./$prog
  # obtain a list of related libraries (third field of every ldd line)
  ldd $prog > /dev/null
  if [ "$?" = 0 ] ; then
    LIBS=`ldd $prog | awk '{ print $3 }'`
    for l in $LIBS; do
      mkdir ./`dirname $l` > /dev/null 2>&1
      cp $l ./$l
    done
  fi
done
I am running Debian 3.1 and ISPConfig 2.2.11. Thanks!
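The two cp failures above (cannot stat `(0xffffe000)' and cannot create regular file under lib/tls/i686/cmov) come from the library-copy loop: awk '{ print $3 }' turns the vDSO line "linux-gate.so.1 =>  (0xffffe000)" into a cp source, and mkdir without -p cannot create the nested target directory. The following is an added example of a library-copy step that handles both cases; it is not the ISPConfig create_chroot_env.sh, and the chroot root and program arguments are assumed.

```shell
#!/bin/sh
# Added example, not the ISPConfig script: copy a program plus the
# libraries ldd resolves for it into a chroot, handling the vDSO
# pseudo-entry and nested library directories.

# Read ldd output on stdin and print one absolute library path per line.
# A line is used only if it has a field starting with "/", so
#   "linux-gate.so.1 =>  (0xffffe000)"   (vDSO, no file to copy)
#   "libfoo.so.1 => not found"
# are dropped, while the bare loader line "/lib/ld-linux.so.2 (0x...)"
# and "libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x...)" are kept.
lib_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Copy program $2 and its libraries under chroot root $1, recreating the
# host directory layout (mkdir -p, so lib/tls/i686/cmov is created too).
install_into_chroot() {
    root=$1
    prog=$2
    mkdir -p "$root$(dirname "$prog")"
    cp "$prog" "$root$prog" || return 1
    # ldd fails on statically linked or non-ELF files: nothing more to copy.
    ldd "$prog" > /dev/null 2>&1 || return 0
    for lib in $(ldd "$prog" | lib_paths); do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib" || return 1
    done
}

# Usage (assumed arguments): sh copy_into_chroot.sh /var/www/web13/user/test.domain /bin/bash
if [ $# -eq 2 ]; then
    install_into_chroot "$1" "$2"
fi
```

Run it once per program in APPS from the chroot script's list; the loader line that the original awk '{ print $3 }' silently dropped is copied as well.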
Yes, sorry - a bad paste on my part. It is one line in my script. Question: I know that the chroot only affects new users after I have turned it on in the config.inc.php file, but can the site that the new users belong to exist before turning it on? I ask because since the files copy to the site's top directory perhaps the site itself has to be created after chrooting is turned on. Any truth to that? Thanks!