Chrooted SSH users are not able to log on

Discussion in 'Installation/Configuration' started by dbareiro, Jun 30, 2016.

  1. dbareiro

    dbareiro New Member

    Hi all!

    Apparently the chrooted SSH users are not able to log on. I'm using Debian GNU/Linux Jessie (8.5) with Jailkit 2.19. When reviewing /var/log/auth.log at the time that the users try to connect via SSH, is logged something as the following:

    Jun 27 15:37:57 ispconfig jk_chrootsh[19240]: path /var/www/clients/client1/web7/bin/ is group writable
    Jun 27 15:37:57 ispconfig jk_chrootsh[19240]: abort, /var/www/clients/client1/web7 is not a safe jail, check ownership and permissions.
    Adding the following to /usr/local/ispconfig/server/scripts/ solves the problem:

    chmod g-w $CHROOT_HOMEDIR/bin
    This was mentioned in the issue #3569 on May 20 2015, although it seems that is not yet implemented in the stable release.

    Kind regards,
    biforme likes this.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's a bug in Debian or Jailkit which has been introduced in the latest Debian or Jailkit version as it works fine in older versions of the OS and Jailkit and also fine in other OS, jailkit just copies the permissions that Debian has set as default for /bin which are wrong now according to the jailkit shell. I hoped that Debian or Jailkit fix this, but as this does not seem to be the case, then we will have to add a workaround for that.
  3. dbareiro

    dbareiro New Member

    Hi, Till.

    Thanks for your reply.There seems to be a difference in the permissions for stable compared to oldstable:
    root@pfc:~# cat /etc/debian_version
    root@pfc:~# ls -ld /bin/
    drwxr-xr-x 2 root root 4096 mar  6 16:14 /bin/
    root@ispconfig:/var/www/clients/client1/web11# cat /etc/debian_version
    root@ispconfig:/var/www/clients/client1/web11# ls -ld /bin/
    drwxrwxr-x 2 root root 4096 Jun  9 16:20 /bin/
    root@ispconfig:/var/www/clients/client1/web11# ls -ld ./bin/
    drwxr-xr-x 2 root root 4096 Jun 28 15:37 ./bin/
    Although I'm not sure why the Debian developers did this change or if it is a bug that should be reported.

    Kind regards,

Share This Page