Debian 10 can't use git to fetch repo in jail

Discussion in 'Installation/Configuration' started by Niubbo75, Aug 10, 2022.

  1. Niubbo75

    Niubbo75 Member

    Hello, I'm running a Debian 10 server with apache and ISPConfig (installed following step by step this guide:https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/ ) I have set up a new website and a new user with shell access in jail, I gave git permissions (and I can use git command) but I've two big problems, the first is that I can't give ssh-agent permission to the user (I really don't know where to set it up, I gave ssh permission to the user but seems it is not enought), the second one is that I can't create files and folders under user's root (I mean /var/www/clients/client*/web*/) so I could not fetch this repo because it have composer just a folder up to /web. I have try to just migrate data via FTP but website don't load because it need sone files in /web/../vendor that could not be there and the entire website was made using composer (and also composer is needed to maintein update the website).
    How can I solve those problems?
     
  2. Steini86

    Steini86 Active Member

    You should be able to create files in /var/www/clients/client*/web*/. What is the error message that you get and how are the permissions set? Which user are you trying?
    If you want to overwrite these folders or create new ones in /var/www/clients/client* than this fails because this folder has the immutable bit set. For a one-time change use the chattr command as root (see: https://www.howtoforge.com/linux-chattr-command/)
    For a general change use ISPC: System > Server config > Web > Permissions > Make web folders immutable (extended attributes)
     
  3. Niubbo75

    Niubbo75 Member

    Hello Steini86 and thankyou for your reply.
    Following your suggestion about chattr and the possibility to do this via ISPC I've set it and now I can create files and folder also above /web.
    Now I still have the need to let jailed users use ssh-agent so they could use git with ssl cert and I don't know how to let it to the users.
    I'm login using ISPC shell user's credential.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is ssh-agent installed in the directories the jail can access?
    What happens when jailed user gives command ssh-agent?
     
  5. Steini86

    Steini86 Active Member

    Sorry to say, but I have no experience with jailkit or ssh-agent nor have I used git in a jailed environment. As far as I understand, you need a binary available inside the shell?
    Then see this example on how to add programs to the jailed user:
    https://www.faqforge.com/linux/add-php-in-ssh-jail-ispconfig-3
    Although this is for a PHP executable, it works with others accordingly.
    Hope this helps.
     
  6. Niubbo75

    Niubbo75 Member

    Hello Taileman and thankyou for your reply.
    I'm sure that ssh-agent is installed on the system (if I gave user shell access w/out jail user can run ssh-agent), I'm almost pretty sure that ssh-agent is not present in jailed because if I type ssh [TAB] I do not have any options, only ssh, and I don't know how to add it, I'm using on this server ISPConfig, I don't know if I can do something from there or not.
     
  7. Niubbo75

    Niubbo75 Member

    Hello Stein86, I've already followed that tutorial, but with no luck, I've already added "php" and also "composer" and "git", I've try to add also "ssh-agent" but it still doesn't work, perhaps I don't know what to add in /etc/jailkit/jk_init.ini to let ssh-agent work (I think "ssh" section will be almost complete, but I'm not su sure)
     
  8. Steini86

    Steini86 Active Member

  9. Niubbo75

    Niubbo75 Member

  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I have not used git much, but I do not remember needing ssh-agent.
    I examined my jail shell user, it looks like neither ssh nor git jail copies the ssh-agent command to the jail. This seems to indicate ssh-agent is not mandatory for using git. It may make using git easier, though.
    So you would need to copy the /usr/bin/ssh-agent to the jail of that user. I can not tell how it is done without reading the documentation, and I am tired now. It may be something like jk_cp -j nameofjail /usr/bin/ssh-agent.
     
    wojtekx and Niubbo75 like this.

Share This Page