Debian + sftp + jailkit = error

Discussion in 'ISPConfig 3 Priority Support' started by LIJE, May 3, 2019.

  1. LIJE

    LIJE Member

    Hi,

    I tried to find some answers in the other posts but couldn't find anything.
    I managed to create a shell user without a jail chroot, but when I log in, I'm getting a really long path and I can go anywhere on the server.
    So I tried to jail the user in its website directory, but then I couldn't log in anymore. The server was sending an error 111 to my sftp client.

    In my auth.log, I found this:
    Code:
    May  3 01:46:12 ns3107256 sshd[7052]: Connection from xxx port 28651 on xxxx port 22222
    May  3 01:46:12 ns1123 sshd[7052]: Accepted password for defaulttestshell from xxxx port 28651 ssh2
    May  3 01:46:12 ns1123sshd[7052]: pam_unix(sshd:session): session opened for user defaulttestshell by (uid=0)
    May  3 01:46:12 ns1123sshd[7052]: User child is on pid 7058
    May  3 01:46:12 ns1123sshd[7058]: Starting session: subsystem 'sftp' for defaulttestshell from xxxx port 28651 id 0
    May  3 01:46:12 ns1123jk_chrootsh[7059]: now entering jail /home/www/clients/client0/web117 for user defaulttestshell (5064) with arguments -c /usr/lib/openssh/sftp-server
    May  3 01:46:12 ns1123jk_chrootsh[7059]: ERROR: failed to execute shell /bin/bash for user defaulttestshell (5064), check the permissions and libraries of /home/www/clients/client0/web117//bin/bash
    May  3 01:46:12 ns1123sshd[7058]: Close session: user defaulttestshell from xxx port 28651 id 0
    
    I checked the folder /home/www/clients/client0/web117 and couldn't find the /bin/bash sub-folder.
    I didn't change my jk.init.ini so far. In a previous post, you gave the following link: http://symka.blogspot.com/2013/05/jailkit-ispconfig-ubuntu-1204-sftp.html
    I'm not sure this is going to work on my Debian 9.4 Stretch.

    Could you give me a hint to fix this please?
    Also, here is my jk.init.ini:

    Code:
    [uidbasics]
    # this section probably needs adjustment on 64bit systems
    # or non-Linux systems
    comment = common files for all jails that need user/group information
    libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
    regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf
    
    [netbasics]
    comment = common files for all jails that need any internet connectivity
    libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2
    regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
    
    [logbasics]
    comment = timezone information
    regularfiles = /etc/localtime
    need_logsocket = 1
    
    [jk_lsh]
    comment = Jailkit limited shell
    executables = /usr/sbin/jk_lsh
    regularfiles = /etc/jailkit/jk_lsh.ini
    users = root
    groups = root
    need_logsocket = 1
    includesections = uidbasics
    
    [limitedshell]
    comment = alias for jk_lsh
    includesections = jk_lsh
    
    [cvs]
    comment = Concurrent Versions System
    executables = /usr/bin/cvs
    devices = /dev/null
    
    [git]
    comment = Fast Version Control System
    executables = /usr/bin/git*
    directories = /usr/share/git-core
    includesections = editors
    
    [scp]
    comment = ssh secure copy
    executables = /usr/bin/scp
    includesections = netbasics, uidbasics
    devices = /dev/urandom
    
    [sftp]
    comment = ssh secure ftp
    executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
    includesections = netbasics, uidbasics
    devices = /dev/urandom, /dev/null
    
    [ssh]
    comment = ssh secure shell
    executables = /usr/bin/ssh
    includesections = netbasics, uidbasics
    devices = /dev/urandom, /dev/tty
    
    [rsync]
    executables = /usr/bin/rsync
    includesections = netbasics, uidbasics
    
    [procmail]
    comment = procmail mail delivery
    executables = /usr/bin/procmail, /bin/sh
    devices = /dev/null
    
    [basicshell]
    comment = bash based shell with several basic utilities
    executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat
    regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile
    directories = /usr/lib/locale/en_US.utf8
    users = root
    groups = root
    includesections = uidbasics
    
    [midnightcommander]
    comment = Midnight Commander
    executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview
    directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc
    includesections = basicshell
    
    [extendedshell]
    comment = bash shell including things like awk, bzip, tail, less
    executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usr/bin/whoami
    includesections = basicshell, midnightcommander, editors
    
    [editors]
    comment = vim, joe and nano
    executables = /usr/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico
    regularfiles = /etc/vimrc
    directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo
    
    [netutils]
    comment = several internet utilities like wget, ftp, rsync, scp, ssh
    executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
    includesections = netbasics, ssh, sftp, scp
    
    [apacheutils]
    comment = htpasswd utility
    executables = /usr/bin/htpasswd
    
    [extshellplusnet]
    comment = alias for extendedshell + netutils + apacheutils
    includesections = extendedshell, netutils, apacheutils
    
    [openvpn]
    comment = jail for the openvpn daemon
    executables = /usr/sbin/openvpn
    users = root,nobody
    groups = root,nogroup
    includesections = netbasics
    devices = /dev/urandom, /dev/random, /dev/net/tun
    includesections = netbasics, uidbasics
    need_logsocket = 1
    
    [apache]
    comment = the apache webserver, very basic setup, probably too limited for you
    executables = /usr/sbin/apache
    users = root, www-data
    groups = root, www-data
    includesections = netbasics, uidbasics
    
    [perl]
    comment = the perl interpreter and libraries
    executables = /usr/bin/perl
    directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
    
    [xauth]
    comment = getting X authentication to work
    executables = /usr/bin/X11/xauth
    regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
    
    [xclients]
    comment = minimal files for X clients
    regularfiles = /usr/X11R6/lib/X11/rgb.txt
    includesections = xauth
    
    [vncserver]
    comment = the VNC server program
    executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc
    directories = /usr/X11R6/lib/X11/fonts/
    includesections = xclients
    
    
    #[xterm]
    #comment = xterm
    #executables = /usr/bin/X11/xterm
    #directories = /usr/share/terminfo, /etc/terminfo
    #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the output of:

    ls -la /home/www/clients/client0/web117/*
     
  3. LIJE

    LIJE Member

    Code:
    /home/www/clients/client0/web117/web:
    total 260
    drwx--x--x  6 web117 client0  4096 avril  4 16:40 .
    drwxr-xr-x 13 root   root     4096 mai    3 01:04 ..
    -rw-r--r--  1 web117 client0    53 janv. 14 17:33 googleb4b95fa05479217c.html
    -rw-r--r--  1 web117 client0  6563 janv. 30 14:57 .htaccess
    -rw-r--r--  1 web117 client0  6563 janv. 30 11:06 .htaccess.orgi
    -rw-r--r--  1 web117 client0   420 mars   1 10:27 index.php
    -rw-r--r--  1 web117 client0  5973 janv. 30 11:06 iwp-clone-log.txt
    -rw-r--r--  1 web117 client0 19935 mars   1 10:27 license.txt
    -rw-r--r--  1 web117 client0  7001 janv. 30 11:56 pinterest-2fb5c.html
    -rw-r--r--  1 web117 client0  7425 mars  13 03:47 readme.html
    -rw-r--r--  1 web117 client0  5516 janv. 25 19:25 robots.txt
    drwxr-xr-x  6 web117 client0  4096 mai    3 00:01 stats
    -rw-r--r--  1 web117 client0  6919 mars   1 10:27 wp-activate.php
    drwxr-xr-x  9 web117 client0  4096 janv. 30 11:06 wp-admin
    -rw-r--r--  1 web117 client0   369 mars   1 10:27 wp-blog-header.php
    -rw-r--r--  1 web117 client0  2283 mars   1 10:27 wp-comments-post.php
    -rw-r--r--  1 web117 client0  3987 mai    1 13:22 wp-config.php
    -rw-r--r--  1 web117 client0  3600 mars   1 10:27 wp-config-sample.php
    drwxr-xr-x 11 web117 client0  4096 mai    3 10:16 wp-content
    -rw-r--r--  1 web117 client0  3847 mars   1 10:27 wp-cron.php
    drwxr-xr-x 19 web117 client0 12288 mars   1 10:27 wp-includes
    -rw-r--r--  1 web117 client0  2502 mars   1 10:27 wp-links-opml.php
    -rw-r--r--  1 web117 client0  3306 mars   1 10:27 wp-load.php
    -rw-r--r--  1 web117 client0 38883 mars   1 10:27 wp-login.php
    -rw-r--r--  1 web117 client0  8403 mars   1 10:27 wp-mail.php
    -rw-r--r--  1 web117 client0 17947 mars   1 10:27 wp-settings.php
    -rw-r--r--  1 web117 client0 31085 mars   1 10:27 wp-signup.php
    -rw-r--r--  1 web117 client0  4764 mars   1 10:27 wp-trackback.php
    -rw-r--r--  1 web117 client0  3068 mars   1 10:27 xmlrpc.php
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You posted the ls result of a wrong directory. Please use the command I posted.
     
  5. LIJE

    LIJE Member

    Code:
    /home/www/clients/client0/web117/cgi-bin:
    total 8
    drwxr-xr-x  2 web117 client0 4096 janv. 15 00:15 .
    drwxr-xr-x 13 root   root    4096 mai    3 01:04 ..
    
    /home/www/clients/client0/web117/etc:
    total 8
    drwxr-xr-x  2 root root 4096 mai    3 01:04 .
    drwxr-xr-x 13 root root 4096 mai    3 01:04 ..
    -rw-r--r--  1 root root    0 janv.  1  1970 passwd
    
    /home/www/clients/client0/web117/home:
    total 16
    drwxr-xr-x  4 root   root    4096 mai    3 01:04 .
    drwxr-xr-x 13 root   root    4096 mai    3 01:04 ..
    drwxr-x---  3 web117 client0 4096 mai    3 01:01 defaulttestshell
    drwxr-x---  2 web117 client0 4096 mai    3 01:04 web117
    
    /home/www/clients/client0/web117/log:
    total 492
    drwxr-xr-x  2 root root   4096 mai    3 02:14 .
    drwxr-xr-x 13 root root   4096 mai    3 01:04 ..
    -rw-r--r--  1 root root  13104 avril 24 00:27 20190422-access.log.gz
    -rw-r--r--  1 root root  13138 avril 25 00:29 20190423-access.log.gz
    -rw-r--r--  1 root root  11820 avril 26 00:46 20190424-access.log.gz
    -rw-r--r--  1 root root  23290 avril 27 00:37 20190425-access.log.gz
    -rw-r--r--  1 root root  15869 avril 28 00:24 20190426-access.log.gz
    -rw-r--r--  1 root root  13064 avril 29 00:38 20190427-access.log.gz
    -rw-r--r--  1 root root  13448 avril 30 00:51 20190428-access.log.gz
    -rw-r--r--  1 root root   8443 mai    1 00:49 20190429-access.log.gz
    -rw-r--r--  1 root root   7856 mai    2 00:35 20190430-access.log.gz
    -rw-r--r--  1 root root  13582 mai    3 00:39 20190501-access.log.gz
    -rw-r--r--  1 root root 207543 mai    2 23:30 20190502-access.log
    -rw-r--r--  1 root root  76748 mai    3 13:09 20190503-access.log
    lrwxrwxrwx  1 root root     19 mai    3 02:14 access.log -> 20190503-access.log
    -rw-r--r--  1 root root    935 mai    3 08:30 error.log
    -rw-r--r--  1 root root   2135 avril 24 00:27 error.log.10.gz
    -rw-r--r--  1 root root    684 mai    3 00:39 error.log.1.gz
    -rw-r--r--  1 root root   2076 mai    2 00:35 error.log.2.gz
    -rw-r--r--  1 root root    565 mai    1 00:49 error.log.3.gz
    -rw-r--r--  1 root root   1997 avril 30 00:51 error.log.4.gz
    -rw-r--r--  1 root root   1867 avril 29 00:38 error.log.5.gz
    -rw-r--r--  1 root root   1598 avril 28 00:24 error.log.6.gz
    -rw-r--r--  1 root root   1817 avril 27 00:37 error.log.7.gz
    -rw-r--r--  1 root root   1666 avril 26 00:46 error.log.8.gz
    -rw-r--r--  1 root root   2517 avril 25 00:29 error.log.9.gz
    lrwxrwxrwx  1 root root     56 mai    3 00:01 yesterday-access.log -> /home/www/clients/client0/web117/log/20190502-access.log
    
    /home/www/clients/client0/web117/private:
    total 8
    drwx--x---  2 web117 client0 4096 janv. 15 00:15 .
    drwxr-xr-x 13 root   root    4096 mai    3 01:04 ..
    
    /home/www/clients/client0/web117/ssl:
    total 8
    drwxr-xr-x  2 root root 4096 janv. 30 16:09 .
    drwxr-xr-x 13 root root 4096 mai    3 01:04 ..
    lrwxrwxrwx  1 root root   45 janv. 30 16:09 datart.fr-le.bundle -> /etc/letsencrypt/live/www.datart.fr/chain.pem
    lrwxrwxrwx  1 root root   49 janv. 30 16:09 datart.fr-le.crt -> /etc/letsencrypt/live/www.datart.fr/fullchain.pem
    lrwxrwxrwx  1 root root   47 janv. 30 16:09 datart.fr-le.key -> /etc/letsencrypt/live/www.datart.fr/privkey.pem
    lrwxrwxrwx  1 root root   45 janv. 30 10:59 www.datart.fr-le.bundle -> /etc/letsencrypt/live/www.datart.fr/chain.pem
    lrwxrwxrwx  1 root root   49 janv. 30 10:59 www.datart.fr-le.crt -> /etc/letsencrypt/live/www.datart.fr/fullchain.pem
    lrwxrwxrwx  1 root root   47 janv. 30 10:59 www.datart.fr-le.key -> /etc/letsencrypt/live/www.datart.fr/privkey.pem
    
    /home/www/clients/client0/web117/tmp:
    total 1880
    drwxrwxrwx  2 web117 client0    4096 mai    2 23:30 .
    drwxr-xr-x 13 root   root       4096 mai    3 01:04 ..
    -rw-r--r--  1 web117 client0 1914354 avril 18 02:05 GeoLite2-Country.tar-JQen5t.tmp
    
    /home/www/clients/client0/web117/var:
    total 12
    drwxr-xr-x  3 root root 4096 mai    3 01:04 .
    drwxr-xr-x 13 root root 4096 mai    3 01:04 ..
    drwxr-xr-x  3 root root 4096 mai    3 01:04 run
    
    /home/www/clients/client0/web117/web:
    total 260
    drwx--x--x  6 web117 client0  4096 avril  4 16:40 .
    drwxr-xr-x 13 root   root     4096 mai    3 01:04 ..
    -rw-r--r--  1 web117 client0    53 janv. 14 17:33 googleb4b95fa05479217c.html
    -rw-r--r--  1 web117 client0  6563 janv. 30 14:57 .htaccess
    -rw-r--r--  1 web117 client0  6563 janv. 30 11:06 .htaccess.orgi
    -rw-r--r--  1 web117 client0   420 mars   1 10:27 index.php
    -rw-r--r--  1 web117 client0  5973 janv. 30 11:06 iwp-clone-log.txt
    -rw-r--r--  1 web117 client0 19935 mars   1 10:27 license.txt
    -rw-r--r--  1 web117 client0  7001 janv. 30 11:56 pinterest-2fb5c.html
    -rw-r--r--  1 web117 client0  7425 mars  13 03:47 readme.html
    -rw-r--r--  1 web117 client0  5516 janv. 25 19:25 robots.txt
    drwxr-xr-x  6 web117 client0  4096 mai    3 00:01 stats
    -rw-r--r--  1 web117 client0  6919 mars   1 10:27 wp-activate.php
    drwxr-xr-x  9 web117 client0  4096 janv. 30 11:06 wp-admin
    -rw-r--r--  1 web117 client0   369 mars   1 10:27 wp-blog-header.php
    -rw-r--r--  1 web117 client0  2283 mars   1 10:27 wp-comments-post.php
    -rw-r--r--  1 web117 client0  3987 mai    1 13:22 wp-config.php
    -rw-r--r--  1 web117 client0  3600 mars   1 10:27 wp-config-sample.php
    drwxr-xr-x 11 web117 client0  4096 mai    3 13:09 wp-content
    -rw-r--r--  1 web117 client0  3847 mars   1 10:27 wp-cron.php
    drwxr-xr-x 19 web117 client0 12288 mars   1 10:27 wp-includes
    -rw-r--r--  1 web117 client0  2502 mars   1 10:27 wp-links-opml.php
    -rw-r--r--  1 web117 client0  3306 mars   1 10:27 wp-load.php
    -rw-r--r--  1 web117 client0 38883 mars   1 10:27 wp-login.php
    -rw-r--r--  1 web117 client0  8403 mars   1 10:27 wp-mail.php
    -rw-r--r--  1 web117 client0 17947 mars   1 10:27 wp-settings.php
    -rw-r--r--  1 web117 client0 31085 mars   1 10:27 wp-signup.php
    -rw-r--r--  1 web117 client0  4764 mars   1 10:27 wp-trackback.php
    -rw-r--r--  1 web117 client0  3068 mars   1 10:27 xmlrpc.php
    
    /home/www/clients/client0/web117/webdav:
    total 8
    drwx--x---  2 web117 client0 4096 janv. 15 00:15 .
    drwxr-xr-x 13 root   root    4096 mai    3 01:04 ..
    
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if some folders like /bin and /usr and some other parts of the jail are missing. Try to update the jail with:

    jk_update -j /home/www/clients/client0/web117
     
  7. LIJE

    LIJE Member

    I just created the user. That's weird.

    Code:
    jk_update -j /home/www/clients/client0/web117
    ERROR:  while scannign dir /home/www/clients/client0/web117/bin/: No such file or directory
    ERROR:  while scannign dir /home/www/clients/client0/web117/lib/: No such file or directory
    ERROR:  while scannign dir /home/www/clients/client0/web117/usr/: No such file or directory
    ERROR:  while scannign dir /home/www/clients/client0/web117/opt/: No such file or directory
     
  8. LIJE

    LIJE Member

    Same thing every time. There is always the error I mentioned.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to re-initialize the jail with:

    jk_init -j /home/www/clients/client0/web117 basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh
     
  10. LIJE

    LIJE Member

    Will I need to do it every time?

    Code:
    ERROR: /home/www/clients/client0 is not owned by root:root!
    
    ERROR: jail directory basicshell is not safe
    /www and sub folders are owned by www-data
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The folders are normally owned by root and not www-data. Probably you manually changed the ownership sometime in the past, as ISPConfig is not using the www-data user for this.
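    The jk_init refusal above ("is not owned by root:root", "jail directory ... is not safe") comes from jailkit checking the ownership of every directory on the way to the jail. The check below is an added example, not jailkit's or ISPConfig's code: it walks each path component up to the jail and reports anything a non-root user could tamper with (non-root owner, group/world write bit, non-directory). The stat table is constructed to mirror the poster's situation; www-data being uid/gid 33 is the Debian default.

```python
import os
import stat
from typing import Callable, Dict, List, Tuple

StatInfo = Tuple[int, int, int]  # (uid, gid, st_mode)

# Constructed stat table standing in for os.lstat on the poster's server:
# /home/www and below had been chown'ed to www-data (uid/gid 33 on Debian),
# which is what jk_init complained about. Paths are the ones from the thread.
EXAMPLE_TREE: Dict[str, StatInfo] = {
    "/": (0, 0, stat.S_IFDIR | 0o755),
    "/home": (0, 0, stat.S_IFDIR | 0o755),
    "/home/www": (33, 33, stat.S_IFDIR | 0o755),
    "/home/www/clients": (33, 33, stat.S_IFDIR | 0o755),
    "/home/www/clients/client0": (33, 33, stat.S_IFDIR | 0o775),
    "/home/www/clients/client0/web117": (0, 0, stat.S_IFDIR | 0o755),
}
# The same tree after "chown root:root" and "chmod 755" on every component.
FIXED_TREE: Dict[str, StatInfo] = {p: (0, 0, stat.S_IFDIR | 0o755) for p in EXAMPLE_TREE}


def table_lookup(tree: Dict[str, StatInfo]) -> Callable[[str], StatInfo]:
    """Build a lookup over a constructed table (offline use and tests)."""
    return lambda path: tree[path]


def real_lookup(path: str) -> StatInfo:
    """Lookup against the live filesystem; lstat so a symlinked component shows up."""
    st = os.lstat(path)
    return st.st_uid, st.st_gid, st.st_mode


def path_components(jail: str) -> List[str]:
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']: every directory leading to the jail."""
    parts = [p for p in os.path.normpath(jail).split("/") if p]
    out = ["/"]
    for p in parts:
        out.append(os.path.join(out[-1], p))
    return out


def jail_path_problems(jail: str, lookup: Callable[[str], StatInfo] = real_lookup) -> List[str]:
    """One message per component that a non-root user could modify or replace:
    non-root owner, group/world write bit, or something that is not a directory."""
    problems = []
    for comp in path_components(jail):
        uid, gid, mode = lookup(comp)
        if not stat.S_ISDIR(mode):
            problems.append(f"{comp}: not a directory (symlink?)")
        if (uid, gid) != (0, 0):
            problems.append(f"{comp}: owned by {uid}:{gid}, expected root:root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group/others (mode {stat.S_IMODE(mode):04o})")
    return problems


if __name__ == "__main__":
    for msg in jail_path_problems("/home/www/clients/client0/web117", table_lookup(EXAMPLE_TREE)):
        print(msg)
```

    Run it without the second argument to check a real jail directory on the server; an empty list means every component is root-owned and not writable by others.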
     
  12. LIJE

    LIJE Member

    I had to move the www folder to another partition.

    Ok, I changed the owners back to root. I removed the shell user. I created a new shell user.
    Once logged in, I'm in /home/defaulttestshell2 instead of the website folder (jailkit).
    When I go into the website folder, I can't see any files, but I can access any files on the server. /!\

    Without jailkit, I can't access any of the website folders.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    That's no problem when it's done properly as described here:

    https://www.howtoforge.com/use_moun...ctory_of_a_ispconfig_server_to_a_new_location

    Altering paths instead, like using /home/www instead of /var/www in ISPConfig, might cause parts of the setup to fail, e.g. suexec.

    Deleting a shell user and creating a new one will not recreate a jail. A jail will get created only once when the first jailed user of a site is created.

    That's as it should be. A "cd ../../web" or "cd /web" will show you the web folder.

    You cannot access files outside of the website when the user is jailed. So either you think that you can access files because the files inside a jail look very similar to the root filesystem, or the user you created is not a jailed user. You can easily check that as root user in the /etc/passwd file; a jailed user looks like this:

    tomtest:x:5004:5006::/var/www/clients/client1/web1/./home/tomtest:/usr/sbin/jk_chrootsh

    As you see, the path contains a /./ at the folder which will be the root of the jail, and the shell is /usr/sbin/jk_chrootsh instead of /bin/bash.

    And a general note, to up and download files securely, use FTPS (FTP over SSL) and not SFTP. I would use a jailed SSH user with SCP only if your application does not support FTPS or when you want to run shell commands and login by SSH to that site.
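    The /etc/passwd check described in the post above, as an added example that is not part of the thread or of ISPConfig: it parses passwd lines, splits the home path at the /./ marker into jail root and in-jail home, and flags accounts where only one half of the jailkit setup is present. The passwd excerpt is constructed; only the tomtest line is the one quoted above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Login shell jailkit installs for jailed accounts (as in the post above).
JK_CHROOTSH = "/usr/sbin/jk_chrootsh"

# Constructed /etc/passwd excerpt. "tomtest" is the line quoted in the post;
# the other accounts are made up to show an unjailed user and two half-done setups.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tomtest:x:5004:5006::/var/www/clients/client1/web1/./home/tomtest:/usr/sbin/jk_chrootsh
plainshell:x:5070:5005::/home/www/clients/client0/web117/home/plainshell:/bin/bash
markeronly:x:5071:5005::/home/www/clients/client0/web117/./home/markeronly:/bin/bash
shellonly:x:5072:5005::/home/www/clients/client0/web117/home/shellonly:/usr/sbin/jk_chrootsh
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

    @property
    def jail_root(self) -> Optional[str]:
        """Path before the /./ marker: the directory jk_chrootsh will chroot into."""
        return self.home.split("/./", 1)[0] if "/./" in self.home else None

    @property
    def home_inside_jail(self) -> Optional[str]:
        """Path after the marker: where the user lands once inside the jail."""
        return "/" + self.home.split("/./", 1)[1] if "/./" in self.home else None

    def status(self) -> str:
        has_marker = self.jail_root is not None
        has_jk_shell = self.shell == JK_CHROOTSH
        if has_marker and has_jk_shell:
            return "jailed"
        if not has_marker and not has_jk_shell:
            return "not jailed"
        # Only one half of the jailkit setup is present: a /./ marker with a
        # normal shell never goes through jk_chrootsh, so nothing confines the
        # user; jk_chrootsh without a marker has no jail root to enter.
        return "inconsistent"


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at the fields
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def jail_report(text: str) -> Dict[str, str]:
    """Map each account name to 'jailed', 'not jailed' or 'inconsistent'."""
    return {e.name: e.status() for e in parse_passwd(text)}
```

    On a real server, pass the contents of /etc/passwd to jail_report and look at the "inconsistent" entries first.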
     
  14. LIJE

    LIJE Member

    Thanks Till.

    Honestly, I don't remember how I moved it but what I did looks like your post. I might have changed the user to test something.
    Here is my new user:
    defaulttestshell2:x:5064:5005::/home/www/clients/client0/web117/./home/defaulttestshell2:/usr/sbin/jk_chrootsh

    This looks good to me.

    Hm, I wanted to use SFTP for security purposes, indeed. I don't see any checkbox or so in the FTP user section. If shell users stand for SFTP, where do I create FTPS users?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Create an FTP user. FTPS and FTP use FTP users. In your FTP client, select FTPS as protocol then.
     
  16. LIJE

    LIJE Member

    1/ Just WOW. I removed the shell user and it removed the ssl folder as well. Apache crashed and couldn't restart by itself. The root user doesn't even have the rights to clean up the web folder (etc, var, home... that were created at the same time as the shell user). I had to remove the website completely and import a backup.

    2/ Ok thanks. I noticed it works with explicit tls/ssl.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Removing a shell user does not remove the ssl folder of the website. To be more precise, removing a shell user in ISPConfig does not remove any folders.
     
  18. LIJE

    LIJE Member

    Playing with shell users is the only thing I did before this folder gets removed.
    Anyway, it's not a big deal. Thanks for your help.
     