i've got a strange issue on a new install. ubuntu 20.04, ispconfig 3.2.5 single server. installed using automated installer script. jailkit configuration is fully default. as installed.

i've added a client, created a website, and then created an ssh user for the site. (ssh-key based login only)

i can login as the ssh user, create files, switch to the /web folder etc, all without problems:

Code:
~$ pwd
/home/lee
~$ ls -l
total 0
~$ touch test
~$ ls -l
total 0
-rw-r--r-- 1 10002 10002 0 Aug 26 13:38 test
~$ cd /web
~$ ls -l
total 20
-rwxr-xr-- 1 10002 10002 7358 Aug 26 13:13 favicon.ico
-rwxr-xr-- 1 10002 10002 14 Aug 26 13:13 robots.txt
-rwxr-xr-- 1 10002 10002 1862 Aug 26 13:13 standard_index.html
drwxr-xr-x 2 10002 10002 4096 Aug 26 13:17 stats

as you can see though, it doesn't display the username or group name for ownership, only the uid/gid. as root:

Code:
# ls -l
total 20
-rwxr-xr-- 1 web2 client1 7358 Aug 26 13:13 favicon.ico
-rwxr-xr-- 1 web2 client1 14 Aug 26 13:13 robots.txt
-rwxr-xr-- 1 web2 client1 1862 Aug 26 13:13 standard_index.html
drwxr-xr-x 2 web2 client1 4096 Aug 26 13:17 stats

and as the jailkitted ssh user, i can't find name for the user id:

Code:
~$ whoami
whoami: cannot find name for user ID 10002

and despite being able to ssh in, and create files, i can't scp a file to this website using the jailkit ssh user:

Code:
scp installer.php lee@<redacted fqdn>:/.
unknown user 10002
lost connection

i can't find any errors, and nothing looks wrong in any of the config files.

from /etc/passwd:

Code:
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
.
.
ispapps:x:5002:5003::/var/www/apps:/bin/sh
ispconfig:x:5003:5004::/usr/local/ispconfig:/bin/sh
ispconfigend:x:20000:20000::/usr/local/ispconfig:/bin/sh
web2:x:10002:10002::/var/www/clients/client1/web2/./home/web2:/usr/sbin/jk_chrootsh
lee:x:10002:10002::/var/www/clients/client1/web2/./home/lee:/usr/sbin/jk_chrootsh

from /etc/group:

Code:
sshusers:x:5002:web2
ispapps:x:5003:www-data
ispconfig:x:5004:www-data
ispconfigend:x:20000:
client0:x:10001:www-data
client1:x:10002:www-data

from /var/www/clients/client1/web2/etc/passwd:

Code:
root:x:0:0:root:/root:/bin/bash
lee:x:10002:10002::/home/lee:/bin/bash

from /var/www/clients/client1/web2/etc/group:

Code:
root:x:0:
client1:x:10002:

so everything seems to match my main multi-server setup, where all this just works. i'm at a bit of a loss where to look next to try to fix this. any ideas?
That's the passwd file used inside the jail, can't you read it when you are logged in via ssh? Check file/path permissions.
/var/www/clients/client1/web2/etc/passwd (and group) are owned by root:root, with permissions 644. both are readable (read-only) by the jailkit ssh user. although ownership shows as 0 0 (uid/gid numbers) rather than as root root when running ls -l as the jailkit ssh user.
Is there a /etc/nsswitch.conf in the jail, and what does it contain?

You could try installing strace on the host (not in the jail), and run a chroot via strace, and see what it shows. In fact, to verify the command to run for that I reproduced the issue (on a Debian 10 host), and find in the output that it isn't finding libnss_files.so.2:

Code:
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

And that is due to a recent typo in /etc/jailkit/jk_init.ini, which should be:

Code:
[uidbasics]
comment = common files for all jails that need user/group information
paths = /lib*/libnsl.so.*, /lib*/libnss*.so.*, /lib/*/libnsl.so.*, /lib/*/libnss*.so.*, /etc/nsswitch.conf, /etc/ld.so.conf

You need to add the missing asterisk in /lib/*/libnss*.so.* then in mysql, "update web_domain set last_jailkit_hash = 'rebuild them all'" to have all jails rebuilt. Or you can hit the one jail with

Code:
jk_cp -j /var/www/clients/client1/web2/ /lib/*/libnss*.so.*

If anyone needs it for future tracking of issues, the strace command for this would be:

Code:
strace -ff -s256 -o /tmp/tracing chroot --userspec=10002:10002 /var/www/clients/client1/web2/ /bin/id

(Then open /tmp/tracing.{pid} and go through the output.)
excellent. thanks @Jesse Norell, it was. i used the nightly build to update the server a couple of days ago, just after its initial install, to get around the acme / self signed cert bug.

i'd seen similar issues with jailkit in the past, but none of the previous solutions worked. i did look at the jk_init.ini file yesterday, and noticed the paths had been shortened / more general than what was used before, i did compare them to the old entries and it all looked ok, i guess my brain expected to see the missing * and just filled it in itself. i reckon i could have looked at that same thing 20 times and not noticed that unless it was pointed out to me...

anyway, it's all working now, jailkit ssh user can see file/directory ownership names now instead of just uid/gid numbers, and upload files using scp.
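
The diagnosis in this thread came down to the jail lacking the libnss module that its nsswitch.conf asks for. As an added example (not from the thread, and not ISPConfig or jailkit code), this shell check lists the passwd/group services named in a jail's nsswitch.conf that have no libnss_<service>.so.2 under the jail. The function names and the demo jail are constructed, and the glibc module naming is assumed from the strace output above.

```shell
#!/bin/sh
# Added example: list NSS services a jail is configured to use but has no module for.

# nss_services JAIL: print the unique passwd/group services from JAIL/etc/nsswitch.conf
nss_services() {
    conf="$1/etc/nsswitch.conf"
    [ -r "$conf" ] || return 2
    # Drop comments, then skip "[NOTFOUND=return]"-style action items
    sed -e 's/#.*//' "$conf" |
        awk '$1 == "passwd:" || $1 == "group:" {
                 for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i
             }' | sort -u
}

# jail_has_module JAIL SERVICE: true if libnss_SERVICE.so.2 exists in the jail
# (assumed glibc naming, matching the libnss_files.so.2 path in the strace output)
jail_has_module() {
    for f in "$1"/lib*/libnss_"$2".so.2 "$1"/lib/*/libnss_"$2".so.2 \
             "$1"/usr/lib*/libnss_"$2".so.2 "$1"/usr/lib/*/libnss_"$2".so.2; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# missing_nss_modules JAIL: print services with no module in the jail.
# Returns 0 = none missing, 1 = some missing, 2 = no readable nsswitch.conf
missing_nss_modules() {
    services=$(nss_services "$1") || return 2
    missing=""
    for s in $services; do
        jail_has_module "$1" "$s" || missing="$missing $s"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# demo_jail: build a constructed jail tree (not a real ISPConfig jail) that has
# nsswitch.conf but no libnss modules, and print its path
demo_jail() {
    j=$(mktemp -d)
    mkdir -p "$j/etc" "$j/lib/x86_64-linux-gnu"
    printf 'passwd: files systemd\ngroup: files [NOTFOUND=return] systemd\n' \
        > "$j/etc/nsswitch.conf"
    echo "$j"
}

# Usage: pass a jail root, e.g. /var/www/clients/client1/web2
if [ -n "${1:-}" ]; then missing_nss_modules "$1"; fi
```

Run as root on the host with the jail root as the only argument; a return status of 2 means the jail has no readable nsswitch.conf at all.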