Wrong user:group for Jailkit shell folders

unsichtbare · Dec 8, 2019

In relation to this thread I noticed that when I create a chroot shell user with Jailkit, some of the the files contained in sub-directories of /var/www/domain.tld/ (/usr/bin, /usr/sbin, /var, /run, /lib64, etc.) are created and not owned by the correct user (in this example web34:client18), but rather by another user (web40:client21). This is true also with the same user (web40:client21) when I create a new site and enable chroot shell with Jailkit
Here is an example:

Code:

root@webhost1:/var/www/mydomain.tld# ls -la
total 76
drwxr-xr-x 19 root  root     4096 Dec  8 15:25 .
drwxr-xr-x  3 root  root     4096 Aug 30 21:05 ..
-rwxr-x---  1 web34 client18    0 Dec  8 15:25 .bash_history
-rw-r--r--  1 web34 client18    0 Dec  8 15:25 .profile
drwx------  2 web34 client18 4096 Dec  8 15:25 .ssh
drwxr-xr-x  2 root  root     4096 Dec  8 15:25 bin
drwxr-xr-x  2 web34 client18 4096 Feb 11  2018 cgi-bin
drwxr-xr-x  2 root  root     4096 Dec  8 15:25 dev
drwxr-xr-x  6 root  root     4096 Dec  8 15:25 etc
drwxr-xr-x  4 web34 client18 4096 Dec  8 15:25 home
drwxr-xr-x  4 root  root     4096 Dec  8 15:25 lib
drwxr-xr-x  2 root  root     4096 Dec  8 15:25 lib64
drwxr-xr-x  2 root  root     4096 Dec  8 06:28 log
drwx--x---  2 web34 client18 4096 Feb 11  2018 private
drwxr-xr-x  3 root  root     4096 Dec  8 15:25 run
drwxr-xr-x  2 root  root     4096 Aug 30 21:05 ssl
drwxrwxrwx  2 web34 client18 4096 Dec  8 11:12 tmp
drwxr-xr-x  6 root  root     4096 Dec  8 15:25 usr
drwxr-xr-x  3 root  root     4096 Dec  8 15:25 var
drwx--x--x  9 web34 client18 4096 Nov  3 04:02 web
drwx--x---  2 web34 client18 4096 Aug 30 21:05 webdav
root@webhost1:/var/www/mydomain.tld# ls -la /usr
total 108
drwxr-xr-x  10 root root  4096 Aug 29 20:08 .
drwxr-xr-x  23 root root  4096 Aug 29 19:54 ..
drwxr-xr-x   2 root root 53248 Sep 26 11:39 bin
drwxr-xr-x   2 root root  4096 Apr 12  2016 games
drwxr-xr-x  39 root root  4096 Aug 29 19:59 include
lrwxrwxrwx   1 root root    24 Aug 29 20:08 jk_init.ini -> /etc/jailkit/jk_init.ini
lrwxrwxrwx   1 root root    27 Aug 29 20:08 jk_socketd.ini -> /etc/jailkit/jk_socketd.ini
drwxr-xr-x  76 root root  4096 Aug 29 19:59 lib
drwxr-xr-x  11 root root  4096 Aug 29 20:10 local
drwxr-xr-x   2 root root 20480 Sep 26 11:39 sbin
drwxr-xr-x 188 root root  4096 Aug 29 20:02 share
drwxr-xr-x   6 root root  4096 Jun 18 06:46 src
root@webhost1:/var/www/mydomain.tld# ls -la /usr/bin
total 326676
drwxr-xr-x  2 root   root        53248 Sep 26 11:39  .
drwxr-xr-x 10 root   root         4096 Aug 29 20:08  ..
-rwxr-xr-x  1 root   root           96 Jul  9 16:51  2to3-2.7
-rwxr-xr-x  1 root   root        10104 Apr 23  2016  411toppm
lrwxrwxrwx  1 root   root           11 May 21  2019  GET -> lwp-request
lrwxrwxrwx  1 root   root           11 May 21  2019  HEAD -> lwp-request
lrwxrwxrwx  1 root   root           22 Aug 29 18:02  Mail -> /etc/alternatives/Mail
lrwxrwxrwx  1 root   root            4 Dec  4  2017  NF -> col1
lrwxrwxrwx  1 root   root           11 May 21  2019  POST -> lwp-request
...
-rwxr-xr-x  1 root   root       153944 Aug 22  2017  aspell
-rwxr-xr-x  1 root   root         2044 Aug 22  2017  aspell-import
-rwsr-sr-x  1 daemon daemon      51464 Feb 20  2018  at
-rwxr-xr-x  1 root   root        18296 Apr 23  2016  atktopbm
lrwxrwxrwx  1 root   root            2 Feb 20  2018  atq -> at
...
-rwxr-xr-x  1 root   root        39096 Jan 18  2018  base32
-rwxr-xr-x  1 root   root        39096 Jan 18  2018  base64
-rwxr-xr-x  5 web40  client21    35000 Jan 18  2018  basename
-rwxr-xr-x  1 root   root         7115 Jun  6  2019  bashbug
-rwxr-xr-x  1 root   root          152 Feb 20  2018  batch
...
-rwxr-xr-x  1 root   root        10232 Jan 17  2018  bsd-from
-rwxr-xr-x  1 root   root       108792 Apr 14  2017  bsd-mailx
-rwxr-sr-x  1 root   tty         14328 Jan 17  2018  bsd-write
-rwxr-xr-x  1 root   root        67672 Sep  5 03:59  busctl
-rwxr-xr-x  1 root   root         8264 Dec  4  2017  byobu
...
-rwxr-xr-x  1 root   root          380 Apr 20  2018  cftp3
lrwxrwxrwx  1 root   root           10 Apr 25  2016  chacl -> /bin/chacl
-rwxr-sr-x  1 root   shadow      71816 Mar 22  2019  chage
lrwxrwxrwx  1 root   root           11 Jun 18  2017  chardet3 -> chardetect3
-rwxr-xr-x  1 root   root          389 Jun 18  2017  chardetect3
...
-rwxr-xr-x  1 root   root       157800 Apr  4  2019  clamscan
-rwxr-xr-x  1 root   root       137312 Apr  4  2019  clamsubmit
-rwxr-xr-x  5 web40  client21    10240 May 23  2018  clear
-rwxr-xr-x  1 root   root        10312 Jun  6  2019  clear_console
-rwxr-xr-x  1 root   root        47200 Aug  4  2017  cmp
...
lrwxrwxrwx  1 root   root            6 Feb 26  2018  ctstat -> lnstat
-rwxr-xr-x  1 root   root       223304 Sep  6 05:27  curl
-rwxr-xr-x  5 web40  client21    43224 Jan 18  2018  cut
-rwxr-xr-x  1 root   root       246616 Apr  3  2018  daemon
-rwxr-xr-x  1 root   root         1380 Feb 14  2018  dbilogstrip
...
-rwxr-xr-x  1 root   root        63704 Aug  4  2017  diff3
-rwxr-xr-x  1 root   root       150024 Aug  7 14:43  dig
-rwxr-xr-x  5 web40  client21    47296 Jan 18  2018  dircolors
-rwxr-xr-x  1 root   root       546360 Jan 10  2019  dirmngr
-rwxr-xr-x  1 root   root       109320 Jan 10  2019  dirmngr-client
-rwxr-xr-x  5 web40  client21    30904 Jan 18  2018  dirname
lrwxrwxrwx  1 root   root           25 Aug 29 19:35  display -> /etc/alternatives/display
lrwxrwxrwx  1 root   root           29 Aug 29 19:35  display-im6 -> /etc/alternatives/display-im6
...

unsichtbare · Dec 8, 2019

Some additional info:
folders outside of /var/www seem to be affected as well, for example here is the content of /usr/share/vim80:

Code:

root@webhost1:/usr/share/vim/vim80# ls -la
total 520
drwxr-xr-x 17 root  root      4096 Jun 18 06:46 .
drwxr-xr-x  5 root  root      4096 Jun 18 06:46 ..
drwxr-xr-x  4 root  root      4096 Jun 18 06:46 autoload
-rw-r--r--  5 web40 client21  1955 Jun  6  2019 bugreport.vim
drwxr-xr-x  2 root  root      4096 Jun 18 06:46 colors
drwxr-xr-x  2 root  root     12288 Jun 18 06:46 compiler
-rw-r--r--  5 web40 client21  2064 Jun  6  2019 debian.vim
-rw-r--r--  5 web40 client21  4120 Jun  6  2019 defaults.vim
-rw-r--r--  5 web40 client21   645 Jun  6  2019 delmenu.vim
drwxr-xr-x  2 root  root     20480 Jun 18 06:46 doc
-rw-r--r--  5 web40 client21  2248 Jun  6  2019 evim.vim
-rw-r--r--  5 web40 client21 56051 Jun  6  2019 filetype.vim
-rw-r--r--  5 web40 client21   280 Jun  6  2019 ftoff.vim
drwxr-xr-x  2 root  root     24576 Jun 18 06:46 ftplugin
-rw-r--r--  5 web40 client21   971 Jun  6  2019 ftplugin.vim
-rw-r--r--  5 web40 client21   337 Jun  6  2019 ftplugof.vim
-rw-r--r--  5 web40 client21  1599 Jun  6  2019 gvimrc_example.vim
drwxr-xr-x  2 root  root     20480 Jun 18 06:46 indent
-rw-r--r--  5 web40 client21   767 Jun  6  2019 indent.vim
-rw-r--r--  5 web40 client21   282 Jun  6  2019 indoff.vim
drwxr-xr-x  2 root  root     12288 Jun 18 06:46 keymap
drwxr-xr-x 40 root  root     20480 Jun 18 06:46 lang
drwxr-xr-x  6 root  root      4096 Jun 18 06:46 macros
-rw-r--r--  5 web40 client21 39461 Jun  6  2019 menu.vim
-rw-r--r--  5 web40 client21  3399 Jun  6  2019 mswin.vim
-rw-r--r--  5 web40 client21 59323 Jun  6  2019 optwin.vim
drwxr-xr-x  3 root  root      4096 May  9  2018 pack
drwxr-xr-x  2 root  root      4096 Jun 18 06:46 plugin
drwxr-xr-x  2 root  root      4096 Jun 18 06:46 print
-rw-r--r--  5 web40 client21 17780 Jun  6  2019 rgb.txt
-rw-r--r--  5 web40 client21 11367 Jun  6  2019 scripts.vim
drwxr-xr-x  2 root  root      4096 Jun 18 06:46 spell
-rw-r--r--  5 web40 client21 36975 Jun  6  2019 synmenu.vim
drwxr-xr-x  2 root  root     69632 Jun 18 06:46 syntax
drwxr-xr-x  2 root  root     12288 Jun 18 06:46 tutor
-rw-r--r--  5 web40 client21  1491 Jun  6  2019 vimrc_example.vim
root@webhost1:/usr/share/vim/vim80#

till · Dec 9, 2019

They need to be owned by root.

- update -

Ok, missed the part that they are outside of root. Did you use jailkit manually somehow? Did you check the user web40 in the password file, anything unusual with its homedir path in that file?

unsichtbare · Dec 9, 2019

Yesterday I went through root level directories one at a time (/bin, /sbin, /usr (except /var/www/)) and changed all files outside that were owned by web40:client21 using this command:
Code:
find . -user web40 -exec chown root:root {} \;
I still have many files in various other /var/www/clients/clientX/webY folders belonging to web40, here is an example:
Code:
root@webhost1:/var/www/clients/client1/web7# find . -user web40
./usr/lib/x86_64-linux-gnu/liblwres.so.160.0.1
./usr/lib/x86_64-linux-gnu/libdns.so.1100.1.1
./usr/lib/x86_64-linux-gnu/libbind9.so.160.0.6
./usr/lib/x86_64-linux-gnu/libisc.so.169.0.1
./usr/lib/x86_64-linux-gnu/libisccfg.so.160.1.2
./usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0
./usr/bin/host
./lib/x86_64-linux-gnu/libexpat.so.1.6.7
./lib/x86_64-linux-gnu/libuuid.so.1.3.0
./lib/x86_64-linux-gnu/libnss_systemd.so.2
./bin/more
./bin/fgrep
./bin/grep
./bin/egrep
Can I change these to root:root as well, or should they be the correct webX:clientY?
Here are the relevant lines from /etc/passwd:
Code:
web40:x:5029:5021::/var/www/clients/client21/web40/./home/web40:/usr/sbin/jk_chrootsh
jqpublic:x:5029:5021::/var/www/clients/client21/web40/./home/jqpublic:/usr/sbin/jk_chrootsh
THX
-JB

till · Dec 9, 2019

unsichtbare said: ↑

Can I change these to root:root as well, or should they be the correct webX:clientY?
Click to expand...

These must be owned by root user as well.

unsichtbare said: ↑

Here are the relevant lines from /etc/passwd:
Click to expand...

This looks fine. I've no ida how that could happen, have not seen that on another system yet.

till · Dec 9, 2019

Hmm, maybe one idea. Did you maybe run a chown -r inside that web in the past on all directories and files instead of just the 'web' directory?

unsichtbare · Dec 9, 2019

No. I haven't chown'd in years, not usually a need for it.

I did use migration toolkit for this site, is there any way that could affect things.

till · Dec 9, 2019

No, I don't think so.

unsichtbare · Dec 9, 2019

Here is an example of a folder:

Code:

root@webhost1:/var/www/clients/client1/web7/bin# ls -la
total 3852
drwxr-xr-x  2 web7  client1     4096 Aug 30 21:06 .
drwxr-xr-x 19 web7  client1     4096 Aug 30 21:06 ..
-rwxr-xr-x  5 root  root     1113504 Jun  6  2019 bash
-rwxr-xr-x  5 root  root       35064 Jan 18  2018 cat
-rwxr-xr-x  5 root  root       59608 Jan 18  2018 chmod
-rwxr-xr-x  5 root  root      141528 Jan 18  2018 cp
-rwxr-xr-x  4 root  root      157224 Dec  2  2017 cpio
-rwxr-xr-x  5 root  root      100568 Jan 18  2018 date
-rwxr-xr-x  5 root  root       76000 Jan 18  2018 dd
-rwxr-xr-x  5 root  root       35000 Jan 18  2018 echo
-rwxr-xr-x  3 web40 client21      28 Jul 12  2017 egrep
-rwxr-xr-x  5 root  root       30904 Jan 18  2018 false
-rwxr-xr-x  3 web40 client21      28 Jul 12  2017 fgrep
-rwxr-xr-x  3 web40 client21  219528 Jul 12  2017 grep
-rwxr-xr-x 10 root  root        2301 Apr 28  2017 gunzip
-rwxr-xr-x  5 root  root      101560 Apr 28  2017 gzip
-rwxr-xr-x  5 root  root      170760 Dec  1  2017 less
-rwxr-xr-x  5 root  root        8564 Dec  1  2017 lesspipe
-rwxr-xr-x  5 root  root       67808 Jan 18  2018 ln
-rwxr-xr-x  5 root  root      133792 Jan 18  2018 ls
-rwxr-xr-x  5 root  root       80056 Jan 18  2018 mkdir
-rwxr-xr-x  5 root  root       43192 Jan 18  2018 mktemp
-rwxr-xr-x  3 web40 client21   38952 Oct 15  2018 more
-rwxr-xr-x  5 root  root      137440 Jan 18  2018 mv
-rwxr-xr-x  5 root  root      245872 Mar  6  2018 nano
-rwxr-xr-x  5 root  root       35000 Jan 18  2018 pwd
-rwxr-xr-x  5 root  root       63704 Jan 18  2018 rm
-rwxr-xr-x  5 root  root       43192 Jan 18  2018 rmdir
-rwxr-xr-x  5 root  root      109000 Jan 30  2018 sed
lrwxrwxrwx  1 web7  client1        4 Aug 30 21:06 sh -> bash
-rwxr-xr-x  5 root  root       35000 Jan 18  2018 sleep
-rwxr-xr-x  5 root  root       35000 Jan 18  2018 sync
-rwxr-xr-x  5 root  root      423312 Jan 21  2019 tar
-rwxr-xr-x  5 root  root       88280 Jan 18  2018 touch
-rwxr-xr-x  5 root  root       30904 Jan 18  2018 true
-rwxr-xr-x 10 root  root        2301 Apr 28  2017 uncompress
-rwxr-xr-x  5 root  root        1937 Apr 28  2017 zcat
root@webhost1:/var/www/clients/client1/web7/bin#

Could I simply migrate the site to a new account, delete web40:client21 entirely and then on the entire /var/www/clients/:

Code:

find . -user web40 -exec chown root:root {} \;

THX

till · Dec 9, 2019

unsichtbare said: ↑

Could I simply migrate the site to a new account, delete web40:client21 entirely and then on the entire /var/www/clients/:
Click to expand...

No, because your find command will fail as soon as the user is removed. These steps might work:

1) Backup the website files.
2) Use the find command to fix the ownership of files.
3) Delete the website and recreate it. in case that ispconfig rejects to remove the website folder when you delete the site, remove it manually.

Log in or Sign up

Wrong user:group for Jailkit shell folders

unsichtbare Member HowtoForge Supporter

unsichtbare Member HowtoForge Supporter

till Super Moderator Staff Member ISPConfig Developer

unsichtbare Member HowtoForge Supporter

till Super Moderator Staff Member ISPConfig Developer

till Super Moderator Staff Member ISPConfig Developer

unsichtbare Member HowtoForge Supporter

till Super Moderator Staff Member ISPConfig Developer

unsichtbare Member HowtoForge Supporter

till Super Moderator Staff Member ISPConfig Developer

Share This Page

Log in or Sign up

Wrong user:group for Jailkit shell folders

unsichtbare Member HowtoForge Supporter

unsichtbare Member HowtoForge Supporter

till Super Moderator Staff Member ISPConfig Developer

unsichtbare Member HowtoForge Supporter

till Super Moderator Staff Member ISPConfig Developer

till Super Moderator Staff Member ISPConfig Developer

unsichtbare Member HowtoForge Supporter

till Super Moderator Staff Member ISPConfig Developer

unsichtbare Member HowtoForge Supporter

till Super Moderator Staff Member ISPConfig Developer

Share This Page

Useful Searches