In relation to this thread I noticed that when I create a chroot shell user with Jailkit, some of the files contained in sub-directories of /var/www/domain.tld/ (/usr/bin, /usr/sbin, /var, /run, /lib64, etc.) are created and not owned by the correct user (in this example web34:client18), but rather by another user (web40:client21). This is true also with the same user (web40:client21) when I create a new site and enable chroot shell with Jailkit.

Here is an example:

Code:
root@webhost1:/var/www/mydomain.tld# ls -la
total 76
drwxr-xr-x 19 root root 4096 Dec 8 15:25 .
drwxr-xr-x 3 root root 4096 Aug 30 21:05 ..
-rwxr-x--- 1 web34 client18 0 Dec 8 15:25 .bash_history
-rw-r--r-- 1 web34 client18 0 Dec 8 15:25 .profile
drwx------ 2 web34 client18 4096 Dec 8 15:25 .ssh
drwxr-xr-x 2 root root 4096 Dec 8 15:25 bin
drwxr-xr-x 2 web34 client18 4096 Feb 11 2018 cgi-bin
drwxr-xr-x 2 root root 4096 Dec 8 15:25 dev
drwxr-xr-x 6 root root 4096 Dec 8 15:25 etc
drwxr-xr-x 4 web34 client18 4096 Dec 8 15:25 home
drwxr-xr-x 4 root root 4096 Dec 8 15:25 lib
drwxr-xr-x 2 root root 4096 Dec 8 15:25 lib64
drwxr-xr-x 2 root root 4096 Dec 8 06:28 log
drwx--x--- 2 web34 client18 4096 Feb 11 2018 private
drwxr-xr-x 3 root root 4096 Dec 8 15:25 run
drwxr-xr-x 2 root root 4096 Aug 30 21:05 ssl
drwxrwxrwx 2 web34 client18 4096 Dec 8 11:12 tmp
drwxr-xr-x 6 root root 4096 Dec 8 15:25 usr
drwxr-xr-x 3 root root 4096 Dec 8 15:25 var
drwx--x--x 9 web34 client18 4096 Nov 3 04:02 web
drwx--x--- 2 web34 client18 4096 Aug 30 21:05 webdav
root@webhost1:/var/www/mydomain.tld# ls -la /usr
total 108
drwxr-xr-x 10 root root 4096 Aug 29 20:08 .
drwxr-xr-x 23 root root 4096 Aug 29 19:54 ..
drwxr-xr-x 2 root root 53248 Sep 26 11:39 bin
drwxr-xr-x 2 root root 4096 Apr 12 2016 games
drwxr-xr-x 39 root root 4096 Aug 29 19:59 include
lrwxrwxrwx 1 root root 24 Aug 29 20:08 jk_init.ini -> /etc/jailkit/jk_init.ini
lrwxrwxrwx 1 root root 27 Aug 29 20:08 jk_socketd.ini -> /etc/jailkit/jk_socketd.ini
drwxr-xr-x 76 root root 4096 Aug 29 19:59 lib
drwxr-xr-x 11 root root 4096 Aug 29 20:10 local
drwxr-xr-x 2 root root 20480 Sep 26 11:39 sbin
drwxr-xr-x 188 root root 4096 Aug 29 20:02 share
drwxr-xr-x 6 root root 4096 Jun 18 06:46 src
root@webhost1:/var/www/mydomain.tld# ls -la /usr/bin
total 326676
drwxr-xr-x 2 root root 53248 Sep 26 11:39 .
drwxr-xr-x 10 root root 4096 Aug 29 20:08 ..
-rwxr-xr-x 1 root root 96 Jul 9 16:51 2to3-2.7
-rwxr-xr-x 1 root root 10104 Apr 23 2016 411toppm
lrwxrwxrwx 1 root root 11 May 21 2019 GET -> lwp-request
lrwxrwxrwx 1 root root 11 May 21 2019 HEAD -> lwp-request
lrwxrwxrwx 1 root root 22 Aug 29 18:02 Mail -> /etc/alternatives/Mail
lrwxrwxrwx 1 root root 4 Dec 4 2017 NF -> col1
lrwxrwxrwx 1 root root 11 May 21 2019 POST -> lwp-request
...
-rwxr-xr-x 1 root root 153944 Aug 22 2017 aspell
-rwxr-xr-x 1 root root 2044 Aug 22 2017 aspell-import
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 at
-rwxr-xr-x 1 root root 18296 Apr 23 2016 atktopbm
lrwxrwxrwx 1 root root 2 Feb 20 2018 atq -> at
...
-rwxr-xr-x 1 root root 39096 Jan 18 2018 base32
-rwxr-xr-x 1 root root 39096 Jan 18 2018 base64
-rwxr-xr-x 5 web40 client21 35000 Jan 18 2018 basename
-rwxr-xr-x 1 root root 7115 Jun 6 2019 bashbug
-rwxr-xr-x 1 root root 152 Feb 20 2018 batch
...
-rwxr-xr-x 1 root root 10232 Jan 17 2018 bsd-from
-rwxr-xr-x 1 root root 108792 Apr 14 2017 bsd-mailx
-rwxr-sr-x 1 root tty 14328 Jan 17 2018 bsd-write
-rwxr-xr-x 1 root root 67672 Sep 5 03:59 busctl
-rwxr-xr-x 1 root root 8264 Dec 4 2017 byobu
...
-rwxr-xr-x 1 root root 380 Apr 20 2018 cftp3
lrwxrwxrwx 1 root root 10 Apr 25 2016 chacl -> /bin/chacl
-rwxr-sr-x 1 root shadow 71816 Mar 22 2019 chage
lrwxrwxrwx 1 root root 11 Jun 18 2017 chardet3 -> chardetect3
-rwxr-xr-x 1 root root 389 Jun 18 2017 chardetect3
...
-rwxr-xr-x 1 root root 157800 Apr 4 2019 clamscan
-rwxr-xr-x 1 root root 137312 Apr 4 2019 clamsubmit
-rwxr-xr-x 5 web40 client21 10240 May 23 2018 clear
-rwxr-xr-x 1 root root 10312 Jun 6 2019 clear_console
-rwxr-xr-x 1 root root 47200 Aug 4 2017 cmp
...
lrwxrwxrwx 1 root root 6 Feb 26 2018 ctstat -> lnstat
-rwxr-xr-x 1 root root 223304 Sep 6 05:27 curl
-rwxr-xr-x 5 web40 client21 43224 Jan 18 2018 cut
-rwxr-xr-x 1 root root 246616 Apr 3 2018 daemon
-rwxr-xr-x 1 root root 1380 Feb 14 2018 dbilogstrip
...
-rwxr-xr-x 1 root root 63704 Aug 4 2017 diff3
-rwxr-xr-x 1 root root 150024 Aug 7 14:43 dig
-rwxr-xr-x 5 web40 client21 47296 Jan 18 2018 dircolors
-rwxr-xr-x 1 root root 546360 Jan 10 2019 dirmngr
-rwxr-xr-x 1 root root 109320 Jan 10 2019 dirmngr-client
-rwxr-xr-x 5 web40 client21 30904 Jan 18 2018 dirname
lrwxrwxrwx 1 root root 25 Aug 29 19:35 display -> /etc/alternatives/display
lrwxrwxrwx 1 root root 29 Aug 29 19:35 display-im6 -> /etc/alternatives/display-im6
...
Some additional info: folders outside of /var/www seem to be affected as well, for example here is the content of /usr/share/vim80:

Code:
root@webhost1:/usr/share/vim/vim80# ls -la
total 520
drwxr-xr-x 17 root root 4096 Jun 18 06:46 .
drwxr-xr-x 5 root root 4096 Jun 18 06:46 ..
drwxr-xr-x 4 root root 4096 Jun 18 06:46 autoload
-rw-r--r-- 5 web40 client21 1955 Jun 6 2019 bugreport.vim
drwxr-xr-x 2 root root 4096 Jun 18 06:46 colors
drwxr-xr-x 2 root root 12288 Jun 18 06:46 compiler
-rw-r--r-- 5 web40 client21 2064 Jun 6 2019 debian.vim
-rw-r--r-- 5 web40 client21 4120 Jun 6 2019 defaults.vim
-rw-r--r-- 5 web40 client21 645 Jun 6 2019 delmenu.vim
drwxr-xr-x 2 root root 20480 Jun 18 06:46 doc
-rw-r--r-- 5 web40 client21 2248 Jun 6 2019 evim.vim
-rw-r--r-- 5 web40 client21 56051 Jun 6 2019 filetype.vim
-rw-r--r-- 5 web40 client21 280 Jun 6 2019 ftoff.vim
drwxr-xr-x 2 root root 24576 Jun 18 06:46 ftplugin
-rw-r--r-- 5 web40 client21 971 Jun 6 2019 ftplugin.vim
-rw-r--r-- 5 web40 client21 337 Jun 6 2019 ftplugof.vim
-rw-r--r-- 5 web40 client21 1599 Jun 6 2019 gvimrc_example.vim
drwxr-xr-x 2 root root 20480 Jun 18 06:46 indent
-rw-r--r-- 5 web40 client21 767 Jun 6 2019 indent.vim
-rw-r--r-- 5 web40 client21 282 Jun 6 2019 indoff.vim
drwxr-xr-x 2 root root 12288 Jun 18 06:46 keymap
drwxr-xr-x 40 root root 20480 Jun 18 06:46 lang
drwxr-xr-x 6 root root 4096 Jun 18 06:46 macros
-rw-r--r-- 5 web40 client21 39461 Jun 6 2019 menu.vim
-rw-r--r-- 5 web40 client21 3399 Jun 6 2019 mswin.vim
-rw-r--r-- 5 web40 client21 59323 Jun 6 2019 optwin.vim
drwxr-xr-x 3 root root 4096 May 9 2018 pack
drwxr-xr-x 2 root root 4096 Jun 18 06:46 plugin
drwxr-xr-x 2 root root 4096 Jun 18 06:46 print
-rw-r--r-- 5 web40 client21 17780 Jun 6 2019 rgb.txt
-rw-r--r-- 5 web40 client21 11367 Jun 6 2019 scripts.vim
drwxr-xr-x 2 root root 4096 Jun 18 06:46 spell
-rw-r--r-- 5 web40 client21 36975 Jun 6 2019 synmenu.vim
drwxr-xr-x 2 root root 69632 Jun 18 06:46 syntax
drwxr-xr-x 2 root root 12288 Jun 18 06:46 tutor
-rw-r--r-- 5 web40 client21 1491 Jun 6 2019 vimrc_example.vim
root@webhost1:/usr/share/vim/vim80#
They need to be owned by root. - update - Ok, missed the part that they are outside of root. Did you use jailkit manually somehow? Did you check the user web40 in the password file, anything unusual with its homedir path in that file?
Yesterday I went through root level directories one at a time (/bin, /sbin, /usr (except /var/www/)) and changed all files outside that were owned by web40:client21 using this command:

Code:
find . -user web40 -exec chown root:root {} \;

I still have many files in various other /var/www/clients/clientX/webY folders belonging to web40, here is an example:

Code:
root@webhost1:/var/www/clients/client1/web7# find . -user web40
./usr/lib/x86_64-linux-gnu/liblwres.so.160.0.1
./usr/lib/x86_64-linux-gnu/libdns.so.1100.1.1
./usr/lib/x86_64-linux-gnu/libbind9.so.160.0.6
./usr/lib/x86_64-linux-gnu/libisc.so.169.0.1
./usr/lib/x86_64-linux-gnu/libisccfg.so.160.1.2
./usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0
./usr/bin/host
./lib/x86_64-linux-gnu/libexpat.so.1.6.7
./lib/x86_64-linux-gnu/libuuid.so.1.3.0
./lib/x86_64-linux-gnu/libnss_systemd.so.2
./bin/more
./bin/fgrep
./bin/grep
./bin/egrep

Can I change these to root:root as well, or should they be the correct webX:clientY? Here are the relevant lines from /etc/passwd:

Code:
web40:x:5029:5021::/var/www/clients/client21/web40/./home/web40:/usr/sbin/jk_chrootsh
jqpublic:x:5029:5021::/var/www/clients/client21/web40/./home/jqpublic:/usr/sbin/jk_chrootsh

THX -JB
These must be owned by root user as well. This looks fine. I've no idea how that could happen, have not seen that on another system yet.
Hmm, maybe one idea. Did you maybe run a chown -r inside that web in the past on all directories and files instead of just the 'web' directory?
No. I haven't chown'd in years, not usually a need for it. I did use migration toolkit for this site, is there any way that could affect things?
Here is an example of a folder:

Code:
root@webhost1:/var/www/clients/client1/web7/bin# ls -la
total 3852
drwxr-xr-x 2 web7 client1 4096 Aug 30 21:06 .
drwxr-xr-x 19 web7 client1 4096 Aug 30 21:06 ..
-rwxr-xr-x 5 root root 1113504 Jun 6 2019 bash
-rwxr-xr-x 5 root root 35064 Jan 18 2018 cat
-rwxr-xr-x 5 root root 59608 Jan 18 2018 chmod
-rwxr-xr-x 5 root root 141528 Jan 18 2018 cp
-rwxr-xr-x 4 root root 157224 Dec 2 2017 cpio
-rwxr-xr-x 5 root root 100568 Jan 18 2018 date
-rwxr-xr-x 5 root root 76000 Jan 18 2018 dd
-rwxr-xr-x 5 root root 35000 Jan 18 2018 echo
-rwxr-xr-x 3 web40 client21 28 Jul 12 2017 egrep
-rwxr-xr-x 5 root root 30904 Jan 18 2018 false
-rwxr-xr-x 3 web40 client21 28 Jul 12 2017 fgrep
-rwxr-xr-x 3 web40 client21 219528 Jul 12 2017 grep
-rwxr-xr-x 10 root root 2301 Apr 28 2017 gunzip
-rwxr-xr-x 5 root root 101560 Apr 28 2017 gzip
-rwxr-xr-x 5 root root 170760 Dec 1 2017 less
-rwxr-xr-x 5 root root 8564 Dec 1 2017 lesspipe
-rwxr-xr-x 5 root root 67808 Jan 18 2018 ln
-rwxr-xr-x 5 root root 133792 Jan 18 2018 ls
-rwxr-xr-x 5 root root 80056 Jan 18 2018 mkdir
-rwxr-xr-x 5 root root 43192 Jan 18 2018 mktemp
-rwxr-xr-x 3 web40 client21 38952 Oct 15 2018 more
-rwxr-xr-x 5 root root 137440 Jan 18 2018 mv
-rwxr-xr-x 5 root root 245872 Mar 6 2018 nano
-rwxr-xr-x 5 root root 35000 Jan 18 2018 pwd
-rwxr-xr-x 5 root root 63704 Jan 18 2018 rm
-rwxr-xr-x 5 root root 43192 Jan 18 2018 rmdir
-rwxr-xr-x 5 root root 109000 Jan 30 2018 sed
lrwxrwxrwx 1 web7 client1 4 Aug 30 21:06 sh -> bash
-rwxr-xr-x 5 root root 35000 Jan 18 2018 sleep
-rwxr-xr-x 5 root root 35000 Jan 18 2018 sync
-rwxr-xr-x 5 root root 423312 Jan 21 2019 tar
-rwxr-xr-x 5 root root 88280 Jan 18 2018 touch
-rwxr-xr-x 5 root root 30904 Jan 18 2018 true
-rwxr-xr-x 10 root root 2301 Apr 28 2017 uncompress
-rwxr-xr-x 5 root root 1937 Apr 28 2017 zcat
root@webhost1:/var/www/clients/client1/web7/bin#

Could I simply migrate the site to a new account, delete web40:client21 entirely and then on the entire /var/www/clients/:

Code:
find . -user web40 -exec chown root:root {} \;

THX
No, because your find command will fail as soon as the user is removed. These steps might work:

1) Back up the website files.
2) Use the find command to fix the ownership of files.
3) Delete the website and recreate it.

In case ISPConfig refuses to remove the website folder when you delete the site, remove it manually.
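
An audit to run before step 2, added here as an example and not taken from any post in the thread: it limits the search to the jail's system directories so a site's own web/ and home/ content keeps its owner, matches on the numeric UID (which still works once the account name no longer resolves), and groups hits by inode, since the link counts of 3 and 5 in the listings mean each affected file has several names. The directory list, function names and GNU find are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU find, as on Ubuntu.
# Jail system directories: the root-owned entries in the first listing,
# minus the site's own log/ and ssl/ (a selection made for this sketch).
JAIL_DIRS="bin dev etc lib lib64 run usr var"

# jail_owned UID SITE... -> "inode links path" for each regular file in a
# jail system directory owned by UID. web/, home/, private/, tmp/ are never
# scanned, so the site user's own content keeps its owner.
jail_owned() {
    uid=$1; shift
    for site in "$@"; do
        for d in $JAIL_DIRS; do
            [ -d "$site/$d" ] || continue
            find "$site/$d" -xdev -type f -uid "$uid" -printf '%i %n %p\n'
        done
    done
}

# inode_summary UID SITE... -> "inode names_found link_count" per inode.
inode_summary() {
    jail_owned "$@" |
        awk '{ n[$1]++; l[$1] = $2 } END { for (i in n) print i, n[i], l[i] }' |
        sort -n
}

# unseen_links UID SITE... -> number of inodes that have more hard links
# than names found, i.e. further names exist outside the scanned trees.
unseen_links() {
    inode_summary "$@" | awk '$2 < $3' | wc -l | tr -d ' '
}

# chown_plan UID SITE... -> one chown line per inode for review; changing
# the owner through one name changes it for every hard link to that inode.
chown_plan() {
    jail_owned "$@" | sort -n -u -k1,1 | while read -r ino links path; do
        printf 'chown root:root -- %s\n' "$path"
    done
}

# Typical run on the host from the thread (5029 is web40's UID in the
# quoted /etc/passwd lines):
#   chown_plan 5029 /var/www/clients/client*/web*
```

A non-zero result from unseen_links means some of those inodes are also linked from a tree that was not scanned, which is worth locating before and after the ownership fix.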