Bug#835516: General: Incorrect permissions on /bin for Debian Jessie

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#835516: General: Incorrect permissions on /bin for Debian Jessie
From: Daniel Bareiro <dbareiro@opcion-libre.com.ar>
Date: Fri, 26 Aug 2016 09:36:12 -0300
Message-id: <[🔎] 20160826123611.GA5692@orion.freesoftware>
Reply-to: Daniel Bareiro <dbareiro@opcion-libre.com.ar>, 835516@bugs.debian.org

Package: general
Severity: important

Dear Debian developers,

I am currently testing ISPConfig with Debian Jessie and Jailkit.

Apparently the chrooted SSH users are not able to log on. I'm using
Debian GNU/Linux Jessie (8.5) with Jailkit 2.19. When reviewing
/var/log/auth.log at the time that the users try to connect via SSH, is
logged something as the following:

-------------------------------------------------------------------------
Jun 27 15:37:57 ispconfig jk_chrootsh[19240]: path /var/www/clients/client1/web7/bin/ is group writable
Jun 27 15:37:57 ispconfig jk_chrootsh[19240]: abort, /var/www/clients/client1/web7 is not a safe jail, check ownership and permissions.
-------------------------------------------------------------------------

Adding the following to
/usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh solves the
problem:

chmod g-w $CHROOT_HOMEDIR/bin

I think that jailkit just copies the permissions that Debian has set as
default for /bin which are different now according to the jailkit shell.

There seems to be a difference in the permissions for stable compared to
oldstable:

-------------------------------------------------------------------------
root@pfc:~# cat /etc/debian_version
7.10
root@pfc:~# ls -ld /bin/
drwxr-xr-x 2 root root 4096 mar  6 16:14 /bin/
-------------------------------------------------------------------------

-------------------------------------------------------------------------
root@ispconfig:/var/www/clients/client1/web11# cat /etc/debian_version
8.5
root@ispconfig:/var/www/clients/client1/web11# ls -ld /bin/
drwxrwxr-x 2 root root 4096 Jun  9 16:20 /bin/
root@ispconfig:/var/www/clients/client1/web11# ls -ld ./bin/
drwxr-xr-x 2 root root 4096 Jun 28 15:37 ./bin/
-------------------------------------------------------------------------

Although I'm not sure why the Debian developers did this change or if it
is a bug.


Kind regards,
Daniel



-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


-- 
Ing. Daniel Bareiro

Opción Libre - Soberanía tecnológica para su empresa
WWW: http://www.opcion-libre.com.ar
Tel: +54 11 5235-3090
Correo-e: contacto@opcion-libre.com.ar

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#835516: General: Incorrect permissions on /bin for Debian Jessie
  - From: Santiago Vila <sanvila@unex.es>
- Bug#835516: General: Incorrect permissions on /bin for Debian Jessie
  - From: Santiago Vila <sanvila@unex.es>

Prev by Date: Re: mk-build-deps cannot install particular version of Build-Depends packages
Next by Date: Re: Is missing SysV-init support a bug?
Previous by thread: Re: support for noatime
Next by thread: Bug#835516: General: Incorrect permissions on /bin for Debian Jessie
Index(es):
- Date
- Thread