
Bug#835516: General: Incorrect permissions on /bin for Debian Jessie



On Fri, Aug 26, 2016 at 09:36:12AM -0300, Daniel Bareiro wrote:
> 
> Package: general
> Severity: important
> 
> Dear Debian developers,
> 
> I am currently testing ISPConfig with Debian Jessie and Jailkit.
> 
> Apparently the chrooted SSH users are not able to log on. I'm using
> Debian GNU/Linux Jessie (8.5) with Jailkit 2.19. When reviewing
> /var/log/auth.log at the time that the users try to connect via SSH,
> something like the following is logged:
> 
> -------------------------------------------------------------------------
> Jun 27 15:37:57 ispconfig jk_chrootsh[19240]: path /var/www/clients/client1/web7/bin/ is group writable
> Jun 27 15:37:57 ispconfig jk_chrootsh[19240]: abort, /var/www/clients/client1/web7 is not a safe jail, check ownership and permissions.
> -------------------------------------------------------------------------
> 
> Adding the following to
> /usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh solves the
> problem:
> 
> chmod g-w $CHROOT_HOMEDIR/bin
> 
> I think that jailkit just copies the permissions that Debian has set as
> default for /bin which are different now according to the jailkit shell.
> 
> There seems to be a difference in the permissions for stable compared to
> oldstable:
> 
> -------------------------------------------------------------------------
> root@pfc:~# cat /etc/debian_version
> 7.10
> root@pfc:~# ls -ld /bin/
> drwxr-xr-x 2 root root 4096 mar  6 16:14 /bin/
> -------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> root@ispconfig:/var/www/clients/client1/web11# cat /etc/debian_version
> 8.5
> root@ispconfig:/var/www/clients/client1/web11# ls -ld /bin/
> drwxrwxr-x 2 root root 4096 Jun  9 16:20 /bin/
> root@ispconfig:/var/www/clients/client1/web11# ls -ld ./bin/
> drwxr-xr-x 2 root root 4096 Jun 28 15:37 ./bin/
> -------------------------------------------------------------------------
> 
> Although I'm not sure why the Debian developers did this change or if it
> is a bug.

It would be a bug, yes, but that's not a change that we made.

A standard install of Debian jessie is usually made by a program
called debian-installer. This program runs from a bootable USB stick
(or from optical media) and uses a program called debootstrap to
install a minimal Debian system in the partition which will become the
root partition.

One of the very first packages that debootstrap installs is base-files,
which contains an empty usr/bin with correct permissions. You can
check this by downloading the .deb package from any mirror:

# dpkg -c base-files_8+deb8u5_amd64.deb | grep usr/bin
drwxr-xr-x root/root         0 2016-05-30 06:18 ./usr/bin/


I don't know what exactly jailkit does to create a chroot, but since
AFAIK it's not packaged for Debian jessie, this could not be a bug
in the Debian distribution at all.

Please tell us a step by step recipe to reproduce this problem (not
just what you remember doing the last time, but something that works
when you start from scratch) and why you think it is a bug in the
Debian distribution and maybe we could help.

Thanks.
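
A way to list the directories that would trigger the "is group writable" abort shown in the auth.log excerpt, as an added example that is not part of the original message and is not jailkit's own code. The function name `audit_jail` and the choice to check the jail root plus its top-level directories are assumptions.

```shell
#!/bin/sh
# Added example: report group- or world-writable directories at the top
# of a chroot jail. Which paths matter to jk_chrootsh is an assumption
# here; this checks the jail root and its immediate subdirectories.

# audit_jail JAIL
#   prints "unsafe: <mode> <path>" for every offending directory
#   returns 0 if none found, 1 if any found, 2 if JAIL is not a directory
audit_jail() {
    jail=$1
    [ -d "$jail" ] || { echo "audit_jail: $jail: not a directory" >&2; return 2; }

    # -perm -020: group write bit set; -perm -002: other write bit set
    unsafe=$(find "$jail" -maxdepth 1 -type d \
                 \( -perm -020 -o -perm -002 \) -print)
    [ -n "$unsafe" ] || return 0

    printf '%s\n' "$unsafe" | while IFS= read -r d; do
        # first 10 characters of ls -ld are the type and permission bits
        printf 'unsafe: %s %s\n' "$(ls -ld "$d" | cut -c1-10)" "$d"
    done
    return 1
}

# When called with a path, audit it and exit with the function's status.
if [ $# -gt 0 ]; then
    audit_jail "$1"
    exit $?
fi
```

Running it against the jail path from the log before and after the `chmod g-w` workaround shows whether the mode copied from the host's /bin is what the jail check objects to.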

