Hi all! I am currently testing ISPConfig with Debian Jessie and Jailkit. Apparently the chrooted SSH users are not able to log on. I'm using Debian GNU/Linux Jessie (8.5) with Jailkit 2.19. When reviewing /var/log/auth.log at the time that the users try to connect via SSH, is logged something as the following: ------------------------------------------------------------------------- Jun 27 15:37:57 ispconfig jk_chrootsh[19240]: path /var/www/clients/client1/web7/bin/ is group writable Jun 27 15:37:57 ispconfig jk_chrootsh[19240]: abort, /var/www/clients/client1/web7 is not a safe jail, check ownership and permissions. ------------------------------------------------------------------------- Adding the following to /usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh solves the problem: chmod g-w $CHROOT_HOMEDIR/bin I think that jailkit just copies the permissions that Debian has set as default for /bin which are different now according to the jailkit shell. There seems to be a difference in the permissions for stable compared to oldstable: ------------------------------------------------------------------------- root@pfc:~# cat /etc/debian_version 7.10 root@pfc:~# ls -ld /bin/ drwxr-xr-x 2 root root 4096 mar 6 16:14 /bin/ ------------------------------------------------------------------------- ------------------------------------------------------------------------- root@ispconfig:/var/www/clients/client1/web11# cat /etc/debian_version 8.5 root@ispconfig:/var/www/clients/client1/web11# ls -ld /bin/ drwxrwxr-x 2 root root 4096 Jun 9 16:20 /bin/ root@ispconfig:/var/www/clients/client1/web11# ls -ld ./bin/ drwxr-xr-x 2 root root 4096 Jun 28 15:37 ./bin/ ------------------------------------------------------------------------- Although I'm not sure why the Debian developers did this change or if it is a bug that should be reported. Any thoughts? Kind regards, Daniel
Attachment:
signature.asc
Description: OpenPGP digital signature