[Jailkit-dev] [bug #60178] sftp account is not limited at all on CentOS 8
From: Ming Wu
Subject: [Jailkit-dev] [bug #60178] sftp account is not limited at all on CentOS 8
Date: Fri, 5 Mar 2021 22:03:59 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Follow-up Comment #2, bug #60178 (project jailkit):
Dear Olivier:
Thanks for your swift reply! Below are all the steps that I performed to make the problem reappear.
are you sure jk_chrootsh is actually started?
# ps -ef | grep jk_chrootsh
root 1325 1260 0 02:59 pts/0 00:00:00 grep --color=auto jk_chrootsh
do you get any logging from jk_chrootsh if you ssh into the account?
ssh mike@192.168.1.115 # from ubuntu
mike@192.168.1.115's password:
Connection to 192.168.1.115 closed.
do you get the same logging if you sftp to that account?
Where is the log file?
# find / -iname "*auth.log*" # returns nothing
Ming Wu
--------------------
References:
1. https://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html
2. https://olivier.sessink.nl/jailkit/jailkit.8.html
# Add user mike
u=mike
adduser $u && echo "$u:$u" | chpasswd
# Initialise the jail
mkdir /srv/sftpjail
chown root:root /srv/sftpjail
chmod 0755 /srv/sftpjail
jk_init -v -j /srv/sftpjail jk_lsh sftp scp
jk_jailuser -m -j /srv/sftpjail mike
# see output of all commands above at the end
# View info for mike
cat /etc/passwd | grep mike
mike:x:1006:1008::/srv/sftpjail/./home/mike:/usr/sbin/jk_chrootsh
cat /srv/sftpjail/etc/passwd | grep mike
mike:x:1006:1008::/home/mike:/usr/sbin/jk_lsh
cat /srv/sftpjail/etc/jailkit/jk_lsh.ini
[mike]
paths= /usr/lib/
executables= /usr/lib/sftp-server
# reboot CentOS 8 server
# jk_socketd stuff is not performed
# sftp on Ubuntu 20.04.2
sftp mike@192.168.1.115
mike@192.168.1.115's password:
Connected to 192.168.1.115.
sftp> pwd
Remote working directory: /srv/sftpjail/home/mike
sftp> cd /var/www/html
sftp> get index.php a.txt
Fetching /var/www/html/index.php to a.txt
/var/www/html/index.php 100% 1228 133.9KB/s 00:00
sftp> bye
# mike successfully downloaded a file from /var/www/html
# Some log info: auth.log is not present in CentOS 8
journalctl --since=-1h > jaillog.txt
cat jaillog.txt # output at the end
----------
# u=mike
# adduser $u && echo "$u:$u" | chpasswd
# mkdir /srv/sftpjail
# chown root:root /srv/sftpjail
# chmod 0755 /srv/sftpjail
# jk_init -v -j /srv/sftpjail jk_lsh sftp scp
Source file(s) /lib/libnsl.so.1 do not exist
Source file(s) /lib64/libnsl.so.1 do not exist
Source file(s) /lib/libnss*.so.2 do not exist
Creating symlink /srv/sftpjail/lib64 to usr/lib64
Create directory /srv/sftpjail/usr
Create directory /srv/sftpjail/usr/lib64
Creating symlink /srv/sftpjail/usr/lib64/libnss_compat.so.2 to libnss_compat-2.28.so
Copying /lib64/libnss_compat-2.28.so to /srv/sftpjail/usr/lib64/libnss_compat-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libc.so.6 to libc-2.28.so
Copying /lib64/libc-2.28.so to /srv/sftpjail/usr/lib64/libc-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/ld-linux-x86-64.so.2 to ld-2.28.so
Copying /lib64/ld-2.28.so to /srv/sftpjail/usr/lib64/ld-2.28.so
Copying /lib64/libnss_sss.so.2 to /srv/sftpjail/usr/lib64/libnss_sss.so.2
Creating symlink /srv/sftpjail/usr/lib64/libnss_dns.so.2 to libnss_dns-2.28.so
Copying /lib64/libnss_dns-2.28.so to /srv/sftpjail/usr/lib64/libnss_dns-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libresolv.so.2 to libresolv-2.28.so
Copying /lib64/libresolv-2.28.so to /srv/sftpjail/usr/lib64/libresolv-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libnss_files.so.2 to libnss_files-2.28.so
Copying /lib64/libnss_files-2.28.so to /srv/sftpjail/usr/lib64/libnss_files-2.28.so
Copying /lib64/libnss_systemd.so.2 to /srv/sftpjail/usr/lib64/libnss_systemd.so.2
Creating symlink /srv/sftpjail/usr/lib64/librt.so.1 to librt-2.28.so
Copying /lib64/librt-2.28.so to /srv/sftpjail/usr/lib64/librt-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libcap.so.2 to libcap.so.2.26
Copying /lib64/libcap.so.2.26 to /srv/sftpjail/usr/lib64/libcap.so.2.26
Creating symlink /srv/sftpjail/usr/lib64/libmount.so.1 to libmount.so.1.1.0
Copying /lib64/libmount.so.1.1.0 to /srv/sftpjail/usr/lib64/libmount.so.1.1.0
Creating symlink /srv/sftpjail/usr/lib64/libgcc_s.so.1 to libgcc_s-8-20191121.so.1
Copying /lib64/libgcc_s-8-20191121.so.1 to /srv/sftpjail/usr/lib64/libgcc_s-8-20191121.so.1
Creating symlink /srv/sftpjail/usr/lib64/libpthread.so.0 to libpthread-2.28.so
Copying /lib64/libpthread-2.28.so to /srv/sftpjail/usr/lib64/libpthread-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libblkid.so.1 to libblkid.so.1.1.0
Copying /lib64/libblkid.so.1.1.0 to /srv/sftpjail/usr/lib64/libblkid.so.1.1.0
Creating symlink /srv/sftpjail/usr/lib64/libuuid.so.1 to libuuid.so.1.3.0
Copying /lib64/libuuid.so.1.3.0 to /srv/sftpjail/usr/lib64/libuuid.so.1.3.0
Copying /lib64/libselinux.so.1 to /srv/sftpjail/usr/lib64/libselinux.so.1
Creating symlink /srv/sftpjail/usr/lib64/libpcre2-8.so.0 to libpcre2-8.so.0.7.1
Copying /lib64/libpcre2-8.so.0.7.1 to /srv/sftpjail/usr/lib64/libpcre2-8.so.0.7.1
Creating symlink /srv/sftpjail/usr/lib64/libdl.so.2 to libdl-2.28.so
Copying /lib64/libdl-2.28.so to /srv/sftpjail/usr/lib64/libdl-2.28.so
Copying /lib64/libnss_resolve.so.2 to /srv/sftpjail/usr/lib64/libnss_resolve.so.2
Copying /lib64/libnss_myhostname.so.2 to /srv/sftpjail/usr/lib64/libnss_myhostname.so.2
Source file(s) /lib/i386-linux-gnu/libnsl.so.1 do not exist
Source file(s) /lib/i386-linux-gnu/libnss*.so.2 do not exist
Source file(s) /lib/x86_64-linux-gnu/libnsl.so.1 do not exist
Source file(s) /lib/x86_64-linux-gnu/libnss*.so.2 do not exist
Source file(s) /lib/arm-linux-gnueabihf/libnss*.so.2 do not exist
Source file(s) /lib/arm-linux-gnueabihf/libnsl*.so.1 do not exist
Create directory /srv/sftpjail/etc
Copying /etc/nsswitch.conf to /srv/sftpjail/etc/nsswitch.conf
Copying /etc/ld.so.conf to /srv/sftpjail/etc/ld.so.conf
Creating symlink /srv/sftpjail/etc/localtime to ../usr/share/zoneinfo/Asia/Shanghai
Create directory /srv/sftpjail/usr/share
Create directory /srv/sftpjail/usr/share/zoneinfo
Create directory /srv/sftpjail/usr/share/zoneinfo/Asia
Copying /usr/share/zoneinfo/Asia/Shanghai to /srv/sftpjail/usr/share/zoneinfo/Asia/Shanghai
Create directory /srv/sftpjail/usr/sbin
Copying /usr/sbin/jk_lsh to /srv/sftpjail/usr/sbin/jk_lsh
Create directory /srv/sftpjail/etc/jailkit
Copying /etc/jailkit/jk_lsh.ini to /srv/sftpjail/etc/jailkit/jk_lsh.ini
writing user root to /srv/sftpjail/etc/passwd
writing group root to /srv/sftpjail/etc/group
Source file(s) /lib/libnss_dns.so.2 do not exist
Source file(s) /lib/libnss_mdns*.so.2 do not exist
Copying /etc/resolv.conf to /srv/sftpjail/etc/resolv.conf
Copying /etc/host.conf to /srv/sftpjail/etc/host.conf
Copying /etc/hosts to /srv/sftpjail/etc/hosts
Copying /etc/protocols to /srv/sftpjail/etc/protocols
Copying /etc/services to /srv/sftpjail/etc/services
Source file(s) /usr/lib/sftp-server do not exist
Create directory /srv/sftpjail/usr/libexec
Create directory /srv/sftpjail/usr/libexec/openssh
Copying /usr/libexec/openssh/sftp-server to /srv/sftpjail/usr/libexec/openssh/sftp-server
Creating symlink /srv/sftpjail/usr/lib64/libcrypto.so.1.1 to libcrypto.so.1.1.1c
Copying /lib64/libcrypto.so.1.1.1c to /srv/sftpjail/usr/lib64/libcrypto.so.1.1.1c
Creating symlink /srv/sftpjail/usr/lib64/libutil.so.1 to libutil-2.28.so
Copying /lib64/libutil-2.28.so to /srv/sftpjail/usr/lib64/libutil-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libz.so.1 to libz.so.1.2.11
Copying /lib64/libz.so.1.2.11 to /srv/sftpjail/usr/lib64/libz.so.1.2.11
Creating symlink /srv/sftpjail/usr/lib64/libcrypt.so.1 to libcrypt.so.1.1.0
Copying /lib64/libcrypt.so.1.1.0 to /srv/sftpjail/usr/lib64/libcrypt.so.1.1.0
Source file(s) /usr/lib/misc/sftp-server do not exist
Source file(s) /usr/libexec/sftp-server do not exist
Source file(s) /usr/lib/openssh/sftp-server do not exist
Creating device /srv/sftpjail/dev/urandom
Creating device /srv/sftpjail/dev/null
Create directory /srv/sftpjail/usr/bin
Copying /usr/bin/scp to /srv/sftpjail/usr/bin/scp
# jk_jailuser -m -j /srv/sftpjail mike
----------
cat jaillog.txt
Mar 06 02:38:54 tpc8 unix_chkpwd[1231]: account mike has password changed in future
Mar 06 02:38:54 tpc8 sshd[1228]: Accepted password for mike from 192.168.1.112 port 56056 ssh2
Mar 06 02:38:54 tpc8 systemd[1]: Created slice User Slice of UID 1006.
Mar 06 02:38:54 tpc8 systemd[1]: Created slice system-user\x2druntime\x2ddir.slice.
Mar 06 02:38:54 tpc8 systemd[1]: Started /run/user/1006 mount wrapper.
Mar 06 02:38:54 tpc8 systemd[1]: Starting User Manager for UID 1006...
Mar 06 02:38:54 tpc8 systemd-logind[728]: New session 1 of user mike.
Mar 06 02:38:54 tpc8 systemd[1]: Started Session 1 of user mike.
Mar 06 02:38:54 tpc8 unix_chkpwd[1235]: account mike has password changed in future
Mar 06 02:38:54 tpc8 systemd[1233]: pam_unix(systemd-user:session): session opened for user mike by (uid=0)
Mar 06 02:38:54 tpc8 systemd[1233]: dbus.socket: Cannot add dependency job, ignoring: Access denied
Mar 06 02:38:54 tpc8 systemd[1233]: grub-boot-success.timer: Refusing to start, unit to trigger not loaded.
Mar 06 02:38:54 tpc8 systemd[1233]: Failed to start Mark boot as successful after the user session has run 2 minutes.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Sockets.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Timers.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Paths.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Basic System.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Default.
Mar 06 02:38:54 tpc8 systemd[1233]: Startup finished in 206ms.
Mar 06 02:38:54 tpc8 systemd[1]: Started User Manager for UID 1006.
Mar 06 02:38:54 tpc8 sshd[1228]: pam_unix(sshd:session): session opened for user mike by (uid=0)
Mar 06 02:39:15 tpc8 sshd[1241]: Received disconnect from 192.168.1.112 port 56056:11: disconnected by user
Mar 06 02:39:15 tpc8 sshd[1241]: Disconnected from user mike 192.168.1.112 port 56056
Mar 06 02:39:15 tpc8 sshd[1228]: pam_unix(sshd:session): session closed for user mike
Mar 06 02:39:15 tpc8 systemd-logind[728]: Session 1 logged out. Waiting for processes to exit.
Mar 06 02:39:15 tpc8 systemd-logind[728]: Removed session 1.
Mar 06 02:39:15 tpc8 systemd[1]: user-runtime-dir@1006.service: Unit not needed anymore. Stopping.
Mar 06 02:39:15 tpc8 systemd[1]: Stopping User Manager for UID 1006...
Mar 06 02:39:15 tpc8 systemd[1233]: Failed to enqueue exit.target job: Access denied
Mar 06 02:40:14 tpc8 sshd[1244]: Accepted password for root from 192.168.1.107 port 50339 ssh2
Mar 06 02:40:14 tpc8 systemd[1]: Created slice User Slice of UID 0.
Mar 06 02:40:14 tpc8 systemd[1]: Started /run/user/0 mount wrapper.
Mar 06 02:40:14 tpc8 systemd[1]: Starting User Manager for UID 0...
Mar 06 02:40:14 tpc8 systemd-logind[728]: New session 3 of user root.
Mar 06 02:40:14 tpc8 systemd[1]: Started Session 3 of user root.
Mar 06 02:40:14 tpc8 systemd[1249]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Paths.
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Timers.
Mar 06 02:40:15 tpc8 systemd[1249]: Starting D-Bus User Message Bus Socket.
Mar 06 02:40:15 tpc8 systemd[1249]: Listening on D-Bus User Message Bus Socket.
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Sockets.
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Basic System.
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Default.
Mar 06 02:40:15 tpc8 systemd[1249]: Startup finished in 188ms.
Mar 06 02:40:15 tpc8 systemd[1]: Started User Manager for UID 0.
Mar 06 02:40:15 tpc8 sshd[1244]: pam_unix(sshd:session): session opened for user root by (uid=0)
Reply to this item at: <https://savannah.nongnu.org/bugs/?60178>
Message sent via Savannah: https://savannah.nongnu.org/
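One check a defender would want after a report like this is a script that verifies, from the files alone, whether a jailkit account is actually wired up to its jail. The POSIX shell script below is an added example and is not part of jailkit or of this bug report; it assumes the layout shown in the transcript (a host /etc/passwd entry whose shell is jk_chrootsh and whose home has the JAIL/./home form, and a jk_lsh.ini inside the jail) and runs against constructed copies of those files rather than the live system. On that constructed input it flags the mismatch visible in the transcript: jk_lsh.ini allows /usr/lib/sftp-server, but jk_init reported that path as missing and copied the binary to /usr/libexec/openssh/sftp-server instead.

```shell
#!/bin/sh
# Added example, not jailkit's own code: offline sanity checks for a jailkit
# sftp account. It checks (1) that the host passwd entry hands the login to
# jk_chrootsh with a "JAIL/./home" style home directory, and (2) that every
# executable jk_lsh.ini allows for the user actually exists inside the jail.
# All file paths are parameters, so the checks can run against the live files
# or, as in the demo at the bottom, against constructed copies.

# Print one field of USER's entry in a passwd-format file (empty if absent).
passwd_field() {  # passwd_file user field_number
    awk -F: -v u="$2" -v f="$3" '$1 == u { print $f }' "$1"
}

# Return 0 if USER's host passwd entry names jk_chrootsh as the shell and a
# home directory of the form JAIL/./..., which is what jk_jailuser writes.
host_entry_jailed() {  # passwd_file user jail
    s=$(passwd_field "$1" "$2" 7)
    h=$(passwd_field "$1" "$2" 6)
    case "$s" in */jk_chrootsh) ;; *) return 1 ;; esac
    case "$h" in "$3"/./*) return 0 ;; *) return 1 ;; esac
}

# Print the executables listed under [USER] in a jk_lsh.ini, one per line.
# Accepts "executables= a, b c" (comma or space separated, optional blanks).
ini_executables() {  # ini_file user
    awk -v sec="[$2]" '
        $0 == sec                  { in_sec = 1; next }
        substr($0, 1, 1) == "["    { in_sec = 0 }
        in_sec && /^executables[ \t]*=/ {
            sub(/^executables[ \t]*=[ \t]*/, "")
            n = split($0, p, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (p[i] != "") print p[i]
        }' "$1"
}

# Print every executable jk_lsh.ini allows for USER that is missing (or not
# executable) under JAIL; return 0 when nothing is missing, 1 otherwise.
missing_jail_executables() {  # ini_file user jail
    rc=0
    for exe in $(ini_executables "$1" "$2"); do
        if [ ! -x "$3$exe" ]; then
            echo "$exe"
            rc=1
        fi
    done
    return $rc
}

# Run both checks, print a verdict, and return 0 only if both pass.
check_account() {  # passwd_file ini_file user jail
    ok=0
    if host_entry_jailed "$1" "$3" "$4"; then
        echo "ok: host passwd entry for $3 uses jk_chrootsh inside $4"
    else
        echo "FAIL: host passwd entry for $3 does not hand the login to jk_chrootsh in $4"
        ok=1
    fi
    if miss=$(missing_jail_executables "$2" "$3" "$4"); then
        echo "ok: every executable allowed for $3 exists in the jail"
    else
        echo "FAIL: jk_lsh.ini allows executables that are absent from the jail:"
        echo "$miss" | sed 's/^/    /'
        ok=1
    fi
    return $ok
}

# Constructed demo (not real system files) mirroring the report: the host
# passwd entry is correct, but jk_lsh.ini names /usr/lib/sftp-server while
# the binary was copied into the jail at /usr/libexec/openssh/sftp-server.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/jail/etc/jailkit" "$d/jail/usr/libexec/openssh"
    printf 'mike:x:1006:1008::%s/./home/mike:/usr/sbin/jk_chrootsh\n' "$d/jail" > "$d/passwd"
    printf '[mike]\npaths= /usr/lib/\nexecutables= /usr/lib/sftp-server\n' \
        > "$d/jail/etc/jailkit/jk_lsh.ini"
    : > "$d/jail/usr/libexec/openssh/sftp-server"
    chmod 755 "$d/jail/usr/libexec/openssh/sftp-server"
    echo "$d"
}

DEMO=$(build_demo)
if check_account "$DEMO/passwd" "$DEMO/jail/etc/jailkit/jk_lsh.ini" mike "$DEMO/jail"; then
    echo "static configuration is consistent"
else
    echo "static configuration is inconsistent; fix it before relying on the jail"
fi
rm -rf "$DEMO"
```

To run it against a real host, call `check_account /etc/passwd /srv/sftpjail/etc/jailkit/jk_lsh.ini mike /srv/sftpjail` as root. A passing result only shows that the static configuration is consistent; it does not replace the live sftp test in the transcript, which is the only thing that demonstrates whether the session is really confined.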