From: Ming Wu
Subject: [Jailkit-dev] [bug #60178] sftp account is not limited at all on CentOS 8
Date: Fri, 5 Mar 2021 22:03:59 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Follow-up Comment #2, bug #60178 (project jailkit):

Dear Olivier:

Thanks for your swift reply! Below are all the steps that I performed to make
the problem reappear.

are you sure jk_chrootsh is actually started?
        # ps -ef | grep jk_chrootsh
        root        1325    1260  0 02:59 pts/0    00:00:00 grep --color=auto jk_chrootsh
do you get any logging from jk_chrootsh if you ssh into the account?
        ssh mike@192.168.1.115 # from ubuntu
        mike@192.168.1.115's password:
        Connection to 192.168.1.115 closed.
do you get the same logging if you sftp to that account?
        Where is the log file?
        # find / -iname "*auth.log*" # returns nothing

Ming Wu

--------------------
References:
1. https://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html
2. https://olivier.sessink.nl/jailkit/jailkit.8.html

# Add user mike
u=mike
adduser $u && echo "$u:$u" | chpasswd

# Initialise the jail
mkdir /srv/sftpjail
chown root:root /srv/sftpjail
chmod 0755 /srv/sftpjail
jk_init -v -j /srv/sftpjail jk_lsh sftp scp
jk_jailuser -m -j /srv/sftpjail mike
# see output of all commands above at the end

# View info for mike
cat /etc/passwd | grep mike
mike:x:1006:1008::/srv/sftpjail/./home/mike:/usr/sbin/jk_chrootsh

cat /srv/sftpjail/etc/passwd | grep mike
mike:x:1006:1008::/home/mike:/usr/sbin/jk_lsh

cat /srv/sftpjail/etc/jailkit/jk_lsh.ini
[mike]
paths= /usr/lib/
executables= /usr/lib/sftp-server

# reboot CentOS 8 server
# jk_socketd stuff is not performed

# sftp on Ubuntu 20.04.2
sftp mike@192.168.1.115
mike@192.168.1.115's password:
Connected to 192.168.1.115.
sftp> pwd
Remote working directory: /srv/sftpjail/home/mike
sftp> cd /var/www/html
sftp> get index.php a.txt
Fetching /var/www/html/index.php to a.txt
/var/www/html/index.php                             100% 1228   133.9KB/s   00:00
sftp> bye
# mike successfully downloaded a file from /var/www/html

# Some log info: auth.log is not present in CentOS 8
journalctl --since=-1h > jaillog.txt
cat jaillog.txt # output at the end


----------
# u=mike
# adduser $u && echo "$u:$u" | chpasswd
# mkdir /srv/sftpjail
# chown root:root /srv/sftpjail
# chmod 0755 /srv/sftpjail
# jk_init -v -j /srv/sftpjail jk_lsh sftp scp
Source file(s) /lib/libnsl.so.1 do not exist
Source file(s) /lib64/libnsl.so.1 do not exist
Source file(s) /lib/libnss*.so.2 do not exist
Creating symlink /srv/sftpjail/lib64 to usr/lib64
Create directory /srv/sftpjail/usr
Create directory /srv/sftpjail/usr/lib64
Creating symlink /srv/sftpjail/usr/lib64/libnss_compat.so.2 to
libnss_compat-2.28.so
Copying /lib64/libnss_compat-2.28.so to
/srv/sftpjail/usr/lib64/libnss_compat-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libc.so.6 to libc-2.28.so
Copying /lib64/libc-2.28.so to /srv/sftpjail/usr/lib64/libc-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/ld-linux-x86-64.so.2 to ld-2.28.so
Copying /lib64/ld-2.28.so to /srv/sftpjail/usr/lib64/ld-2.28.so
Copying /lib64/libnss_sss.so.2 to /srv/sftpjail/usr/lib64/libnss_sss.so.2
Creating symlink /srv/sftpjail/usr/lib64/libnss_dns.so.2 to
libnss_dns-2.28.so
Copying /lib64/libnss_dns-2.28.so to
/srv/sftpjail/usr/lib64/libnss_dns-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libresolv.so.2 to libresolv-2.28.so
Copying /lib64/libresolv-2.28.so to /srv/sftpjail/usr/lib64/libresolv-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libnss_files.so.2 to
libnss_files-2.28.so
Copying /lib64/libnss_files-2.28.so to
/srv/sftpjail/usr/lib64/libnss_files-2.28.so
Copying /lib64/libnss_systemd.so.2 to
/srv/sftpjail/usr/lib64/libnss_systemd.so.2
Creating symlink /srv/sftpjail/usr/lib64/librt.so.1 to librt-2.28.so
Copying /lib64/librt-2.28.so to /srv/sftpjail/usr/lib64/librt-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libcap.so.2 to libcap.so.2.26
Copying /lib64/libcap.so.2.26 to /srv/sftpjail/usr/lib64/libcap.so.2.26
Creating symlink /srv/sftpjail/usr/lib64/libmount.so.1 to libmount.so.1.1.0
Copying /lib64/libmount.so.1.1.0 to /srv/sftpjail/usr/lib64/libmount.so.1.1.0
Creating symlink /srv/sftpjail/usr/lib64/libgcc_s.so.1 to
libgcc_s-8-20191121.so.1
Copying /lib64/libgcc_s-8-20191121.so.1 to
/srv/sftpjail/usr/lib64/libgcc_s-8-20191121.so.1
Creating symlink /srv/sftpjail/usr/lib64/libpthread.so.0 to
libpthread-2.28.so
Copying /lib64/libpthread-2.28.so to
/srv/sftpjail/usr/lib64/libpthread-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libblkid.so.1 to libblkid.so.1.1.0
Copying /lib64/libblkid.so.1.1.0 to /srv/sftpjail/usr/lib64/libblkid.so.1.1.0
Creating symlink /srv/sftpjail/usr/lib64/libuuid.so.1 to libuuid.so.1.3.0
Copying /lib64/libuuid.so.1.3.0 to /srv/sftpjail/usr/lib64/libuuid.so.1.3.0
Copying /lib64/libselinux.so.1 to /srv/sftpjail/usr/lib64/libselinux.so.1
Creating symlink /srv/sftpjail/usr/lib64/libpcre2-8.so.0 to
libpcre2-8.so.0.7.1
Copying /lib64/libpcre2-8.so.0.7.1 to
/srv/sftpjail/usr/lib64/libpcre2-8.so.0.7.1
Creating symlink /srv/sftpjail/usr/lib64/libdl.so.2 to libdl-2.28.so
Copying /lib64/libdl-2.28.so to /srv/sftpjail/usr/lib64/libdl-2.28.so
Copying /lib64/libnss_resolve.so.2 to
/srv/sftpjail/usr/lib64/libnss_resolve.so.2
Copying /lib64/libnss_myhostname.so.2 to
/srv/sftpjail/usr/lib64/libnss_myhostname.so.2
Source file(s) /lib/i386-linux-gnu/libnsl.so.1 do not exist
Source file(s) /lib/i386-linux-gnu/libnss*.so.2 do not exist
Source file(s) /lib/x86_64-linux-gnu/libnsl.so.1 do not exist
Source file(s) /lib/x86_64-linux-gnu/libnss*.so.2 do not exist
Source file(s) /lib/arm-linux-gnueabihf/libnss*.so.2 do not exist
Source file(s) /lib/arm-linux-gnueabihf/libnsl*.so.1 do not exist
Create directory /srv/sftpjail/etc
Copying /etc/nsswitch.conf to /srv/sftpjail/etc/nsswitch.conf
Copying /etc/ld.so.conf to /srv/sftpjail/etc/ld.so.conf
Creating symlink /srv/sftpjail/etc/localtime to
../usr/share/zoneinfo/Asia/Shanghai
Create directory /srv/sftpjail/usr/share
Create directory /srv/sftpjail/usr/share/zoneinfo
Create directory /srv/sftpjail/usr/share/zoneinfo/Asia
Copying /usr/share/zoneinfo/Asia/Shanghai to
/srv/sftpjail/usr/share/zoneinfo/Asia/Shanghai
Create directory /srv/sftpjail/usr/sbin
Copying /usr/sbin/jk_lsh to /srv/sftpjail/usr/sbin/jk_lsh
Create directory /srv/sftpjail/etc/jailkit
Copying /etc/jailkit/jk_lsh.ini to /srv/sftpjail/etc/jailkit/jk_lsh.ini
writing user root to /srv/sftpjail/etc/passwd
writing group root to /srv/sftpjail/etc/group
Source file(s) /lib/libnss_dns.so.2 do not exist
Source file(s) /lib/libnss_mdns*.so.2 do not exist
Copying /etc/resolv.conf to /srv/sftpjail/etc/resolv.conf
Copying /etc/host.conf to /srv/sftpjail/etc/host.conf
Copying /etc/hosts to /srv/sftpjail/etc/hosts
Copying /etc/protocols to /srv/sftpjail/etc/protocols
Copying /etc/services to /srv/sftpjail/etc/services
Source file(s) /usr/lib/sftp-server do not exist
Create directory /srv/sftpjail/usr/libexec
Create directory /srv/sftpjail/usr/libexec/openssh
Copying /usr/libexec/openssh/sftp-server to
/srv/sftpjail/usr/libexec/openssh/sftp-server
Creating symlink /srv/sftpjail/usr/lib64/libcrypto.so.1.1 to
libcrypto.so.1.1.1c
Copying /lib64/libcrypto.so.1.1.1c to
/srv/sftpjail/usr/lib64/libcrypto.so.1.1.1c
Creating symlink /srv/sftpjail/usr/lib64/libutil.so.1 to libutil-2.28.so
Copying /lib64/libutil-2.28.so to /srv/sftpjail/usr/lib64/libutil-2.28.so
Creating symlink /srv/sftpjail/usr/lib64/libz.so.1 to libz.so.1.2.11
Copying /lib64/libz.so.1.2.11 to /srv/sftpjail/usr/lib64/libz.so.1.2.11
Creating symlink /srv/sftpjail/usr/lib64/libcrypt.so.1 to libcrypt.so.1.1.0
Copying /lib64/libcrypt.so.1.1.0 to /srv/sftpjail/usr/lib64/libcrypt.so.1.1.0
Source file(s) /usr/lib/misc/sftp-server do not exist
Source file(s) /usr/libexec/sftp-server do not exist
Source file(s) /usr/lib/openssh/sftp-server do not exist
Creating device /srv/sftpjail/dev/urandom
Creating device /srv/sftpjail/dev/null
Create directory /srv/sftpjail/usr/bin
Copying /usr/bin/scp to /srv/sftpjail/usr/bin/scp
# jk_jailuser -m -j /srv/sftpjail mike

----------
cat jaillog.txt
Mar 06 02:38:54 tpc8 unix_chkpwd[1231]: account mike has password changed in
future
Mar 06 02:38:54 tpc8 sshd[1228]: Accepted password for mike from 192.168.1.112
port 56056 ssh2
Mar 06 02:38:54 tpc8 systemd[1]: Created slice User Slice of UID 1006.
Mar 06 02:38:54 tpc8 systemd[1]: Created slice
system-user\x2druntime\x2ddir.slice.
Mar 06 02:38:54 tpc8 systemd[1]: Started /run/user/1006 mount wrapper.
Mar 06 02:38:54 tpc8 systemd[1]: Starting User Manager for UID 1006...
Mar 06 02:38:54 tpc8 systemd-logind[728]: New session 1 of user mike.
Mar 06 02:38:54 tpc8 systemd[1]: Started Session 1 of user mike.
Mar 06 02:38:54 tpc8 unix_chkpwd[1235]: account mike has password changed in
future
Mar 06 02:38:54 tpc8 systemd[1233]: pam_unix(systemd-user:session): session
opened for user mike by (uid=0)
Mar 06 02:38:54 tpc8 systemd[1233]: dbus.socket: Cannot add dependency job,
ignoring: Access denied
Mar 06 02:38:54 tpc8 systemd[1233]: grub-boot-success.timer: Refusing to
start, unit to trigger not loaded.
Mar 06 02:38:54 tpc8 systemd[1233]: Failed to start Mark boot as successful
after the user session has run 2 minutes.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Sockets.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Timers.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Paths.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Basic System.
Mar 06 02:38:54 tpc8 systemd[1233]: Reached target Default.
Mar 06 02:38:54 tpc8 systemd[1233]: Startup finished in 206ms.
Mar 06 02:38:54 tpc8 systemd[1]: Started User Manager for UID 1006.
Mar 06 02:38:54 tpc8 sshd[1228]: pam_unix(sshd:session): session opened for
user mike by (uid=0)
Mar 06 02:39:15 tpc8 sshd[1241]: Received disconnect from 192.168.1.112 port
56056:11: disconnected by user
Mar 06 02:39:15 tpc8 sshd[1241]: Disconnected from user mike 192.168.1.112
port 56056
Mar 06 02:39:15 tpc8 sshd[1228]: pam_unix(sshd:session): session closed for
user mike
Mar 06 02:39:15 tpc8 systemd-logind[728]: Session 1 logged out. Waiting for
processes to exit.
Mar 06 02:39:15 tpc8 systemd-logind[728]: Removed session 1.
Mar 06 02:39:15 tpc8 systemd[1]: user-runtime-dir@1006.service: Unit not
needed anymore. Stopping.
Mar 06 02:39:15 tpc8 systemd[1]: Stopping User Manager for UID 1006...
Mar 06 02:39:15 tpc8 systemd[1233]: Failed to enqueue exit.target job: Access
denied
Mar 06 02:40:14 tpc8 sshd[1244]: Accepted password for root from 192.168.1.107
port 50339 ssh2
Mar 06 02:40:14 tpc8 systemd[1]: Created slice User Slice of UID 0.
Mar 06 02:40:14 tpc8 systemd[1]: Started /run/user/0 mount wrapper.
Mar 06 02:40:14 tpc8 systemd[1]: Starting User Manager for UID 0...
Mar 06 02:40:14 tpc8 systemd-logind[728]: New session 3 of user root.
Mar 06 02:40:14 tpc8 systemd[1]: Started Session 3 of user root.
Mar 06 02:40:14 tpc8 systemd[1249]: pam_unix(systemd-user:session): session
opened for user root by (uid=0)
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Paths.
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Timers.
Mar 06 02:40:15 tpc8 systemd[1249]: Starting D-Bus User Message Bus Socket.
Mar 06 02:40:15 tpc8 systemd[1249]: Listening on D-Bus User Message Bus
Socket.
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Sockets.
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Basic System.
Mar 06 02:40:15 tpc8 systemd[1249]: Reached target Default.
Mar 06 02:40:15 tpc8 systemd[1249]: Startup finished in 188ms.
Mar 06 02:40:15 tpc8 systemd[1]: Started User Manager for UID 0.
Mar 06 02:40:15 tpc8 sshd[1244]: pam_unix(sshd:session): session opened for
user root by (uid=0)

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?60178>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
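Added example, not part of Ming Wu's report or of the jailkit project: an offline POSIX sh check for two conditions a jailkit-based sftp jail depends on, run against constructed input. The first condition is the one Olivier's questions circle around: the host /etc/passwd entry must name jk_chrootsh as the shell and carry the "/./" marker that tells jk_chrootsh where the jail root is, while the copy inside the jail must name jk_lsh. The second goes beyond the report: if sshd routes sftp through internal-sftp (via Subsystem or a ForceCommand in a Match block), the session runs inside sshd itself and the user's login shell is never executed, so jk_chrootsh cannot start and nothing is confined. The function names, the unjailed passwd lines and the sshd_config fragments are all constructed for the demonstration; the two jailed passwd lines mirror the ones in the report.

```sh
#!/bin/sh
# Added example (not from the bug report or from jailkit).
# Offline checks for two reasons a jailkit sftp account might not be confined:
#  1. the host passwd entry must use jk_chrootsh and carry the "/./" marker,
#     and the jail's own passwd entry must use jk_lsh;
#  2. sshd must not select internal-sftp, which never runs the login shell.
# Every input below is constructed for the demonstration.

# check_passwd_entry PASSWD_LINE JAIL_DIR -> 0 if the host entry is jail-ready
check_passwd_entry() {
    line=$1
    jail=$2
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    case "$shell" in
        */jk_chrootsh) ;;
        *) printf 'shell is %s, not jk_chrootsh\n' "$shell" >&2; return 1 ;;
    esac
    case "$home" in
        "$jail"/./*) ;;
        *) printf 'home %s lacks the %s/./ marker\n' "$home" "$jail" >&2; return 1 ;;
    esac
    return 0
}

# check_jail_passwd_entry PASSWD_LINE -> 0 if the copy inside the jail uses jk_lsh
check_jail_passwd_entry() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        */jk_lsh) return 0 ;;
        *) printf 'jail shell is %s, not jk_lsh\n' "$shell" >&2; return 1 ;;
    esac
}

# sshd_uses_internal_sftp CONFIG_TEXT -> 0 if a Subsystem sftp or ForceCommand
# line selects internal-sftp (sshd keywords are case-insensitive, hence -i)
sshd_uses_internal_sftp() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*(Subsystem[[:space:]]+sftp|ForceCommand)[[:space:]]+internal-sftp'
}

# Constructed inputs. HOST_ENTRY and JAIL_ENTRY mirror the report; the rest are
# made-up counterexamples.
HOST_ENTRY='mike:x:1006:1008::/srv/sftpjail/./home/mike:/usr/sbin/jk_chrootsh'
JAIL_ENTRY='mike:x:1006:1008::/home/mike:/usr/sbin/jk_lsh'
UNJAILED_ENTRY='mike:x:1006:1008::/home/mike:/bin/bash'
NOMARKER_ENTRY='mike:x:1006:1008::/srv/sftpjail/home/mike:/usr/sbin/jk_chrootsh'
CFG_EXTERNAL='Subsystem sftp /usr/libexec/openssh/sftp-server'
CFG_INTERNAL='Subsystem sftp /usr/libexec/openssh/sftp-server
Match User mike
    ForceCommand internal-sftp'

# Stand-alone demonstration of the checks on the constructed data.
if check_passwd_entry "$HOST_ENTRY" /srv/sftpjail &&
   check_jail_passwd_entry "$JAIL_ENTRY" &&
   ! sshd_uses_internal_sftp "$CFG_EXTERNAL"; then
    echo "constructed setup passes the offline checks"
fi
if sshd_uses_internal_sftp "$CFG_INTERNAL"; then
    echo "constructed Match block would bypass jk_chrootsh for sftp sessions"
fi
```

To apply the same checks on a real host, feed `getent passwd mike`, the jail's /etc/passwd line and the output of `sshd -T` (which prints the effective configuration) to these functions; the script does not touch the system itself.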
