
From: Steve Mapes
Subject: Re: [Jailkit-users] How to allow a user from outside of jail to access a folder inside the jail?
Date: Fri, 14 Dec 2007 12:07:12 +0000
User-agent: Thunderbird (Windows/20071031)

I gave that a try, but I still get access denied problems.

This is what I am trying to achieve:

/jailroot/home/user1           The jail user's folder.
/jailroot/home/user1/upload    The folder where they place items to be imported by the webuser account.  Owner is user1, group is "jailusers", which includes user1 and webuser.
/www/uploads/user1             A symlink to /jailroot/home/user1/upload/

When the user SCPs files to their "upload" folder the files will, of course, be available to them inside of the jail through their home folder, but also appear in the /www/uploads/user1 folder where I want the webuser account to access them from outside of the jail.  The problem is that the webuser gets permission denied even though they are a member of the same group as the jailuser and the group has read/write access to the files.

This is how I created the jail in the first place; perhaps I've missed something out.

Create jail base:
    mkdir /jailroot
    chown root:root /jailroot
    chmod 0755 /jailroot

Add main requirements:
    jk_init -j /jail jk_lsh
    jk_init -j /jailroot scp

Add extra commands required by WinSCP:
    jk_cp -v -f /home/jailroot /bin/bash
    jk_cp -v -f /home/jailroot /bin/cp
    jk_cp -v -f /home/jailroot /bin/mv
    jk_cp -v -f /home/jailroot /bin/mkdir
    jk_cp -v -f /home/jailroot /bin/rmdir
    jk_cp -v -f /home/jailroot /bin/rm

Create new "jailusers" group, adding in existing non-jailed "webuser":
    vi /etc/group

Create new jailed account, forcing group to "jailusers":
    adduser user1 -g XXXXX

Set initial password:
    passwd user1

Add to jail user:
    jk_jailuser -j /jailroot user1

Edit the config file (/jailroot/etc/jailkit/jk_lsh.ini):
    paths= /usr/bin
    executables= /usr/bin/scp
    [group jailusers]
    allowed_jails= /jailroot
    skip_injail_passwd_check= 1

Point the user to use the right shell (/bin/bash for WinSCP):
    vi /jailroot/etc/passwd

Restart jk_socketd:
    killall jk_socketd

Create new uploads folder:
    mkdir /jailroot/home/user1/upload

Set owner + initial permissions:
    chown user1:jailuser /jailroot/home/user1/upload
    chmod 0660 upload

Create symlink for webuser to access the files from outside of the jail:
    ln -s /jailroot/home/user1/upload /www/uploads/user1

Olivier Sessink wrote:
> Steven Mapes wrote:
>> I've set up a jail with restricted access which is working fine.  My users can connect and SCP their data onto the server, however I've now hit upon a requirement that I'm stuck with and was hoping for some advice / tips.
>>
>> My jail is /jailroot
>> I have a folder /jailroot/home/user1/upload which is symlinked to /tmp/jailshare/pickup
>
> Perhaps I don't understand your requirements correctly. But every non-jailed process that has the permissions to access that folder can access it.
>
> Maybe I'm wrong, but I guess you're looking for a setup like this:
>
> /jailroot/home/user1 is your user's home directory
> /jailroot/srv/upload is a directory accessible by user1 and webuser
> user1 is jailed in /jailroot
> webuser is a regular user
>
> Would that work?
>
>> I can access this fine as root, but the problem is I need to have a cron running as the webservice that handles the files uploaded by the user.
>
> And the cron process should run inside or outside the jail? What are the requirements for the cron process?
