[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Jailkit-users] Question about jk_lsh usage

From: Paco Willers
Subject: [Jailkit-users] Question about jk_lsh usage
Date: Tue, 5 May 2015 18:06:31 +0200


I can't get jk_lsh to work, and I am probably doing something wrong. As a test I wish a jailed user to see the results of the pwd command after which the connection is closed. In real life I would like to automatically execute a different command with some arguments, but let's use pwd as an example.

I added the pwd command to /opt/myjail/etc/jailkit/jk_lsh.ini as follows:

paths = /bin
executables = /bin/pwd

Then I edited the user's shell in /opt/myjail/etc/passwd as follows:

myuser:x:1001:1001:,,,:/home/myuser:/usr/sbin/jk_lsh -c /bin/pwd

When loggin in as "myuser", the pwd command however is *not* executed. The /var/log/auth.log says:

May  5 17:24:54 myhost jk_chrootsh[933]: now entering jail /opt/myjail for user myuser (1001) with arguments
May  5 17:24:54 myhost jk_chrootsh[933]: ERROR: failed to execute shell /usr/sbin/jk_lsh -c /bin/pwd for user myuser (1001), check the permissions and libraries of /opt/myjail//usr/sbin/jk_lsh -c /bin/pwd

When I check these files' rights they are readable and executable by anyone, as they should:

address@hidden:~# ls -l /opt/myjail/usr/sbin/jk_lsh /opt/myjail/bin/pwd
-rwxr-xr-x 1 root root 30376 Mar 14 20:34 /opt/myjail/bin/pwd
-rwxr-xr-x 1 root root 14984 May  5 16:32 /opt/myjail/usr/sbin/jk_lsh

I think I'm doing something wrong, but what is it? I might have a misperception of how jk_lsh works, but the jk_lsh(8) manpage makes me think I'm doing it right. When I omit the "-c /bin/pwd" part in /opt/myjail/etc/passwd (so I then have "myuser:x:1001:1001:,,,:/home/myuser:/usr/sbin/jk_lsh") like in many howtos, /var/log/auth.log says:

May  5 17:46:20 myhost jk_lsh[985]: WARNING: user myuser (1001) tried to get an interactive shell session (/usr/sbin/jk_lsh), which is never allowed by jk_lsh

I managed to do it by using Bash instead of jk_lsh, and adding the lines "/bin/pwd" and "exit" to the user's .bashrc. But as I understand it, jk_lsh is better suitable for executing one command, and safer because it can only execute that command.

Have a nice day!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]