When loggin in as "myuser", the pwd command however is *not* executed. The /var/log/auth.log says:
May 5 17:24:54 myhost jk_chrootsh: now entering jail /opt/myjail for user myuser (1001) with arguments
May 5 17:24:54 myhost jk_chrootsh: ERROR: failed to execute shell /usr/sbin/jk_lsh -c /bin/pwd for user myuser (1001), check the permissions and libraries of /opt/myjail//usr/sbin/jk_lsh -c /bin/pwd
When I check these files' rights they are readable and executable by anyone, as they should:
address@hidden:~# ls -l /opt/myjail/usr/sbin/jk_lsh /opt/myjail/bin/pwd
-rwxr-xr-x 1 root root 30376 Mar 14 20:34 /opt/myjail/bin/pwd
-rwxr-xr-x 1 root root 14984 May 5 16:32 /opt/myjail/usr/sbin/jk_lsh
I think I'm doing something wrong, but what is it? I might have a misperception of how jk_lsh works, but the jk_lsh(8) manpage makes me think I'm doing it right. When I omit the "-c /bin/pwd" part in /opt/myjail/etc/passwd (so I then have "myuser:x:1001:1001:,,,:/home/myuser:/usr/sbin/jk_lsh") like in many howtos, /var/log/auth.log says:
May 5 17:46:20 myhost jk_lsh: WARNING: user myuser (1001) tried to get an interactive shell session (/usr/sbin/jk_lsh), which is never allowed by jk_lsh
I managed to do it by using Bash instead of jk_lsh, and adding the lines "/bin/pwd" and "exit" to the user's .bashrc. But as I understand it, jk_lsh is better suitable for executing one command, and safer because it can only execute that command.
Have a nice day!