From: jailkit-users-bounces+address@hidden <jailkit-users-bounces+address@hidden> on behalf of Olivier Sessink <address@hidden>
Sent: 09 March 2016 17:22
Subject: Re: [Jailkit-users] scp problem with jailkit
On 07-03-16 15:10, Johan Söderberg wrote:
When users who belong to group grp2 run scp with a wild card they get the following error:
scp address@hidden:testdir/* .
address@hidden's password:
scp: testdir/*: No such file or directory
However the directory exists and contains files:
address@hidden's password:
testfile2.txt 100% 0 0.0KB/s 00:00
The users who belong to group grp1 do not have the problem:
scp address@hidden:testdir/* .
address@hidden's password:
testfile1.txt 100% 0 0.0KB/s 00:00
testfile2.txt 100% 0 0.0KB/s 00:00
testfile3.txt 100% 0 0.0KB/s 00:00
you see the difference in the logging. jk_chrootsh logging is identical:
jk_chrootsh[16864]: now entering jail /opt/jails/jail1 for user tstusr1 (7000) with arguments -c scp -v -f testdir/*
jk_chrootsh[17241]: now entering jail /opt/jails/jail1 for user tstusr2 (7001) with arguments -c scp -v -f testdir/*
the next line is also identical:
jk_lsh[16864]: jk_lsh version 2.17, started
jk_lsh[17241]: jk_lsh version 2.17, started
but then the next line is different:
jk_lsh[16864]: executing command '/usr/bin/scp -v -f testdir/testfile1.txt testdir/testfile2.txt testdir/testfile3.txt' for user tstusr1 (7000)
jk_lsh[17241]: executing command '/usr/bin/scp -v -f testdir/*' for user tstusr2 (7001)
for tstusr1 the testdir/* is expanded to 3 files. But for tstusr2 it is not expanded at all. I see two causes:
- a very obscure bug in jailkit that is triggered in a way that this only happens for this second user
- the directory cannot be expanded, for example something is wrong with the permissions, or a typo in the directory name (the error message "No such file or directory" might be the correct error!!!)
can you check and double check the permissions and name of the home directory of user tstusr2 and the subdirectory testdir?
After adding "allow_word_expansion = 1" to the two groups I have in jk_lsh.ini it started working. So I think the bug is the other way around. The original jk_lsh.ini file looked like this:
[group grp1]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server
[group grp2]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server
With the above configuration, and if allow_word_expansion is 0 by default, it still lets users who are members of the group grp1 run scp with wildcards.
/Johan
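
The log comparison made by hand in this thread, as an added example that is not part of the original messages or of Jailkit: it pairs jk_chrootsh and jk_lsh lines by PID and reports whether the wildcard the client sent was still present in the command jk_lsh executed. The log text is constructed from the lines quoted above, and pairing by PID assumes both lines carry the same PID, as they do in that excerpt.

```python
import re

# Constructed sample: the jk_chrootsh / jk_lsh lines quoted in the thread,
# without syslog timestamp or host prefixes.
SAMPLE_LOG = """\
jk_chrootsh[16864]: now entering jail /opt/jails/jail1 for user tstusr1 (7000) with arguments -c scp -v -f testdir/*
jk_lsh[16864]: jk_lsh version 2.17, started
jk_lsh[16864]: executing command '/usr/bin/scp -v -f testdir/testfile1.txt testdir/testfile2.txt testdir/testfile3.txt' for user tstusr1 (7000)
jk_chrootsh[17241]: now entering jail /opt/jails/jail1 for user tstusr2 (7001) with arguments -c scp -v -f testdir/*
jk_lsh[17241]: jk_lsh version 2.17, started
jk_lsh[17241]: executing command '/usr/bin/scp -v -f testdir/*' for user tstusr2 (7001)
"""

REQUESTED = re.compile(r"jk_chrootsh\[(\d+)\]: now entering jail (\S+) for user (\S+) \(\d+\) with arguments -c (.*)$")
EXECUTED = re.compile(r"jk_lsh\[(\d+)\]: executing command '(.*)' for user \S+ \(\d+\)$")
GLOB_CHARS = re.compile(r"[*?\[]")


def has_glob(command):
    """True if any argument after the program name contains a wildcard."""
    return any(GLOB_CHARS.search(arg) for arg in command.split()[1:])


def correlate(log_text):
    """Pair jk_chrootsh and jk_lsh lines by PID and classify each session."""
    sessions = {}
    for line in log_text.splitlines():
        if m := REQUESTED.search(line):
            pid, jail, user, args = m.groups()
            sessions[pid] = {"user": user, "jail": jail, "requested": args, "executed": None}
        elif (m := EXECUTED.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)]["executed"] = m.group(2)
    for s in sessions.values():
        if s["executed"] is None:
            s["status"] = "no-exec-line"
        elif not has_glob(s["requested"]):
            s["status"] = "no-wildcard"
        elif has_glob(s["executed"]):
            s["status"] = "wildcard-not-expanded"
        else:
            s["status"] = "wildcard-expanded"
    return sessions


if __name__ == "__main__":
    for pid, s in correlate(SAMPLE_LOG).items():
        print(pid, s["user"], s["status"], "->", s["executed"])
```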