jailkit-users

Re: [Jailkit-users] jk_lsh[7742]: cannot find user info for USER guest:


From: John Pilkington
Subject: Re: [Jailkit-users] jk_lsh[7742]: cannot find user info for USER guest: Success (2)
Date: Wed, 9 Jan 2019 17:01:35 +0000

Hello Olivier,

I think I've solved the problem with libnss_compat.so.2 and related files which are in /lib/arm-linux-gnueabifh/ by copying that directory into the jail and adding the path to jk_init.ini. The tracefile from strace now seems to show all these files are found.

But I'm still getting "Connection closed" after entering the password for guest. 

I think I can see what is going wrong. 

Lines 1260 - 1266 from the last tracefile read

lstat64("/srv/sftpjail", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/srv/sftpjail/dev/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/srv/sftpjail/etc/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/srv/sftpjail/lib/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/srv/sftpjail/usr/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/srv/sftpjail/bin/", 0x7e8636d8) = -1 ENOENT (No such file or directory)
lstat64("/srv/sftpjail/sbin/", 0x7e8636d8) = -1 ENOENT (No such file or directory)

It's the last two of these lines (1265, 1266): it should not be looking in /srv/sftpjail/bin/ in line 1265, or /srv/sftpjail/sbin/ in 1266.

I think it should be looking in /srv/sftpjail/usr/bin/ and /srv/sftpjail/usr/sbin. But I don't understand why it is trying to lstat these locations anyway? The paths in jk_init.ini and jk_lsh.ini look OK to me?

Am I in the right area for what is going wrong, and which instruction should I change to put things right?

Once again, many thanks for your kind help. I feel that progress has been made and probably it's nearly right now. Sorry I can't figure it out for myself.

Best wishes,

John





On Mon, Jan 7, 2019 at 8:12 PM John Pilkington <address@hidden> wrote:
Thank you so much, Olivier - I'll try that on Wednesday when I next get back to it.

John

On Mon, Jan 7, 2019 at 7:47 PM Olivier Sessink <address@hidden> wrote:
On 05-01-19 13:27, John Pilkington wrote:
> Hello Olivier, and Happy New Year! I imagine this email will do
> nothing to make it happier, but here goes ...
>
> You will remember that I had a problem with making an sftp/scp only
> shell for a jailed user. On starting an sftp session, the connection
> closes immediately upon entering the password, and it looks like
> getpwnam() succeeds, but not actually in the way it should.
>
> Thank you very much for kindly offering to look at the trace logs
> produced by strace. Thank you also for telling me about strace: I can
> see that it is a hugely powerful tool and I was also delighted to find
> that it is included in the Raspbian Stretch OS on my Raspberry Pis.
> But, yes, I think it needs more expertise than I have to interpret the
> output.
>
> So I followed your excellent instructions about debugging without a
> shell in the jail, and obtained seven tracefiles. I take the liberty
> of including them all below, but I suspect that the last one, 2544, is
> the important one. Originally, this had about 1000 lines of "BAD FILE
> DESCRIPTOR" from line 234. I've removed all except the first and last
> few, but obviously there is something wrong here, though I cannot work
> out what it might be.
>
> To remind you, I have user "guest" with password "guest" jailed
> in /srv/sftpjail/home/guest.
>
> I have picked out what seem to me cardinal events in tracefile.2544;
> I'll set them out here so that you can see I have done at least some
> work for myself!
>
> Line 29:    chdir("srv/sftpjail/./home/guest") looks OK
> Line 36:    /etc/ssh/sshrc  No such file or directory. This may be the
> first sign of trouble? Certainly there is no such file or directory,
> either in /srv/sftpjail/etc or in /etc/ssh. Should there be? And
> should it be at the "real" root or the jailed root?
> Line 195: open /etc/passwd, return value 3: looks OK?
> Line 210: open /etc/group, return value 3: looks OK?
> Line 220: open /etc/jailkit/jk.chrootsh.ini, return value 3: looks OK?
> Line 234 onwards: "BAD FILE DESCRIPTOR" Oh dear
>
> Line 267 (re-numbered) chroot("/srv/ftpjail"), looks like we haven't
> failed terminally yet? 
> Line 292 chdir("/home/guest")
>
> Line 503 exited with 2. I assume that from here we recurse back
> through the other processes, at some point undoing the chroot at line
> 267. I haven't found that.
>
> Olivier, I feel really bad asking you to look at this stuff. Please
> let me know if you see anything obvious here, but I cannot ask you to
> spend a lot of time on it and will be very happy if you can just point
> me in the right direction. Am I anywhere near right in my interpretation?


Can you check if libnss_compat.so.2 from your real system is copied into
the jail? This library is related to user logins. In the logs it seeks
this library in several locations, such as
/usr/lib/arm-linux-gnueabihf/libnss_compat.so.2 and
/lib/tls/vfp/libnss_compat.so.2, /lib/libnss_compat.so.2

In jk_init.ini we only have /lib/x86_64-linux-gnu/libnss*.so.2 and
several others (such as i386), but you are running on a Raspberry Pi, so
there is no x86_64-linux-gnu directory. This could be the source of the
problem. (You might want to check jk_init.ini for more directories that
refer to x86_64.)

Olivier



--
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/




Attachment: jk_init.ini
Description: Binary data

Attachment: tracefile.24718
Description: Binary data

Attachment: jk_lsh.ini
Description: Binary data

