From: APseudoUtopia
Date: Mon, 5 Oct 2009 09:19:51 -0400
To: freebsd-questions@freebsd.org, olli@lurza.secnetix.de
Subject: Re: Jails: /bin/tcsh: Permission Denied

On Mon, Oct 5, 2009 at 5:51 AM, Oliver Fromme wrote:
> APseudoUtopia wrote:
>  > I'm setting up jails on my system. I started with a httpd jail for
>  > nginx and php to run in. I used ezjail to create it. I went through
>  > all the steps, and got a jail setup and working. I've logged in and
>  > out several times and installed a couple ports within the jail. I then
>  > added a non-privileged user by running "adduser" as root. However,
>  > that is when the problem came up. For some reason, I cannot switch to
>  > the unprivileged user. The shell is giving me a "Permission Denied"
>  > error.
>
> What are the permissions on /bin/tcsh inside the jail?
> Is it executable?  Are the permissions of all of its
> libraries correct?  ("ldd /bin/tcsh" will list the libs.)
> Are the permissions on the home directory correct?
>
> If everything else fails, trace the shell inside the jail
> (with strace, truss or ktrace).  It will list the exact
> system call that fails.
>
> By the way, I recommend that jails which contain daemons
> (such as webservers, databases etc.) do not contain login
> accounts.  In fact, I never put /bin/tcsh inside a jail
> that contains a webserver.  Apache certainly doesn't need
> it.  Some ports do need /bin/csh during the build process,
> but for building ports I recommend to use a separate jail
> anyway, create packages and pkg_add them in the actual
> webserver jail.
>
> Just my 2 cents.
>
> Best regards
>    Oliver
>

Hi,

Thanks for the tips. I'm new to jails, and I didn't think it was possible to build a jail without tcsh. What shell do you use then? Just /bin/sh?

/bin/tcsh works fine for root. I log into the jail by using the "ezjail-admin console" option, which in turn executes /usr/bin/login. It logs in as root with a working tcsh shell. I've even changed the prompt of the shell in /root/.cshrc within the jail. I don't think it's the tcsh binary itself, rather some other permission. However, the information you asked for is below.

As a matter of fact, I first ran into this problem when my web server (nginx) received a "permission denied" error for every file. While debugging it, I was asked to su to the "www" user. This is when I ran into this problem of getting a permission denied error for tcsh.

-r-xr-xr-x 2 root wheel 311400 Oct 5 05:34 /bin/tcsh

/bin/tcsh:
        libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
        libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
        libc.so.7 => /lib/libc.so.7 (0x2811d000)

-r--r--r-- 1 root wheel 258572 Oct 5 05:34 /lib/libncurses.so.7
-r--r--r-- 1 root wheel 32020 Oct 5 05:34 /lib/libcrypt.so.4
-r--r--r-- 1 root wheel 993092 Oct 5 05:34 /lib/libc.so.7

drwxr-xr-x 3 root wheel 512 Oct 5 07:49 home
drwxr-xr-x 2 jailuser jailuser 512 Oct 5 07:49 jailuser

The truss trace is on a pastebin (the output seemed too long for an email) located at http://pastebin.ca/1594445
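
Added example, not part of the original message: the checklist quoted above looks at the shell binary, its libraries and the home directory, and the same check applies to every directory above them, because exec and open return "Permission denied" when any path component lacks the search bit for the calling user. The function names and the demo tree are constructed for illustration; only the "other" mode bits are read, so ACLs and MAC policy are outside its scope.

```shell
#!/bin/sh
# Reports the first path component that a user who is neither the owner
# nor in the group cannot get past. Modes are read with ls -ldL, which
# follows symlinks, so the result does not depend on who runs the script.

# mode_other PATH: print the three "other" permission characters, e.g. "r-x".
mode_other() {
    m=$(ls -ldL "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$m" ] || return 1
    printf '%s\n' "$m" | cut -c8-10
}

# first_blocked ROOT PATH [x|r]: walk ROOT and each component of PATH below it.
# Directories on the way need search (x); the last entry needs the given bit
# (x for a program or home directory, r for a shared library).
# Prints the blocking entry, or nothing when the whole path is passable.
first_blocked() {
    cur=${1%/}; rest=${2#/}; need=${3:-x}
    [ -n "$cur" ] || cur=/
    while :; do
        bits=$(mode_other "$cur") || { printf '%s (missing)\n' "$cur"; return 0; }
        if [ -n "$rest" ]; then want=x; else want=$need; fi
        case $want$bits in
            x??[xt] | rr??) ;;                      # required bit is present
            *) printf '%s\n' "$cur"; return 0 ;;    # first blocking component
        esac
        [ -n "$rest" ] || return 0
        cur=${cur%/}/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
}

# Constructed demo tree standing in for a jail root (not data from the thread).
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/home/jailuser"
    : > "$t/bin/tcsh"
    chmod 755 "$t" "$t/home" "$t/home/jailuser"
    chmod 555 "$t/bin/tcsh"      # same mode as /bin/tcsh in the listing above
    chmod 750 "$t/bin"           # constructed fault on a parent directory
    first_blocked "$t" /bin/tcsh x | sed "s|^$t|<root>|"
    first_blocked "$t" /home/jailuser x
    rm -rf "$t"
}
demo
```

Inside a jail the call would be `first_blocked / /bin/tcsh x`, repeated with `r` for each library that ldd lists.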