Date: Mon, 5 Oct 2009 16:06:38 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: apseudoutopia@gmail.com (APseudoUtopia)
Cc: freebsd-questions@freebsd.org
Subject: Re: Jails: /bin/tcsh: Permission Denied
Message-ID: <200910051406.n95E6cFD013583@lurza.secnetix.de>
In-Reply-To: <27ade5280910050624w366d05f1yf9db6158db626ba3@mail.gmail.com>
APseudoUtopia wrote:
> > Thanks for the tips. I'm new to jails, and I didn't think it was
> > possible to build a jail without tcsh. What shell do you use then?
> > Just /bin/sh?

I never log into a jail. There's no reason to do that.

However, usually /bin/sh is required to run scripts, cron jobs and other
things. Also, some library functions such as system(3) and popen(3)
require /bin/sh. Those functions are used by many programs. So,
basically, you will almost always need to have /bin/sh in a jail.

But that doesn't mean that you have any login accounts inside the jail.
Usually the passwd inside your jail should only contain root and a few
pseudo users. The pseudo users (including root) should have no valid
password, no valid login shell, and in most cases no valid home
directory. There's no reason to make things easier for intruders.

Of course, that's only true for jails that contain services (i.e.
daemons). If you want to put shell users inside jails, that's a
completely different thing.

(I'm not using ezjail, FWIW.)

> > -r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh
> >
> > /bin/tcsh:
> >         libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
> >         libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
> >         libc.so.7 => /lib/libc.so.7 (0x2811d000)
> >
> > -r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
> > -r--r--r--  1 root  wheel   32020 Oct  5 05:34 /lib/libcrypt.so.4
> > -r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7
> >
> > drwxr-xr-x  3 root      wheel     512 Oct  5 07:49 home
> > drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser

Looks good. The only thing I noticed is that your /etc/login.conf.db
doesn't seem to be world-readable. It should have permissions 644, but
has only 600. However, I'm not sure if this might cause the kind of
problem you're seeing. But fixing the permissions is certainly worth a
try.

> > The truss trace is on a pastebin (the output seemed too long for an
> > email) located at http://pastebin.ca/1594445

Other than that, I didn't notice anything unusual in the trace.

> Sorry to reply again, but I have some further information.
>
> I used chpass to change the shell of the jailuser account. I tried
> /bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the
> same "Permission denied" error. Even nologin gave "Permission denied"
> instead of "This account is currently not available."

Yeah, when the trace aborts, it is still executing the su binary. It
doesn't get as far as actually trying to execute the shell.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht
München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"We, the unwilling, led by the unknowing, are doing the impossible
for the ungrateful. We have done so much, for so long, with so little,
we are now qualified to do anything with nothing."
        -- Mother Teresa
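Two checks from Oliver's reply, written up as an added POSIX sh example that is not part of the thread: it flags accounts in a jail's master.passwd that still have a usable password hash or login shell (a service jail should hold only root and locked pseudo users), and it verifies that login.conf.db carries the others-read bit (644 rather than the 600 seen here). The function names, the sample passwd entries and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the thread. All names and sample data are constructed.

# write_sample_passwd FILE: constructed master.passwd in FreeBSD's ten-field layout
# (name:hash:uid:gid:class:change:expire:gecos:home:shell). Two of the four
# entries are deliberately left in the state the thread warns against.
write_sample_passwd() {
    cat >"$1" <<'EOF'
# constructed sample, not a real jail's passwd
root:*:0:0::0:0:Charlie &:/root:/sbin/nologin
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/bin/sh
jailuser:$6$constructedhash$notarealhash:1001:1001::0:0:Jail User:/home/jailuser:/bin/tcsh
EOF
}

# audit_passwd FILE: print "user:reason[,reason]" for every account that could
# be logged into, i.e. a hash other than "*" or a shell other than nologin.
# Locked pseudo users (hash "*", shell nologin) produce no output.
audit_passwd() {
    awk -F: '
        /^#/ || NF < 10 { next }
        {
            reason = ""
            if ($2 != "*") reason = "password-set"
            if ($10 != "/sbin/nologin" && $10 != "/usr/sbin/nologin")
                reason = reason (reason != "" ? "," : "") "shell=" $10
            if (reason != "") print $1 ":" reason
        }' "$1"
}

# login_conf_db_readable FILE: return 0 when the others-read bit is set (e.g. 644),
# 1 when it is not (e.g. 600). su(1)/login(1) consult this file as the calling
# user, so a 600 file is unreadable to anyone but root. Parses ls(1) so it works
# on both BSD and GNU userlands without stat(1) format differences.
login_conf_db_readable() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -??????r*) return 0 ;;   # position 8 of the mode string is the others-read bit
        *)         return 1 ;;
    esac
}
```

Run `audit_passwd /path/to/jail/etc/master.passwd` against a real jail root to list every account that still needs locking.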