Date:      Mon, 5 Oct 2009 09:24:26 -0400
From:      APseudoUtopia <apseudoutopia@gmail.com>
To:        freebsd-questions@freebsd.org, olli@lurza.secnetix.de
Subject:   Re: Jails: /bin/tcsh: Permission Denied
Message-ID:  <27ade5280910050624w366d05f1yf9db6158db626ba3@mail.gmail.com>
In-Reply-To: <27ade5280910050619v6bd48173sb5099ba79c5ca1d3@mail.gmail.com>
References:  <27ade5280910050108w212a8d85h6071b5211f19425f@mail.gmail.com>  <200910050951.n959pkRA059227@lurza.secnetix.de> <27ade5280910050619v6bd48173sb5099ba79c5ca1d3@mail.gmail.com>


On Mon, Oct 5, 2009 at 9:19 AM, APseudoUtopia <apseudoutopia@gmail.com> wrote:
> On Mon, Oct 5, 2009 at 5:51 AM, Oliver Fromme <olli@lurza.secnetix.de> wrote:
>> APseudoUtopia <apseudoutopia@gmail.com> wrote:
>>  > I'm setting up jails on my system. I started with a httpd jail for
>>  > nginx and php to run in. I used ezjail to create it. I went through
>>  > all the steps, and got a jail set up and working. I've logged in and
>>  > out several times and installed a couple ports within the jail. I then
>>  > added a non-privileged user by running "adduser" as root. However,
>>  > that is when the problem came up. For some reason, I cannot switch to
>>  > the unprivileged user. The shell is giving me a "Permission Denied"
>>  > error.
>>
>> What are the permissions on /bin/tcsh inside the jail?
>> Is it executable?  Are the permissions of all of its
>> libraries correct?  ("ldd /bin/tcsh" will list the libs.)
>> Are the permissions on the home directory correct?
>>
>> If everything else fails, trace the shell inside the jail
>> (with strace, truss or ktrace).  It will list the exact
>> system call that fails.
>>
>> By the way, I recommend that jails which contain daemons
>> (such as webservers, databases etc.) do not contain login
>> accounts.  In fact, I never put /bin/tcsh inside a jail
>> that contains a webserver.  Apache certainly doesn't need
>> it.  Some ports do need /bin/csh during the build process,
>> but for building ports I recommend to use a separate jail
>> anyway, create packages and pkg_add them in the actual
>> webserver jail.
>>
>> Just my 2 cents.
>>
>> Best regards
>>   Oliver
>>
>>
>
> Hi,
>
> Thanks for the tips. I'm new to jails, and I didn't think it was
> possible to build a jail without tcsh. What shell do you use then?
> Just /bin/sh?
>
> /bin/tcsh works fine for root. I log into the jail by using the
> "ezjail-admin console" option, which in turn executes /usr/bin/login.
> It logs in as root with a working tcsh shell. I've even changed the
> prompt of the shell in /root/.cshrc within the jail. I don't think
> it's the tcsh binary itself, rather some other permission. However,
> the information you asked for is below.
>
> As a matter of fact, I first ran into this problem when my web server
> (nginx) received a "permission denied" error for every file.  While
> debugging it, I was asked to su to the "www" user. This is when I ran
> into this problem of getting a permission denied error for tcsh.
>
> -r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh
>
> /bin/tcsh:
>        libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
>        libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
>        libc.so.7 => /lib/libc.so.7 (0x2811d000)
>
> -r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
> -r--r--r--  1 root  wheel  32020 Oct  5 05:34 /lib/libcrypt.so.4
> -r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7
>
> drwxr-xr-x   3 root  wheel  512 Oct  5 07:49 home
> drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser
>
> The truss trace is on a pastebin (the output seemed too long for an
> email) located at http://pastebin.ca/1594445
>

Sorry to reply again, but I have some further information.

I used chpass to change the shell of the jailuser account. I tried
/bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the
same "Permission denied" error. Even nologin gave "Permission denied"
instead of "This account is currently not available."
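
The listings quoted above cover the shell, its libraries and the home directory. As an added example (not part of the original message, and not a diagnosis of this case), the sh function below applies the same kind of check to every directory above a file; `check_dirs` is a hypothetical name, the jail path in the usage comment is a placeholder, and the account under test is assumed to be neither owner nor group member of those directories.

```shell
#!/bin/sh
# Added example, not from the thread. check_dirs is a hypothetical helper name.
# Assumes the account under test is neither owner nor in the group of the
# directories, so only the "other" permission bits matter.

# other_bits PATH: print the three "other" characters of the ls mode string,
# e.g. "r-x" for drwxr-xr-x. Parsing ls -ld works on FreeBSD and Linux alike.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_dirs FILE: walk from FILE's directory up to /, print each directory
# that lacks the search (x) bit for others, return 1 if any was found.
check_dirs() {
    dir=$(dirname "$1")
    bad=0
    while :; do
        bits=$(other_bits "$dir")
        case $bits in
            ??[xt]) ;;                       # x, or t = sticky plus x
            *) echo "no search permission for others: $dir ($bits)"
               bad=1 ;;
        esac
        case $dir in /|.) break ;; esac      # reached the top
        dir=$(dirname "$dir")
    done
    return $bad
}

# Usage, for the shell and the libraries that ldd listed
# (the jail root below is a placeholder):
#   sh check_dirs.sh /path/to/jail/bin/tcsh /path/to/jail/lib/libc.so.7
for f in "$@"; do
    check_dirs "$f" || :
done
```

Run from the host, the walk includes the jail's root directory and everything above it; run inside the jail, it stops at the jail's own `/`.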


