From MAILER-DAEMON Thu Sep 03 11:06:15 2009
Date: Thu, 3 Sep 2009 11:05:25 -0400 (EDT)
From: Paul Mitchell
To: jailkit-users@nongnu.org
Subject: Re: [Jailkit-users] Adding a user to jail

On Sat, 29 Aug 2009, Olivier Sessink wrote:

>> ldconfig: Can't open configuration file /etc/ld.so.conf: No such file or
>> directory
>
> ldconfig is run for the jail, so it is referring to /home/jail/etc/ld.so.conf

Hello All,

Somehow I missed this comment! The problem resolved itself when I copied
/etc/ld.so.conf.d (and its contents) into /home/jail/etc.

> you did not specify any jailkit section in your jk_init commandline.
> Perhaps you wanted limitedshell in there too?

Yes, that got moved in when I made ld.so.conf work.

> did you enable logging in the jail? either use jk_socketd or configure
> your syslog to properly open /home/jail/dev/log

I just enabled it, I'm getting the following error when I try and log in:

WARNING: user pmitchel (11782) tried to get an interactive shell session
(/usr/sbin/jk_lsh), which is never allowed by jk_lsh

This is confusing!

Paul
==============================================================================
Paul Mitchell
Enterprise Systems
email: pmitchel@email.unc.edu
NOTE: new location: 440 Franklin, cubby 1213
NOTE: new desk phone: 919 962-2521 (Is here!^)
==============================================================================

From MAILER-DAEMON Thu Sep 03 11:46:14 2009
Date: Thu, 3 Sep 2009 11:46:03 -0400 (EDT)
From: Paul Mitchell
To: jailkit-users@nongnu.org
Subject: Re: [Jailkit-users] Adding a user to jail

On Thu, 3 Sep 2009, Paul Mitchell wrote:

> WARNING: user pmitchel (11782) tried to get an interactive shell session
> (/usr/sbin/jk_lsh), which is never allowed by jk_lsh

> This is confusing!

Note: I tried sftp and it allowed me to get and put a file! (I'll probably
get scp to work as well, once I update the /home/jail/etc/jailkit/jk_lsh.ini
file - the error was:

WARNING: user pmitchel (11782) tried to run 'scp -t drop', which is not
allowed according to /etc/jailkit/jk_lsh.ini).

and my jk_lsh.ini is:

[pmitchel]
paths= /usr/lib/
executables= /usr/libexec/openssh/sftp-server, /usr/bin/scp, /usr/lib/sftp-server
allow_word_expansion = 0
umask = 002

sftp is the primary purpose of the jailkit on this server, so I'm pretty
relieved. There is one more task, however:

It appears that one can create groups in jailkit - I have two separate
users, both in the same department, which need to upload files into a
common space.

We have a large amount of space NFS mounted from a SUN thumper, but it lies
outside of the /home/jail directory. I imagine there's no method for making
a soft or hard link to this space (since that would sort of defeat the idea
of a jail). Should I just declare this space my jail?

Thanks for your help,

Paul

From MAILER-DAEMON Thu Sep 03 14:45:56 2009
Date: Thu, 03 Sep 2009 20:45:49 +0200
From: Olivier Sessink
To: jailkit-users@nongnu.org
Subject: Re: [Jailkit-users] Adding a user to jail

Paul Mitchell wrote:
> On Thu, 3 Sep 2009, Paul Mitchell wrote:
>
>> WARNING: user pmitchel (11782) tried to get an interactive shell
>> session (/usr/sbin/jk_lsh), which is never allowed by jk_lsh
>
>> This is confusing!

an interactive shell is a shell like bash/ksh/etc. that waits for your
input. jk_lsh is a shell that will only immediately start another
executable given on the commandline. If it is started without an
executable on the commandline it will give this error. What did you do
that produced this log message?

> Note: I tried sftp and it allowed me to get and put a file! (I'll
> probably get scp to work as well, once I update the
> /home/jail/etc/jailkit/jk_lsh.ini file - the error was:
>
> WARNING: user pmitchel (11782) tried to run 'scp -t drop', which is not
> allowed according to /etc/jailkit/jk_lsh.ini).
>
> and my jk_lsh.ini is:
>
> [pmitchel]
> paths= /usr/lib/
> executables= /usr/libexec/openssh/sftp-server, /usr/bin/scp,
> /usr/lib/sftp-server
> allow_word_expansion = 0
> umask = 002

I assume you are referring to /home/jail/etc/jailkit/jk_lsh.ini ?

can you see if adding /usr/bin to 'paths' helps?

> sftp is the primary purpose of the jailkit on this server, so I'm pretty
> relieved.
> There is one more task, however:
>
> It appears that one can create groups in jailkit - I have two separate
> users, both in the same department, which need to upload files into a
> common space.

you can, just like normal groups. You need to copy the right pieces of
/etc/group to /etc/group to make it work.

> We have a large amount of space NFS mounted from a SUN thumper, but it
> lies outside of the /home/jail directory. I imagine there's no method
> for making a soft or hard link to this space (since that would sort of
> defeat the idea of a jail). Should I just declare this space my jail?

you concluded right ;-)

just mount the NFS share inside the jail. If you want you can add 'noexec'
and 'nosuid' mount options (not sure if these are valid for nfs mounts, but
give it a try).

Olivier

From MAILER-DAEMON Thu Sep 03 14:59:47 2009
Date: Thu, 3 Sep 2009 14:56:16 -0400 (EDT)
From: Paul Mitchell
To: jailkit-users@nongnu.org
Subject: Re: [Jailkit-users] Adding a user to jail

On Thu, 3 Sep 2009, Olivier Sessink wrote:

> an interactive shell is a shell like bash/ksh/etc. that waits for your input.
> jk_lsh is a shell that will only immediately start another executable given
> on the commandline. If it is started without an executable on the commandline
> it will give this error. What did you do that produced this log message?

Hello Olivier,

my command:

scp pmitchel@152.2.163.203:getit .

the error:

WARNING: user pmitchel (11782) tried to run 'scp -f getit', which is not
allowed according to /etc/jailkit/jk_lsh.ini

or

scp test pmitchel@152.2.163.203:drop
pmitchel@152.2.163.203's password:
lost connection

Sep 3 18:49:08 elndz01m jk_lsh[24368]: WARNING: user pmitchel (11782) tried to run 'scp -t drop', which is not allowed according to /etc/jailkit/jk_lsh.ini

>>
>> WARNING: user pmitchel (11782) tried to run 'scp -t drop', which is not
>> allowed according to /etc/jailkit/jk_lsh.ini).
>>
>> and my jk_lsh.ini is:
>>
>> [pmitchel]
>> paths= /usr/lib/
>> executables= /usr/libexec/openssh/sftp-server, /usr/bin/scp,
>> /usr/lib/sftp-server
>> allow_word_expansion = 0
>> umask = 002
>
> I assume you are referring to /home/jail/etc/jailkit/jk_lsh.ini ? can you see
> if adding /usr/bin to 'paths' helps?

My current jk_lsh.ini looks like:

[pmitchel]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/sftp-server, /usr/lib/openssh/sftp-server, /usr/libexec/openssh/sftp-server
allow_word_expansion = 0
umask = 002

As it turns out, my users are using an SSH/sftp client which jailkit
doesn't allow in. (I can run sftp from a unix command line, however, and it
works - but my users will be, for the most part, running windows).

>
>> sftp is the primary purpose of the jailkit on this server, so I'm pretty

> you can, just like normal groups. You need to copy the right pieces of
> /etc/group to /etc/group to make it work.

Ok, thanks.

>
> just mount the NFS share inside the jail. If you want you can add 'noexec'
> and 'nosuid' mount options (not sure if these are valid for nfs mounts, but
> give it a try).

great, thanks. If I can get the scp/ssh option to work, then I can go on
holiday! (to Ireland, yet).

Paul

From MAILER-DAEMON Fri Sep 04 11:38:14 2009
Date: Fri, 4 Sep 2009 17:39:14 +0200 (CEST)
From: "Olivier Sessink"
To: jailkit-users@nongnu.org
Subject: Re: [Jailkit-users] Adding a user to jail

> On Thu, 3 Sep 2009, Olivier Sessink wrote:
> As it turns out, my users are using an SSH/sftp client which jailkit
> doesn't allow in. (I can run sftp from a unix command line, however, and
> it works - but my users will be, for the most part, running windows).

I know 'WinSCP' has an option (the default) sftp with fallback that doesn't
work because it tries to get an interactive shell first before starting the
sftp session. If you use 'sftp without fallback' it works. For other clients
I assume they have similar options.

Olivier

From MAILER-DAEMON Sat Sep 19 03:44:56 2009
Date: Sat, 19 Sep 2009 03:44:47 -0400
From: Andrei Sereda
To: jailkit-users@nongnu.org
Subject: [Jailkit-users] jk_chrootlaunch and STDERR

Hello everybody,

I'm trying to chroot a java process and having some troubles. Will be glad
if you can help me.

Basically it drills down to having a process output information to STDERR.
I've done a simple script print-echo:

#!/bin/bash
echo >&1 "Echo to STDOUT"
echo >&2 "Echo to STDERR"

When executing the script as 'jk_chrootlaunch -j /srv/java -u test -x
/srv/java/home/test/print-echo' the output is

[root@srv ~]# jk_chrootlaunch -j /srv/java -u test -x /srv/java/home/test/print-echo
Echo to STDOUT

while for direct call /srv/java/home/test/print-echo the result is (as
expected)

[root@srv ~]# /srv/java/home/test/print-echo
Echo to STDOUT
Echo to STDERR

using strace reveals the common error : -1 EBADF (Bad file descriptor)

I know that jailkit closes all descriptors except stdin, stdout and stderr
but, still, it is supposed to work ?

see jk_chrootlaunch.c source:

/* open file descriptors can be used to break out of a chroot, so we
   close all of them, except for stdin,stdout and stderr */
while (i-- > 2) {
    while (close(i) != 0 && errno == EINTR);
}

Thanks for your help,
Andrei.

From MAILER-DAEMON Sun Sep 20 16:54:09 2009
Date: Sun, 20 Sep 2009 22:54:59 +0200
From: Olivier Sessink
To: jailkit-users@nongnu.org
Subject: Re: [Jailkit-users] jk_chrootlaunch and STDERR

Andrei Sereda wrote:
> Hello everybody,
>
> I'm trying to chroot a java process and having some troubles. Will be
> glad if you can help me.
>
> Basically it drills down to having a process output information to
> STDERR. I've done a simple script print-echo:
[..]
> see jk_chrootlaunch.c source:
> /* open file descriptors can be used to break out of a chroot, so we
> close all of them, except for stdin,stdout and stderr */
> while (i-- > 2) {
> while (close(i) != 0 && errno == EINTR);
> }

you're correct, the loop is incorrect, it closes i=2 which is stderr.

fixed in cvs

thanks for reporting

Olivier
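
The off-by-one discussed in this thread, as an added example that is not taken from jailkit or written by either poster: the quoted loop and one possible correction are each run in a forked child, which then reports whether fd 2 is still writable and whether a higher descriptor was closed. DEMO_FD_LIMIT, the function names and the use of /dev/null are assumptions of the example; the change actually committed to CVS is not shown on this page.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_FD_LIMIT 64  /* assumed start value for i; the page does not show it */
#define STDERR_OK     1   /* bit set when fd 2 is still writable afterwards */
#define LEAK_CLOSED   2   /* bit set when the extra descriptor was closed */

/* The loop as quoted from jk_chrootlaunch.c. "i > 2" is tested before the
 * decrement, so the final pass enters with i == 3 and calls close(2). */
void close_fds_quoted(int i)
{
    while (i-- > 2) {
        while (close(i) != 0 && errno == EINTR)
            ;
    }
}

/* One possible correction (not necessarily the change committed to CVS):
 * decrement first, so the body only ever sees i == limit-1 down to 3. */
void close_fds_corrected(int i)
{
    while (--i > 2) {
        while (close(i) != 0 && errno == EINTR)
            ;
    }
}

/* Runs one loop variant in a child so the caller's descriptors are untouched.
 * Returns a bitmask of STDERR_OK / LEAK_CLOSED, or -1 on failure. */
int check_in_child(void (*close_fds)(int))
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        int result = 0;
        int leaked;
        /* Give the child a known-good stderr, independent of the caller. */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull < 0 || dup2(devnull, STDERR_FILENO) < 0)
            _exit(127);
        /* A stand-in for a descriptor inherited from outside the jail. */
        leaked = fcntl(STDERR_FILENO, F_DUPFD, 10);
        if (leaked < 0 || leaked >= DEMO_FD_LIMIT)
            _exit(127);

        close_fds(DEMO_FD_LIMIT);

        /* With fd 2 closed this write fails with EBADF, as in the strace. */
        if (write(STDERR_FILENO, "x", 1) == 1)
            result |= STDERR_OK;
        if (fcntl(leaked, F_GETFD) == -1 && errno == EBADF)
            result |= LEAK_CLOSED;
        _exit(result);
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int quoted = check_in_child(close_fds_quoted);
    int corrected = check_in_child(close_fds_corrected);

    printf("quoted loop:    stderr usable=%d, extra fd closed=%d\n",
           (quoted & STDERR_OK) != 0, (quoted & LEAK_CLOSED) != 0);
    printf("corrected loop: stderr usable=%d, extra fd closed=%d\n",
           (corrected & STDERR_OK) != 0, (corrected & LEAK_CLOSED) != 0);
    return 0;
}
```

Both variants close the inherited descriptor, which is the security property the comment in the source asks for; only the corrected one leaves stderr usable for the launched process.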