This check can indeed be relaxed; it should allow '-su' as well.
I've improved this in CVS, please test.

Olivier

On 06/03/2013 05:08 AM, Marcus wrote:
Hi Olivier,

I am having a lot of trouble getting "su - testuser" to work if it includes a hyphen / dash (I am trying to have the profile run).

I know you mentioned "the jk_chrootsh code is very strict and aborts on anything that could be the start of hacking".

I looked at /var/log/auth.log and I am getting:

    jk_chrootsh[25433]: abort, jk_chrootsh is called as -su

I am looking at the source file jk_chrootsh.c for version 2.16 and I see this section, which looks like where the error is coming from, around line 206:

    if (strcmp(tmp, PROGRAMNAME) != 0 && strcmp(tmp, "su") != 0
            && (tmp[0] != '-' || strcmp(&tmp[1], PROGRAMNAME))) {
        DEBUG_MSG("wrong name, tmp=%s, &tmp[1]=%s\n", tmp, &tmp[1]);
        syslog(LOG_ERR, "abort, "PROGRAMNAME" is called as %s", argv[0]);
        exit(1);
    }

It looks like it should allow "su" with "-" but it does not. According to Rich's notes (if I am reading them correctly) he is able to do it with the dash. Is this a bug in the code somehow? I'm trying to test more and fix it. I am also trying to sign up for the dev list because maybe that is a better place for this question.

Thanks,
Marcus

That is probably because the jk_chrootsh code is very strict and aborts on anything that could be the start of hacking. su does a funny thing when calling the shell. su <> -c <> is explicitly enabled in the code (earlier versions aborted on su -c too).

Olivier

On 05/30/2013 02:56 AM, Marcus Eting wrote:
Thanks Olivier and Rich. I changed the shell for the user to bash in /home/jail/etc/etc so I can SSH into the box as the user and the jail seems to be working fine - I have a pretty good understanding of what's going on with things so I think it is set up right.

However, I can't "su testuser" but I was able to run "su testuser -c bash" to get the behavior I want - that bit of progress was pretty exciting. Do you know why it won't work without the "-c bash" ?

_______________________________________________
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users
--
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/
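
The name check quoted in the thread, next to one possible relaxation that also accepts "-su", as an added example that is not part of the original messages and is not Jailkit's actual CVS change. It assumes tmp is the last path component of argv[0]; the function names and sample inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PROGRAMNAME "jk_chrootsh"

/* Assumption: tmp in the quoted code is the last path component of argv[0]. */
static const char *last_component(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* The 2.16 condition from the thread, negated: returns 1 when the name passes. */
int strict_name_ok(const char *argv0)
{
    const char *tmp = last_component(argv0);
    return !(strcmp(tmp, PROGRAMNAME) != 0 && strcmp(tmp, "su") != 0
             && (tmp[0] != '-' || strcmp(&tmp[1], PROGRAMNAME)));
}

/* Hypothetical relaxation: drop one leading '-' (the login-shell marker),
 * then require an exact match against a fixed allow-list. */
int relaxed_name_ok(const char *argv0)
{
    static const char *const allowed[] = { PROGRAMNAME, "su" };
    const char *tmp = last_component(argv0);
    size_t i;

    if (tmp[0] == '-')
        tmp++;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(tmp, allowed[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed argv[0] samples; "-su" is the value from the auth.log line. */
    const char *samples[] = { "jk_chrootsh", "-jk_chrootsh", "su", "-su",
                              "/usr/sbin/jk_chrootsh", "-bash", "--su", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s strict=%d relaxed=%d\n", samples[i],
               strict_name_ok(samples[i]), relaxed_name_ok(samples[i]));
    return 0;
}
```

Of these samples only "-su" changes result between the two checks: the quoted condition accepts a leading '-' only when the rest equals PROGRAMNAME, while names such as "-bash" or "--su" are rejected by both.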