Hi Olivier,
I see that you made a change to also check for:
strcmp(tmp, "-su")!= 0
1. Thank you for making the recent changes in the cvs version of jailkit. "sudo - su testuser" now works on Ubuntu.
2. I have spent some time reading over the code for jk_chrootsh.c this afternoon. After reading up on the question http://unix.stackexchange.com/questions/38175/difference-between-login-shell-and-non-login-shell I understand why arg[0] can be not only jk_chrootsh but also su or -su and I was working on a similar workaround. I have to say I find the use of the tmp variable a little confusing - I see what it is doing, but I think it might be able to be coded and commented a little clearer.
3. One thing is still sort of broken, at least on Ubuntu - lines 553 - 560 of jk_chrootsh.c
    /* now execute the jailed shell */
    /*execl(pw->pw_shell, pw->pw_shell, NULL);*/
    newargv = malloc0((argc+1)*sizeof(char *));
    newargv[0] = shell;
    for (i=1;i<argc;i++) {
        newargv[i] = argv[i];
    }
    execv(shell, newargv);
When the script uses execv to call shell it isn't passing argv[0] correctly. Basically, it is omitting the first character - which causes (in my case) bash to run as a non-login shell ALWAYS and so it only runs /etc/bash.bashrc and never /etc/profile
I'm not a pro at C but I am going to be working on trying to fix 553 - 560 and maybe try to make 199 - 210 a little more readable. Let me know your thoughts - and also if I should be using the jailkit-dev list instead of this one.
Thanks again for jailkit - the more I work with it the more I like it. Also, I got cron working.
this check can be relaxed indeed, it should allow '-su' as well.
I've improved this in cvs, please test.
Olivier
On 06/03/2013 05:08 AM, Marcus wrote:
Hi Olivier,
I am having a lot of trouble getting "su - testuser" to work
if it includes a hyphen / dash ( I am trying to have the profile
run)
I know you mentioned "the jk_chrootsh code is very strict and
abort on anything that could be the start of hacking"
I looked at /var/log/auth.log and I am getting:
jk_chrootsh[25433]: abort, jk_chrootsh is called as -su
I am looking at the source file - jk_chrootsh.c for version
2.16 and I see this section which looks like where the error is
coming from around line 206:
    if (strcmp(tmp, PROGRAMNAME) != 0 && strcmp(tmp, "su")!= 0
            && (tmp[0] != '-' || strcmp(&tmp[1], PROGRAMNAME))) {
        DEBUG_MSG("wrong name, tmp=%s, &tmp[1]=%s\n", tmp, &tmp[1]);
        syslog(LOG_ERR, "abort, "PROGRAMNAME" is called as %s", argv[0]);
        exit(1);
    }
It looks like it should allow "su" with "-" but it is not.
According to Rich's notes (if I am reading it correctly) he is
able to do it with the dash. Is this a bug in the code somehow?
I'm trying to test more and fix it. I am also trying to sign up
for the dev list because maybe that is a better place for this
question.
Thanks,
Marcus
that is probably because the jk_chrootsh code is very strict and abort on anything that could be the start of hacking. su does a funny thing when calling the shell. su <> -c <> is explicitly enabled in the code (earlier versions aborted on su -c too).
Olivier
On 05/30/2013 02:56 AM, Marcus Eting wrote:
Thanks Olivier and Rich. I changed the
shell for the user to bash in /home/jail/etc/etc so I can
SSH into the box as the user and the jail seems to be
working fine - I have a pretty good understanding of what's
going on with things so I think it is set up right.
However, I can't "su testuser" but I was able to run "su
testuser -c bash" to get the behavior I want - that bit of
progress was pretty exciting. Do you know why it won't work
without the "-c bash" ?
_______________________________________________
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users
--
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/
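The two points raised in this thread, the strict allow-list on the invoked name and the login-shell dash that has to survive into the argv[0] handed to the jailed shell, shown together as an added example. This is not jailkit's code and not code from any poster; the function names argv0_allowed and build_shell_argv are hypothetical, and the "-" plus shell basename form of argv[0] is the usual login-shell convention, assumed here.

```c
/* Added example, not jailkit source; function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROGRAMNAME "jk_chrootsh"

/* Allow-list on the invoked name: PROGRAMNAME or su, each with at most
 * one leading '-'. Anything else ("--su", "sh", "") is rejected. */
int argv0_allowed(const char *name)
{
    if (name == NULL)
        return 0;
    if (name[0] == '-')
        name++;
    return strcmp(name, PROGRAMNAME) == 0 || strcmp(name, "su") == 0;
}

/* Build the argv for execv(shell, newargv). When the caller's argv[0]
 * starts with '-', argv[0] for the shell becomes "-" + basename(shell),
 * so the shell still starts as a login shell and reads /etc/profile. */
char **build_shell_argv(int argc, char **argv, const char *shell)
{
    const char *base = strrchr(shell, '/');
    char **newargv = calloc((size_t)argc + 1, sizeof(char *));
    char *dashed;
    int i;

    if (newargv == NULL)
        return NULL;
    newargv[0] = (char *)shell;            /* non-login default */
    if (argc > 0 && argv[0][0] == '-') {
        base = base ? base + 1 : shell;
        dashed = malloc(strlen(base) + 2); /* '-' + name + NUL */
        if (dashed == NULL) { free(newargv); return NULL; }
        sprintf(dashed, "-%s", base);
        newargv[0] = dashed;
    }
    for (i = 1; i < argc; i++)
        newargv[i] = argv[i];
    return newargv;                        /* calloc left the NULL terminator */
}

int main(void)
{
    char *sample[] = { "-su", NULL };      /* constructed argv, as in the auth.log line */
    char **v = argv0_allowed(sample[0]) ? build_shell_argv(1, sample, "/bin/bash") : NULL;
    if (v == NULL)
        return 1;
    printf("argv[0] passed to the shell: %s\n", v[0]);
    return 0;
}
```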