jailkit-users

Re: [Jailkit-users] is it possible to "sudo su - user" to a jailkit user


From: Marcus
Subject: Re: [Jailkit-users] is it possible to "sudo su - user" to a jailkit user?
Date: Mon, 3 Jun 2013 19:30:29 -0400

Hi Olivier,

I see that you made a change to also check for:

strcmp(tmp, "-su")!= 0

1. Thank you for making the recent changes in the cvs version of jailkit. "sudo - su testuser" now works on Ubuntu.

2. I have spent some time reading over the code for jk_chrootsh.c this afternoon. After reading up on the question http://unix.stackexchange.com/questions/38175/difference-between-login-shell-and-non-login-shell I understand why arg[0] can be not only jk_chrootsh but also su or -su and I was working on a similar workaround. I have to say I find the use of the tmp variable a little confusing - I see what it is doing, but I think it might be able to be coded and commented a little more clearly.

3. One thing is still sort of broken, at least on Ubuntu - lines 553 - 560 of jk_chrootsh.c


        /* now execute the jailed shell */
        /*execl(pw->pw_shell, pw->pw_shell, NULL);*/
        newargv = malloc0((argc+1)*sizeof(char *));
        newargv[0] = shell;
        for (i=1;i<argc;i++) {
                newargv[i] = argv[i];
        }
        execv(shell, newargv);


When the script uses execv to call shell it isn't passing argv[0] correctly. Basically, it is omitting the first character - which causes (in my case) bash to run as a non-login shell ALWAYS and so it only runs /etc/bash.bashrc and never /etc/profile

I'm not a pro at C but I am going to be working on trying to fix 553 - 560 and maybe try to make 199 - 210 a little more readable. Let me know your thoughts - and also if I should be using the jailkit-dev list instead of this one.

Thanks again for jailkit - the more I work with it the more I like it. Also, I got cron working.








On Jun 3, 2013, at 4:25 PM, Olivier Sessink <address@hidden> wrote:

this check can be relaxed indeed, it should allow '-su' as well.

I've improved this in cvs, please test.

Olivier

On 06/03/2013 05:08 AM, Marcus wrote:
Hi Olivier,

I am having a lot of trouble getting "su - testuser" to work if it includes a hyphen / dash ( I am trying to have the profile run)

I know you mentioned "the jk_chrootsh code is very strict and aborts on anything that could be the start of hacking"

I looked at /var/log/auth.log and I am getting:

jk_chrootsh[25433]: abort, jk_chrootsh is called as -su

I am looking at the source file - jk_chrootsh.c for version 2.16 and I see this section which looks like where the error is coming from around line 206:

        if (strcmp(tmp, PROGRAMNAME) != 0 && strcmp(tmp, "su")!= 0 && (tmp[0] != '-' || strcmp(&tmp[1], PROGRAMNAME))) {
                DEBUG_MSG("wrong name, tmp=%s, &tmp[1]=%s\n", tmp, &tmp[1]);
                syslog(LOG_ERR, "abort, "PROGRAMNAME" is called as %s", argv[0]);
                exit(1);
        }   


It looks like it should allow "su" with "-" but it is not. According to Rich's notes (if I am reading it correctly) he is able to do it with the dash. Is this a bug in the code somehow? I'm trying to test more and fix it. I am also trying to sign up for the dev list because maybe that is a better place for this question.

Thanks,
Marcus



On May 30, 2013, at 5:14 PM, Olivier Sessink <address@hidden> wrote:

that is probably because the jk_chrootsh code is very strict and aborts
on anything that could be the start of hacking. su does a funny thing
when calling the shell. su <> -c <> is explicitly enabled in the code
(earlier versions aborted on su -c too).

Olivier

On 05/30/2013 02:56 AM, Marcus Eting wrote:
Thanks Olivier and Rich. I changed the shell for the user to bash in /home/jail/etc/etc so I can SSH into the box as the user and the jail seems to be working fine - I have a pretty good understanding of what's going on with things so I think it is set up right.

However, I can't "su testuser" but I was able to run "su testuser -c bash" to get the behavior I want - that bit of progress was pretty exciting. Do you know why it won't work without the "-c bash"?
_______________________________________________
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users


--
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/
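
Added example, not part of the thread and not jailkit's own code: a stand-alone sketch of the two points discussed above, the strict argv[0] name check relaxed to accept "-su", and carrying a login request (leading '-') through to the shell's argv[0] so that bash reads /etc/profile. The function names, the basename handling and the sample values are assumptions made for illustration.

```c
/* Added example, not jailkit source. PROGRAMNAME and the accepted names are
 * from the thread; comparing the basename of argv[0] is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROGRAMNAME "jk_chrootsh"

/* Last path component of path (points into the same string). */
static const char *base_name(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* 1 if argv[0] is a name the wrapper accepts, including the relaxed "-su". */
int name_is_allowed(const char *argv0) {
    static const char *const ok[] = { PROGRAMNAME, "-" PROGRAMNAME, "su", "-su" };
    size_t i;
    if (argv0 == NULL) return 0;
    for (i = 0; i < sizeof(ok) / sizeof(ok[0]); i++)
        if (strcmp(base_name(argv0), ok[i]) == 0) return 1;
    return 0;
}

/* argv[0] for the jailed shell: "-<basename>" when we were invoked as a login
 * shell (leading '-'), otherwise the shell path. Caller frees; NULL on error. */
char *shell_argv0(const char *argv0, const char *shell) {
    int login = argv0 != NULL && base_name(argv0)[0] == '-';
    const char *name = login ? base_name(shell) : shell;
    size_t len = strlen(name) + 2;          /* optional '-' plus NUL */
    char *out = malloc(len);
    if (out != NULL) snprintf(out, len, "%s%s", login ? "-" : "", name);
    return out;
}

int main(void) {
    /* Constructed argv[0] values; /bin/bash stands in for the jailed shell. */
    const char *samples[] = { "jk_chrootsh", "-jk_chrootsh", "su", "-su", "-bash" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *a0 = shell_argv0(samples[i], "/bin/bash");
        printf("%-13s allowed=%d shell argv[0]=%s\n", samples[i],
               name_is_allowed(samples[i]), a0 ? a0 : "(alloc failed)");
        free(a0);
    }
    return 0;
}
```

An exact-match allowlist keeps the check as strict as before: any name outside the four listed still aborts, and only the leading '-' convention is forwarded to the shell.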

