Hi Olivier,
Here is my suggested fix. I have done the variable declarations right inline with the code so they are all together, and I'm sure there are lots of things that can be cleaned up, but it seems to work very well for me:
Testing it with the bash files echoing their paths shows that it is working:
address@hidden:/tmp/dev4/jailkit# su - jane /home/jail/etc/profile /home/jail/etc/bash.bashrc /home/jane/.profile /home/jane/.bashrc address@hidden:~$ logout
address@hidden:/tmp/dev4/jailkit# su jane /home/jail/etc/bash.bashrc /home/jane/.bashrc address@hidden:~$ exit address@hidden:/tmp/dev4/jailkit#
Best, M
Hi Olivier,
I see that you made a changet to also check for:
strcmp(tmp, "-su")!= 0
1. Thank you for making the recent changes in the cvs version of jailkit. "sudo - su testuser" now works on Ubuntu.
2. I have spent some time reading over the code for jk_chrootsh.c this afternoon. After reading up on the question http://unix.stackexchange.com/questions/38175/difference-between-login-shell-and-non-login-shell I understand why arg[0] can be not only jk_chrootsh but also su or -su and I was working on a similar workaround. I have to say I find the use of the tmp variable a little confusing - I see what it is doing, but I think it might be able to be coded and commented a little clearer.
3. One thing is still sort of broken, at least on Ubuntu - lines 553 - 560 of jk_chrootsh.c
/* now execute the jailed shell */ /*execl(pw->pw_shell, pw->pw_shell, NULL);*/ newargv = malloc0((argc+1)*sizeof(char *)); newargv[0] = shell; for (i=1;i<argc;i++) { newargv[i] = argv[i]; } execv(shell, newargv);
When the script uses execv to call shell it isn't passing argv[0] correctly. Basically, it is omitting the first character - which causes (in my case) bash to run as a non-login shell ALWAYS and so it only runs /etc/bash.bashrc and never /etc/profile
I'm not a pro at C but I am going to be working on trying to fix 553 - 560 and maybe try to make 199 - 210 a little more readable. Let me know your thoughts - and also if I should be using the jailkit-dev list instead of this one.
Thanks again for jailkit - the more I work with it the more I like it. Also, I got cron working.
this check can be relaxed indeed, it
should allow '-su' as well.
I've improved this in cvs, please test.
Olivier
On 06/03/2013 05:08 AM, Marcus wrote:
Hi Oliver,
I am having a lot of trouble getting "su - testuser" to work
if it includes a hyphen / dash ( I am trying to have the profile
run)
I know you mentioned "the jk_chrootsh code is very strict and
abort on anything that could be the start of hacking"
I looked at /var/log/auth.log and I am getting:
jk_chrootsh[25433]: abort, jk_chrootsh is called as -su
I am looking at the source file - jk_chrootsh.c for version
2.16 and I see this section which looks like where the error is
coming from around line 206:
if (strcmp(tmp,
PROGRAMNAME) != 0 && strcmp(tmp, "su")!= 0
&& (tmp[0] != '-' || strcmp(&tmp[1],
PROGRAMNAME))) {
DEBUG_MSG("wrong
name, tmp=%s, &tmp[1]=%s\n", tmp, &tmp[1]);
syslog(LOG_ERR,
"abort, "PROGRAMNAME" is called as %s", argv[0]);
exit(1);
}
It looks like it should allow "su" with "-" but it is not.
According to Rich's notes (if I am reading it correctly) he is
able to do it with the dash. Is this a bug in the code somehow?
I'm trying to test more and fix it. I am also trying to sign up
for the dev list because maybe that is a better place for this
question.
Thanks,
Marcus
that is probably because the jk_chrootsh
code is very strict and abort
on anything that could be the start of hacking. su does a
funny thing
when calling the shell. su <> -c <> is explicitly
enabled in the code
(earlier versions aborted on su -c too).
Olivier
On 05/30/2013 02:56 AM, Marcus Eting wrote:
Thanks Olivier and Rich. I changed the
shell for the user to bash in /home/jail/etc/etc so I can
SSH into the box as the user and the jail seems to be
working fine - I have a pretty good understanding of what's
going on with things so I think it is set up right.
However, I can't "su testuser" but I was able to run "su
testuser -c bash" to get the behavior I want - that bit of
progress was pretty exciting. Do you know why it won't work
without the "-c bash" ?
_______________________________________________
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users
--
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/
_______________________________________________
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users
_______________________________________________
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users
--
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/
_______________________________________________
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users
|