Date:      Mon, 5 Oct 2009 09:24:26 -0400
From:      APseudoUtopia <apseudoutopia@gmail.com>
To:        freebsd-questions@freebsd.org, olli@lurza.secnetix.de
Subject:   Re: Jails: /bin/tcsh: Permission Denied
Message-ID:  <27ade5280910050624w366d05f1yf9db6158db626ba3@mail.gmail.com>
In-Reply-To: <27ade5280910050619v6bd48173sb5099ba79c5ca1d3@mail.gmail.com>
References:  <27ade5280910050108w212a8d85h6071b5211f19425f@mail.gmail.com>  <200910050951.n959pkRA059227@lurza.secnetix.de> <27ade5280910050619v6bd48173sb5099ba79c5ca1d3@mail.gmail.com>

On Mon, Oct 5, 2009 at 9:19 AM, APseudoUtopia <apseudoutopia@gmail.com> wrote:
> On Mon, Oct 5, 2009 at 5:51 AM, Oliver Fromme <olli@lurza.secnetix.de> wrote:
>> APseudoUtopia <apseudoutopia@gmail.com> wrote:
>>  > I'm setting up jails on my system. I started with a httpd jail for
>>  > nginx and php to run in. I used ezjail to create it. I went through
>>  > all the steps, and got a jail setup and working. I've logged in and
>>  > out several times and installed a couple ports within the jail. I then
>>  > added a non-privileged user by running "adduser" as root. However,
>>  > that is when the problem came up. For some reason, I cannot switch to
>>  > the unprivileged user. The shell is giving me a "Permission Denied"
>>  > error.
>>
>> What are the permissions on /bin/tcsh inside the jail?
>> Is it executable?  Are the permissions of all of its
>> libraries correct?  ("ldd /bin/tcsh" will list the libs.)
>> Are the permissions on the home directory correct?
>>
>> If everything else fails, trace the shell inside the jail
>> (with strace, truss or ktrace).  It will list the exact
>> system call that fails.
>>
>> By the way, I recommend that jails which contain daemons
>> (such as webservers, databases etc.) do not contain login
>> accounts.  In fact, I never put /bin/tcsh inside a jail
>> that contains a webserver.  Apache certainly doesn't need
>> it.  Some ports do need /bin/csh during the build process,
>> but for building ports I recommend to use a separate jail
>> anyway, create packages and pkg_add them in the actual
>> webserver jail.
>>
>> Just my 2 cents.
>>
>> Best regards
>>   Oliver
>>
>>
>
> Hi,
>
> Thanks for the tips. I'm new to jails, and I didn't think it was
> possible to build a jail without tcsh. What shell do you use then?
> Just /bin/sh?
>
> /bin/tcsh works fine for root. I log into the jail by using the
> "ezjail-admin console" option, which in turn executes /usr/bin/login.
> It logs in as root with a working tcsh shell. I've even changed the
> prompt of the shell in /root/.cshrc within the jail. I don't think
> it's the tcsh binary itself, rather some other permission. However,
> the information you asked for is below.
>
> As a matter of fact, I first ran into this problem when my web server
> (nginx) received a "permission denied" error for every file.  While
> debugging it, I was asked to su to the "www" user. This is when I ran
> into this problem of getting a permission denied error for tcsh.
>
> -r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh
>
> /bin/tcsh:
>         libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
>         libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
>         libc.so.7 => /lib/libc.so.7 (0x2811d000)
>
> -r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
> -r--r--r--  1 root  wheel  32020 Oct  5 05:34 /lib/libcrypt.so.4
> -r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7
>
> drwxr-xr-x   3 root  wheel  512 Oct  5 07:49 home
> drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser
>
> The truss trace is on a pastebin (the output seemed too long for an
> email) located at http://pastebin.ca/1594445
>

Sorry to reply again, but I have some further information.

I used chpass to change the shell of the jailuser account. I tried
/bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the
same "Permission denied" error. Even nologin gave "Permission denied"
instead of "This account is currently not available."



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?27ade5280910050624w366d05f1yf9db6158db626ba3>
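
The permission checks suggested in the thread (the shell, the libraries listed by ldd, the home directory) look only at the final file, while an unprivileged user also needs search permission on every directory above it. The following is an added example, not part of the original messages: `check_path` is a hypothetical helper that walks a path from `/` down and prints each component whose "other" permission bits would stop such a user. It assumes the user is neither owner nor group member of any component and ignores ACLs and MAC policies.

```sh
#!/bin/sh
# Added example (not from the thread). check_path PATH NEED
#   NEED is the "other" permission the final component must have:
#   x for an executable such as a login shell, r for a shared library.
# Prints "MODE PATH" for each component that would stop a user who is
# neither the owner nor in the group; returns 1 if any was printed.
check_path() {
    cur=$1 need=$2 chain= blocked=0
    # Collect the path and all of its ancestors, root first.
    while :; do
        chain="$cur
$chain"
        case $cur in /|.) break ;; esac
        cur=$(dirname "$cur")
    done
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        mode=$(ls -ld "$p" 2>/dev/null | cut -c1-10)
        if [ -z "$mode" ]; then
            # The invoking user cannot even stat this component.
            echo "?????????? $p"; blocked=1; continue
        fi
        other=$(printf '%s' "$mode" | cut -c8-10)
        case $mode in
            d*) want=x ;;       # directories need search permission
            *)  want=$need ;;
        esac
        case $want in
            x) case $other in ??[xt]) ;; *) echo "$mode $p"; blocked=1 ;; esac ;;
            r) case $other in r??) ;;    *) echo "$mode $p"; blocked=1 ;; esac ;;
        esac
    done <<EOF
$chain
EOF
    return $blocked
}

# Usage inside the jail, as root, following the checks from the thread:
#   check_path /bin/tcsh x
#   ldd /bin/tcsh | awk '/=>/ {print $3}' |
#       while read -r lib; do check_path "$lib" r; done
#   check_path /home/jailuser x
```

No output and exit status 0 mean the mode bits along that path do not explain the error, and the truss trace is the next place to look.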