From: APseudoUtopia
Date: Mon, 5 Oct 2009 09:24:26 -0400
To: freebsd-questions@freebsd.org, olli@lurza.secnetix.de
Subject: Re: Jails: /bin/tcsh: Permission Denied

On Mon, Oct 5, 2009 at 9:19 AM, APseudoUtopia wrote:
> On Mon, Oct 5, 2009 at 5:51 AM, Oliver Fromme wrote:
>> APseudoUtopia wrote:
>>  > I'm setting up jails on my system. I started with a httpd jail for
>>  > nginx and php to run in. I used ezjail to create it. I went through
>>  > all the steps, and got a jail setup and working. I've logged in and
>>  > out several times and installed a couple ports within the jail. I then
>>  > added a non-privileged user by running "adduser" as root. However,
>>  > that is when the problem came up. For some reason, I cannot switch to
>>  > the unprivileged user. The shell is giving me a "Permission Denied"
>>  > error.
>>
>> What are the permissions on /bin/tcsh inside the jail?
>> Is it executable?  Are the permissions of all of its
>> libraries correct?  ("ldd /bin/tcsh" will list the libs.)
>> Are the permissions on the home directory correct?
>>
>> If everything else fails, trace the shell inside the jail
>> (with strace, truss or ktrace).  It will list the exact
>> system call that fails.
>>
>> By the way, I recommend that jails which contain daemons
>> (such as webservers, databases etc.) do not contain login
>> accounts.  In fact, I never put /bin/tcsh inside a jail
>> that contains a webserver.  Apache certainly doesn't need
>> it.  Some ports do need /bin/csh during the build process,
>> but for building ports I recommend to use a separate jail
>> anyway, create packages and pkg_add them in the actual
>> webserver jail.
>>
>> Just my 2 cents.
>>
>> Best regards
>>    Oliver
>>
>>
>
> Hi,
>
> Thanks for the tips. I'm new to jails, and I didn't think it was
> possible to build a jail without tcsh. What shell do you use then?
> Just /bin/sh?
>
> /bin/tcsh works fine for root. I log into the jail by using the
> "ezjail-admin console" option, which in turn executes /usr/bin/login.
> It logs in as root with a working tcsh shell. I've even changed the
> prompt of the shell in /root/.cshrc within the jail. I don't think
> it's the tcsh binary itself, rather some other permission. However,
> the information you asked for is below.
>
> As a matter-of-fact, I first ran into this problem when my web server
> (nginx) received a "permission denied" error for every file.  While
> debugging it, I was asked to su to the "www" user. This is when I ran
> into this problem of getting a permission denied error for tcsh.
>
> -r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh
>
> /bin/tcsh:
>         libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
>         libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
>         libc.so.7 => /lib/libc.so.7 (0x2811d000)
>
> -r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
> -r--r--r--  1 root  wheel  32020 Oct  5 05:34 /lib/libcrypt.so.4
> -r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7
>
> drwxr-xr-x   3 root  wheel  512 Oct  5 07:49 home
> drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser
>
> The truss trace is on a pastebin (the output seemed too long for an
> email) located at http://pastebin.ca/1594445
>

Sorry to reply again, but I have some further information. I used
chpass to change the shell of the jailuser account. I tried /bin/sh,
/bin/csh, /bin/tcsh, and /sbin/nologin.
All of those gave the same "Permission denied" error. Even nologin gave "Permission denied" instead of "This account is currently not available."
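
The permission checklist quoted above (binary, libraries, home directory) can be scripted; the following is an added example, not part of the original thread. It goes one step further than the listings in the message by also checking every directory on the way down, starting with the root itself, since an unprivileged user needs search permission on each one. The helper names `mode_of` and `first_blocked` are hypothetical, and the "other" permission bits are used as a conservative stand-in for a user who is neither owner nor group member.

```shell
#!/bin/sh
# Added example: find the first path component that a user who is neither
# owner nor group member cannot get past. Run as root inside the jail so
# that every entry can be listed. first_blocked is a hypothetical helper.

# Print the 10-character mode string (e.g. drwxr-xr-x), following symlinks.
mode_of() { ls -ldL "$1" | cut -c1-10; }

# first_blocked ROOT RELPATH [x]
#   ROOT     directory to start from ("/" inside the jail)
#   RELPATH  path below ROOT, e.g. bin/tcsh or lib/libc.so.7
#   x        also require other-execute on the final file (for binaries)
# Prints the offending entry and returns 1; returns 0 if nothing blocks,
# 2 if a component does not exist.
first_blocked() {
    cur=${1%/}                       # "/" becomes "" so "$cur/bin" is "/bin"
    filepat='???????r??'             # final file: readable by others
    if [ "${3:-}" = x ]; then filepat='???????r?[xt]'; fi   # and executable
    [ -e "${cur:-/}" ] || { echo "missing: ${cur:-/}"; return 2; }
    case $(mode_of "${cur:-/}") in
        d????????[xt]) ;;            # ROOT itself is searchable by others
        *) echo "${cur:-/}"; return 1 ;;
    esac
    old_ifs=$IFS; IFS=/; set -f
    set -- $2                        # split RELPATH on "/"
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        [ -e "$cur" ] || { echo "missing: $cur"; return 2; }
        case $(mode_of "$cur") in
            d????????[xt]) ;;        # directory: needs other-search (x)
            d*) echo "$cur"; return 1 ;;
            $filepat) ;;             # file: needs the bits chosen above
            *) echo "$cur"; return 1 ;;
        esac
    done
    return 0
}

# Usage: sh check.sh / bin/tcsh x       (binary)
#        sh check.sh / lib/libc.so.7    (library, read bit is enough)
if [ $# -ge 2 ]; then first_blocked "$@"; fi
```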