Date:      Mon, 5 Oct 2009 09:19:51 -0400
From:      APseudoUtopia <apseudoutopia@gmail.com>
To:        freebsd-questions@freebsd.org, olli@lurza.secnetix.de
Subject:   Re: Jails: /bin/tcsh: Permission Denied
Message-ID:  <27ade5280910050619v6bd48173sb5099ba79c5ca1d3@mail.gmail.com>
In-Reply-To: <200910050951.n959pkRA059227@lurza.secnetix.de>
References:  <27ade5280910050108w212a8d85h6071b5211f19425f@mail.gmail.com>  <200910050951.n959pkRA059227@lurza.secnetix.de>

On Mon, Oct 5, 2009 at 5:51 AM, Oliver Fromme <olli@lurza.secnetix.de> wrote:
> APseudoUtopia <apseudoutopia@gmail.com> wrote:
>  > I'm setting up jails on my system. I started with a httpd jail for
>  > nginx and php to run in. I used ezjail to create it. I went through
>  > all the steps, and got a jail setup and working. I've logged in and
>  > out several times and installed a couple ports within the jail. I then
>  > added a non-privileged user by running "adduser" as root. However,
>  > that is when the problem came up. For some reason, I cannot switch to
>  > the unprivileged user. The shell is giving me a "Permission Denied"
>  > error.
>
> What are the permissions on /bin/tcsh inside the jail?
> Is it executable?  Are the permissions of all of its
> libraries correct?  ("ldd /bin/tcsh" will list the libs.)
> Are the permissions on the home directory correct?
>
> If everything else fails, trace the shell inside the jail
> (with strace, truss or ktrace).  It will list the exact
> system call that fails.
>
> By the way, I recommend that jails which contain daemons
> (such as webservers, databases etc.) do not contain login
> accounts.  In fact, I never put /bin/tcsh inside a jail
> that contains a webserver.  Apache certainly doesn't need
> it.  Some ports do need /bin/csh during the build process,
> but for building ports I recommend to use a separate jail
> anyway, create packages and pkg_add them in the actual
> webserver jail.
>
> Just my 2 cents.
>
> Best regards
>   Oliver
>
>

Hi,

Thanks for the tips. I'm new to jails, and I didn't think it was
possible to build a jail without tcsh. What shell do you use then?
Just /bin/sh?

/bin/tcsh works fine for root. I log into the jail by using the
"ezjail-admin console" option, which in turn executes /usr/bin/login.
It logs in as root with a working tcsh shell. I've even changed the
prompt of the shell in /root/.cshrc within the jail. I don't think
it's the tcsh binary itself, rather some other permission. However,
the information you asked for is below.

As a matter of fact, I first ran into this problem when my web server
(nginx) received a "permission denied" error for every file.  While
debugging it, I was asked to su to the "www" user. This is when I ran
into this problem of getting a permission denied error for tcsh.

-r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh

/bin/tcsh:
        libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
        libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
        libc.so.7 => /lib/libc.so.7 (0x2811d000)

-r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
-r--r--r--  1 root  wheel  32020 Oct  5 05:34 /lib/libcrypt.so.4
-r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7

drwxr-xr-x   3 root  wheel  512 Oct  5 07:49 home
drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser

The truss trace is on a pastebin (the output seemed too long for an
email) located at http://pastebin.ca/1594445
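
The checks asked for in the quoted reply (the shell binary, each library listed by ldd, the home directory) can be extended to every parent directory on the way to those files. This is an added example, not part of the original message or of ezjail: the function names and the ROOT argument are hypothetical, and it assumes the account is neither owner nor group member of any component, so only the "other" permission bits are examined.

```shell
#!/bin/sh
# Added example. Assumption: the account is neither owner nor group member of
# any component, so only the "other" permission bits decide access.

# other_bits PATH: print the three "other" mode characters, e.g. "r-x".
other_bits() {
    ls -ld "$1" 2>/dev/null | cut -c8-10
}

# has_bit BITS r|x: succeed if BITS grants read or search/execute to others.
# A sticky directory shows "t" in place of "x" and is still searchable.
has_bit() {
    case $2 in
        r) case $1 in r??) return 0 ;; esac ;;
        x) case $1 in ??[xt]) return 0 ;; esac ;;
    esac
    return 1
}

# first_blocked ROOT REL NEED
#   ROOT  directory treated as "/" (a jail root seen from the host, or "/")
#   REL   normalized absolute path below ROOT, e.g. /bin/tcsh
#   NEED  bit required on the last component: x for a binary, r for a library
# Prints the first component others cannot pass and returns 1; otherwise
# prints nothing and returns 0.
first_blocked() {
    root=${1%/}; rel=$2; need=$3; cur=""
    has_bit "$(other_bits "$root/")" x || { echo /; return 1; }
    old_ifs=$IFS; IFS=/; set -f
    set -- $rel                      # split REL into its components
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ "$cur" = "$rel" ]; then want=$need; else want=x; fi
        has_bit "$(other_bits "$root$cur")" "$want" || { echo "$cur"; return 1; }
    done
    return 0
}

# Usage: sh thisfile ROOT REL NEED
if [ "$#" -eq 3 ]; then first_blocked "$@"; fi
```

For a home directory, pass x as NEED, since entering it requires search permission.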


