Date: Mon, 5 Oct 2009 09:19:51 -0400 From: APseudoUtopia <apseudoutopia@gmail.com> To: freebsd-questions@freebsd.org, olli@lurza.secnetix.de Subject: Re: Jails: /bin/tcsh: Permission Denied Message-ID: <27ade5280910050619v6bd48173sb5099ba79c5ca1d3@mail.gmail.com> In-Reply-To: <200910050951.n959pkRA059227@lurza.secnetix.de> References: <27ade5280910050108w212a8d85h6071b5211f19425f@mail.gmail.com> <200910050951.n959pkRA059227@lurza.secnetix.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 5, 2009 at 5:51 AM, Oliver Fromme <olli@lurza.secnetix.de> wrot= e: > APseudoUtopia <apseudoutopia@gmail.com> wrote: > =C2=A0> I'm setting up jails on my system. I started with a httpd jail fo= r > =C2=A0> nginx and php to run in. I used ezjail to create it. I went throu= gh > =C2=A0> all the steps, and got a jail setup and working. I've logged in a= nd > =C2=A0> out several times and installed a couple ports within the jail. I= then > =C2=A0> added a non-privileged user by running "adduser" as root. However= , > =C2=A0> that is when the problem came up. For some reason, I cannot switc= h to > =C2=A0> the unprivileged user. The shell is giving me a "Permission Denie= d" > =C2=A0> error. > > What are the permissions on /bin/tcsh inside the jail? > Is it executable? =C2=A0Are the permissions of all of its > libraries correct? =C2=A0("ldd /bin/tcsh" will list the libs.) > Are the permissions on the home directory correct? > > If everything else fails, trace the shell inside the jail > (with strace, truss or ktrace). =C2=A0It will list the exact > system call that fails. > > By the way, I recommend that jails which contain daemons > (such as webservers, databases etc.) do not contain login > accounts. =C2=A0In fact, I never put /bin/tcsh inside a jail > that contains a webserver. =C2=A0Apache certainly doesn't need > it. =C2=A0Some ports do need /bin/csh during the build process, > but for building ports I recommend to use a separate jail > anyway, create packages and pkg_add them in the actual > webserver jail. > > Just my 2 cents. > > Best regards > =C2=A0 Oliver > > Hi, Thanks for the tips. I'm new to jails, and I didn't think it was possible to build a jail without tcsh. What shell do you use then? Just /bin/sh? /bin/tcsh works for fine for root. I log into the jail by using the "ezjail-admin console" option, which in turn executes /usr/bin/login. It logs in as root with a working tcsh shell. I've even changed the prompt of the shell in /root/.cshrc within the jail. I don't think it's the tcsh binary itself, rather some other permission. However, the information you asked for is below. As a matter-of-fact, I first ran into this problem when my web server (nginx) received a "permission denied" error for every file. While debugging it, I was asked to su to the "www" user. This is when I ran into this problem of getting a permission denied error for tcsh. -r-xr-xr-x 2 root wheel 311400 Oct 5 05:34 /bin/tcsh /bin/tcsh: libncurses.so.7 =3D> /lib/libncurses.so.7 (0x280c5000) libcrypt.so.4 =3D> /lib/libcrypt.so.4 (0x28104000) libc.so.7 =3D> /lib/libc.so.7 (0x2811d000) -r--r--r-- 1 root wheel 258572 Oct 5 05:34 /lib/libncurses.so.7 -r--r--r-- 1 root wheel 32020 Oct 5 05:34 /lib/libcrypt.so.4 -r--r--r-- 1 root wheel 993092 Oct 5 05:34 /lib/libc.so.7 drwxr-xr-x 3 root wheel 512 Oct 5 07:49 home drwxr-xr-x 2 jailuser jailuser 512 Oct 5 07:49 jailuser The truss trace is on a pastebin (the output seemed too long for an email) located at http://pastebin.ca/1594445
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?27ade5280910050619v6bd48173sb5099ba79c5ca1d3>