Jails: /bin/tcsh: Permission Denied

Oliver Fromme olli at lurza.secnetix.de
Mon Oct 5 14:06:56 UTC 2009


APseudoUtopia wrote:
 > > Thanks for the tips. I'm new to jails, and I didn't think it was
 > > possible to build a jail without tcsh. What shell do you use then?
 > > Just /bin/sh?

I never log into a jail.  There's no reason to do that.

However, usually /bin/sh is required to run scripts,
cron jobs and other things.  Also, some library functions
such as system(3) and popen(3) require /bin/sh.  Those
functions are used by many programs.  So, basically,
you will almost always need to have /bin/sh in a jail.

But that doesn't mean that you have any login accounts
inside the jail.  Usually the passwd inside your jail
should only contain root and a few pseudo users.
The pseudo users (including root) should have no valid
password, no valid login shell, and in most cases no
valid home directory.  There's no reason to make things
easier for intruders.

Of course, that's only true for jails that contain
services (i.e. daemons).  If you want to put shell users
inside jails, that's a completely different thing.

(I'm not using ezjail, FWIW.)

 > > -r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh
 > > 
 > > /bin/tcsh:
 > >        libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
 > >        libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
 > >        libc.so.7 => /lib/libc.so.7 (0x2811d000)
 > > 
 > > -r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
 > > -r--r--r--  1 root  wheel  32020 Oct  5 05:34 /lib/libcrypt.so.4
 > > -r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7
 > > 
 > > drwxr-xr-x   3 root  wheel  512 Oct  5 07:49 home
 > > drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser

Looks good.  The only thing I noticed is that your
/etc/login.conf.db doesn't seem to be world-readable.
It should have permissions 644, but has only 600.
However, I'm not sure if this might cause the kind
of problem you're seeing.  But fixing the permissions
is certainly worth a try.

 > > The truss trace is on a pastebin (the output seemed too long for an
 > > email) located at http://pastebin.ca/1594445

Other than that, I didn't notice anything unusual in
the trace.

 > Sorry to reply again, but I have some further information.
 > 
 > I used chpass to change the shell of the jailuser account. I tried
 > /bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the
 > same "Permission denied" error. Even nologin gave "Permission denied"
 > instead of "This account is currently not available."

Yeah, when the trace aborts, it is still executing the
su binary.  It doesn't get as far as actually trying to
execute the shell.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry Court
Munich, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"We, the unwilling, led by the unknowing,
are doing the impossible for the ungrateful.
We have done so much, for so long, with so little,
we are now qualified to do anything with nothing."
        -- Mother Teresa
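As an added example (not part of the message above, and not Oliver's code), a POSIX sh audit of a jail root for the two conditions the reply discusses: accounts in /etc/master.passwd that still have a usable password or a login shell, and a login.conf.db that is not world-readable. The sample jail it builds is constructed data in a temp directory; the account list, hashes and paths are made up for the demo.

```shell
#!/bin/sh
# Audit a jail root for accounts that could still log in, plus the
# login.conf.db permission check. The sample jail built below is
# constructed data in a hypothetical temp directory, not a real jail.

# master.passwd(5) fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
# Returns 0 when every account is locked (no usable password and no login
# shell), 1 otherwise, printing each offending entry.
audit_jail_accounts() {
    rc=0
    while IFS=: read -r name pw uid gid class change expire gecos home shell; do
        case "$name" in ''|'#'*) continue ;; esac          # skip comments/blanks
        case "$pw" in
            '*'|'*LOCKED*'*|'!'*) ;;                         # no/locked password: fine
            '')  echo "$name: EMPTY password field (login without password)"; rc=1 ;;
            *)   echo "$name: has a usable password hash"; rc=1 ;;
        esac
        case "$shell" in
            ''|/sbin/nologin|/usr/sbin/nologin) ;;           # no login shell: fine
            *)   echo "$name: has login shell $shell"; rc=1 ;;
        esac
    done < "$1/etc/master.passwd"
    return $rc
}

# login.conf.db should be 644: the 8th character of the ls mode string is
# the "other read" bit, so this works on both FreeBSD and Linux ls.
login_conf_world_readable() {
    [ "$(ls -ld "$1/etc/login.conf.db" | cut -c8)" = r ]
}

# Build a constructed sample jail root under a temp dir and print its path.
make_sample_jail() {
    d=$(mktemp -d) && mkdir -p "$d/etc" || return 1
    cat > "$d/etc/master.passwd" <<'EOF'
# constructed sample, not a real jail's file
root:*LOCKED*$6$constructedhash:0:0::0:0:Charlie &:/root:/usr/sbin/nologin
daemon:*:1:1::0:0:Owner of many system processes:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
jailuser:$6$constructedhash:1001:1001::0:0:Jail User:/home/jailuser:/bin/tcsh
EOF
    touch "$d/etc/login.conf.db" && chmod 600 "$d/etc/login.conf.db"
    echo "$d"
}

jail=$(make_sample_jail)
audit_jail_accounts "$jail" || echo "accounts still need locking"
login_conf_world_readable "$jail" || echo "login.conf.db is not world-readable (should be 644)"
```

Running it against the constructed jail flags only jailuser (hash plus /bin/tcsh) and the 600 login.conf.db; point the functions at a real jail root with `audit_jail_accounts /path/to/jail`.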
