Jails: /bin/tcsh: Permission Denied
olli at lurza.secnetix.de
Mon Oct 5 14:06:56 UTC 2009
> > Thanks for the tips. I'm new to jails, and I didn't think it was
> > possible to build a jail without tcsh. What shell do you use then?
> > Just /bin/sh?
I never log into a jail. There's no reason to do that.

However, usually /bin/sh is required to run scripts,
cron jobs and other things. Also, some library functions
such as system(3) and popen(3) require /bin/sh. Those
functions are used by many programs. So, basically,
you will almost always need to have /bin/sh in a jail.

But that doesn't mean that you have any login accounts
inside the jail. Usually the passwd inside your jail
should only contain root and a few pseudo users.
The pseudo users (including root) should have no valid
password, no valid login shell, and in most cases no
valid home directory. There's no reason to make things
easier for intruders.

Of course, that's only true for jails that contain
services (i.e. daemons). If you want to put shell users
inside jails, that's a completely different thing.

(I'm not using ezjail, FWIW.)
> > -r-xr-xr-x 2 root wheel 311400 Oct 5 05:34 /bin/tcsh
> > /bin/tcsh:
> > libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
> > libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
> > libc.so.7 => /lib/libc.so.7 (0x2811d000)
> > -r--r--r-- 1 root wheel 258572 Oct 5 05:34 /lib/libncurses.so.7
> > -r--r--r-- 1 root wheel 32020 Oct 5 05:34 /lib/libcrypt.so.4
> > -r--r--r-- 1 root wheel 993092 Oct 5 05:34 /lib/libc.so.7
> > drwxr-xr-x 3 root wheel 512 Oct 5 07:49 home
> > drwxr-xr-x 2 jailuser jailuser 512 Oct 5 07:49 jailuser
Looks good. The only thing I noticed is that your
/etc/login.conf.db doesn't seem to be world-readable.
It should have permissions 644, but has only 600.
However, I'm not sure if this might cause the kind
of problem you're seeing. But fixing the permissions
is certainly worth a try.
> > The truss trace is on a pastebin (the output seemed too long for an
> > email) located at http://pastebin.ca/1594445
Other than that, I didn't notice anything unusual in
> Sorry to reply again, but I have some further information.
> I used chpass to change the shell of the jailuser account. I tried
> /bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the
> same "Permission denied" error. Even nologin gave "Permission denied"
> instead of "This account is currently not available."
Yeah, when the trace aborts, it is still executing the
su binary. It doesn't get as far as actually trying to
execute the shell.
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd
"We, the unwilling, led by the unknowing,
are doing the impossible for the ungrateful.
We have done so much, for so long, with so little,
we are now qualified to do anything with nothing."
-- Mother Teresa
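
As an added example (not part of the original post), here is a small sh function that audits a service jail's root directory against the points made above: accounts in etc/master.passwd with a usable password, a login shell or an existing home directory, and an etc/login.conf.db that is not world-readable. The function names, the demo jail and its account data are constructed for illustration.

```shell
#!/bin/sh
# audit_jail ROOT: print one finding per line for a service jail rooted at ROOT.
# Prints nothing when the jail matches the advice in the post.
audit_jail() {
    root=$1
    # FreeBSD master.passwd: name:password:uid:gid:class:change:expire:gecos:home:shell
    while IFS=: read -r name pass uid gid class change expire gecos home shell; do
        case $name in ''|'#'*) continue ;; esac
        case $pass in
            '*'*) ;;  # "*" or a "*LOCKED*" prefix: no password can match
            '')   echo "$name: empty password field" ;;
            *)    echo "$name: usable password hash" ;;
        esac
        case $shell in
            */nologin) ;;
            *) echo "$name: login shell $shell" ;;
        esac
        # Assumption of this example: /, /var/empty and /nonexistent are the
        # usual placeholder homes of pseudo users and are not reported.
        case $home in
            /|/var/empty|/nonexistent) ;;
            *) if [ -d "$root$home" ]; then
                   echo "$name: home directory $home exists in jail"
               fi ;;
        esac
    done < "$root/etc/master.passwd"
    db="$root/etc/login.conf.db"
    # find prints the path only if the "other read" bit is set
    if [ -e "$db" ] && [ -z "$(find "$db" -perm -0004)" ]; then
        echo "etc/login.conf.db: not world-readable (expected mode 644)"
    fi
}

# Constructed sample jail: two pseudo users plus one account like the thread's.
demo() {
    j=$(mktemp -d "${TMPDIR:-/tmp}/jail.XXXXXX")
    mkdir -p "$j/etc" "$j/home/jailuser"
    cat > "$j/etc/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
jailuser:$1$constructed$hash:1001:1001::0:0:Jail User:/home/jailuser:/bin/tcsh
EOF
    : > "$j/etc/login.conf.db"; chmod 600 "$j/etc/login.conf.db"
    audit_jail "$j"
    rm -rf "$j"
}

if [ $# -gt 0 ]; then audit_jail "$1"; else demo; fi
```

Run with a jail's root directory as the only argument to audit that jail; without arguments it audits the constructed sample.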