
Is it possible to enable sudo for a chrooted user (jailkit)?

I have Nextcloud installed inside a jailkit chrooted user and I am attempting to get the Nextcloud occ command to work correctly. The normally required form of the occ invocation is sudo -u www php occ integrity:check-core; however, due to ISPConfig's permissions structure, which is as follows:

# ls -la /var/www/clients/client1/web17 
total 60
drwxr-xr-x 15 root  root    4096 Nov 12 15:12 .
drwxr-xr-x  9 root  root    4096 Nov 12 14:50 ..
lrwxrwxrwx  1 root  root       7 Nov 12 15:09 bin -> usr/bin
drwxr-xr-x  2 web17 client1 4096 Nov 12 14:50 cgi-bin
drwxr-xr-x  2 root  root    4096 Nov 12 17:36 dev
drwxr-xr-x  8 root  root    4096 Nov 12 15:12 etc
drwxr-xr-x  4 root  root    4096 Nov 12 15:12 home
lrwxrwxrwx  1 root  root       7 Nov 12 15:09 lib -> usr/lib
lrwxrwxrwx  1 root  root       9 Nov 12 15:09 lib64 -> usr/lib64
drwxr-xr-x  2 root  root    4096 Nov 12 19:58 log
drwx--x---  2 web17 client1 4096 Nov 12 20:05 private
drwx------  2 web17 client1 4096 Nov 12 15:09 .ssh
drwxr-xr-x  2 root  root    4096 Nov 12 14:55 ssl
drwxrwx---  2 web17 client1 4096 Nov 12 20:09 tmp
drwxr-xr-x  8 root  root    4096 Nov 12 15:09 usr
drwxr-xr-x  4 root  root    4096 Nov 12 15:12 var
drwx--x--x 14 web17 client1 4096 Nov 12 20:09 web
drwx--x---  2 web17 client1 4096 Nov 12 14:50 webdav

I should be able to execute Nextcloud's occ command using

$ /bin/php7.3 ./occ integrity:check-core

but I get this error:

$ /bin/php7.3 ./occ integrity:check-core    
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"user_ispconfig","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"appointments","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"apporder","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"audioplayer_editor","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"audioplayer_sonos","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"camerarawpreviews","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"serverDI","method":"","url":"--","message":"The requested alias \"PreviewManager\" is deprecated. Please request \"OCP\\IPreview\" directly. This alias will be removed in a future Nextcloud version.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"contacts","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"drawio","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"encryption","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"extract","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"files_sharing","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"keeweb","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"maps","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":2,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"filesystem","method":"","url":"--","message":"Storage wrapper 'sharepermissions' was not registered via the 'OC_Filesystem - preSetup' hook which could cause potential problems.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"user_usage_report","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"metadata","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"ocdownloader","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"scanner","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"suspicious_login","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"transmission","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"video_converter","method":"","url":"--","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"news","method":"","url":"--","message":"new parser added : FeedIo\\Standard\\Json","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"news","method":"","url":"--","message":"new parser added : FeedIo\\Standard\\Atom","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"news","method":"","url":"--","message":"new parser added : FeedIo\\Standard\\Rss","userAgent":"--","version":"21.0.3.1"}
{"reqId":"Ykl9R7TRQ6T1TbaJjz1m","level":0,"time":"2021-11-17T14:40:05+00:00","remoteAddr":"","user":"--","app":"news","method":"","url":"--","message":"new parser added : FeedIo\\Standard\\Rdf","userAgent":"--","version":"21.0.3.1"}
Your data directory is invalid
Ensure there is a file called ".ocdata" in the root of the data directory.

Cannot create "data" directory
This can usually be fixed by giving the webserver write access to the root directory. See https://docs.nextcloud.com/server/21/go.php?to=admin-dir_permissions

An unhandled exception has been thrown:
Exception: Environment not properly prepared. in /web/lib/private/Console/Application.php:168
Stack trace:
#0 /web/console.php(99): OC\Console\Application->loadCommands(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#1 /web/occ(11): require_once('/web/console.ph...')

So now I have attempted to install sudo into the jailkit and added "web17" to the sudoers group (I know this is dangerous; I am on a test server, and if I can get it to work, I want to restrict the web17 user to a single command for Nextcloud).

In any case, I installed sudo into the jailkit according to this thread.
https://www.howtoforge.com/community/threads/add-more-applications-to-shell-user-jailkit-chroot.76409/

# jk_cp -j /var/www/clients/client3/web8/ /usr/bin/sudo

but now every time I execute:

$ sudo /bin/php7.3 ./occ integrity:check-core

I get the following error:

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

Is there a security feature that disallows me from running sudo inside the jailkit?
Did I add sudo to jailkit incorrectly?

minataur
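A diagnostic for the exact error quoted in the question, added here as an example and not part of the original post: it checks, for a binary under a jail root, the conditions sudo enforces at startup (owner uid 0 and the setuid bit) plus whether the underlying filesystem is mounted nosuid, which defeats the bit even when it is present. It assumes a Linux host with GNU stat and is run from outside the chroot; the jail path and binary name are the ones from the question.

```shell
#!/bin/sh
# Diagnose why a setuid binary copied into a chroot refuses to start.
# sudo checks at startup that its binary is owned by uid 0 and carries the
# setuid bit; a filesystem mounted nosuid defeats the bit even when set.
# Run from the host, outside the jail.

# Numeric owner uid of a file (GNU stat, assumed present on the host).
owner_uid() {
    stat -c '%u' "$1"
}

# 0 if the setuid bit is set on the file, 1 otherwise (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# 0 if the filesystem holding the path is mounted nosuid, 1 if not,
# 2 if unknown (no /proc/mounts, i.e. not Linux).
mount_has_nosuid() {
    [ -r /proc/mounts ] || return 2
    mp=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    awk -v mp="$mp" '$2 == mp { opts = $4 }
        END { exit (opts ~ /(^|,)nosuid(,|$)/) ? 0 : 1 }' /proc/mounts
}

# Report on one binary under a jail root; return 0 only if sudo would
# accept it (all three conditions hold).
check_suid_binary() {
    jail=$1 path="$1/$2" rc=0
    [ -e "$path" ] || { echo "FAIL  $path does not exist"; return 1; }
    uid=$(owner_uid "$path")
    if [ "$uid" -eq 0 ]; then echo "ok    owned by uid 0"
    else echo "FAIL  owned by uid $uid, sudo requires uid 0"; rc=1; fi
    if is_setuid "$path"; then echo "ok    setuid bit set"
    else echo "FAIL  setuid bit missing"; rc=1; fi
    m=0; mount_has_nosuid "$path" || m=$?
    case $m in
        0) echo "FAIL  filesystem under $jail is mounted nosuid"; rc=1 ;;
        1) echo "ok    mount permits setuid execution" ;;
        *) echo "?     could not determine mount options" ;;
    esac
    return $rc
}

# Check the jail root and binary named in the question (skipped if absent).
if [ -d /var/www/clients/client1/web17 ]; then
    check_suid_binary /var/www/clients/client1/web17 usr/bin/sudo
fi
```

jailkit's jk_cp removes setuid bits when copying unless it is explicitly told to keep them, which is the usual cause of this message. A setuid sudo inside the jail reads the jail's own /etc/sudoers, so that file and the directories leading to it must stay root-owned and unwritable by the jailed user, with the rule limited to the single occ command the question intends.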

0 Answers