
As part of a bigger setup (a docker container with a safe environment for running python scripts), I need to configure a jailed user. I have looked at different options and decided to try Jailkit. Unfortunately, I have a problem with trying to set up a jail for the user - basically, the jail does not work for me at all. The steps I have done are:

```
# install jailkit
apt-get install -y wget make python2.7 gcc
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar -xzvf jailkit-2.19.tar.gz
cd jailkit-2.19
./configure; make;
sudo checkinstall

# create new user
sudo adduser --disabled-password --gecos Python python

# create a jail for this user
sudo mkdir /home/tjail
sudo jk_init -v -j /home/tjail jk_lsh
sudo jk_init -v -j /home/tjail basicshell
sudo jk_jailuser -m -j /home/tjail python
```

Now I expected to try to login as this user:

```
sudo su - python
```

However, nothing happens after I execute this command; I'm not getting switched to the jailed user. Do you know what could be wrong?

I'm using Ubuntu 12.04, but also have the same issue on 14.04...

UPDATE: /etc/passwd looks good:

```
python:x:1001:1001:Python,,,:/home/tjail/./home/python:/usr/sbin/jk_chrootsh
```

UPDATE 2: I have also tried changing /usr/sbin/jk_chrootsh to /bin/bash. Now I can su to this user, but then the jail seems not to be working. E.g., I can go to the real system root, browse real home, see settings in the /etc or read /etc/passwd file (normal one)...

Andrey Sapegin
  • Can you check this user's login shell? I assume it is set to something like `/sbin/nologin`. Try running this: `cat /etc/passwd | grep python`, you may need to change the shell using `usermod -s /bin/bash python` – Matt Clark May 20 '16 at 15:03
  • Are you sure the /bin/bash is needed there? Cause from the documentation I have read, jk_chrootsh should be fine (http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html). Also, my final goal is having as minimal environment as possible. Actually, the docker container will be started, then 1 python script should be executed, and container destroyed after it. Shouldn't it work without bash? – Andrey Sapegin May 20 '16 at 15:50
  • Hey, sorry - I posted another comment just as SE had some downtime before, looks like it didn't go through. It looks like your user's home directory is `/home/tjail/./home/python`, is this correct? Or should it just be `/home/python`? – Matt Clark May 20 '16 at 16:27
  • '/home/tjail/./home/python' should be correct, since jailkit copies /home/python to /home/tjail. I have also tried changing /usr/sbin/jk_chrootsh to /bin/bash. Now I can su to this user, but then the jail seems not to be working. E.g., I can go to the real system root, browse real home, see setting in the etc or read /etc/passwd file (normal one)... – Andrey Sapegin May 23 '16 at 07:32
  • Try `sudo strace su - python` and also check dmesg and other logs (e.g. /var/log/secure or /var/log/auth.log) – Peter May 25 '16 at 14:27
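
Added example (not part of the original question or comments): a small check of the two places a Jailkit login depends on, using the `/etc/passwd` entry quoted in the question. It assumes Jailkit's convention that `jk_chrootsh` takes the jail root from the part of the home field before `/./` and then runs the shell listed in the jail's own `etc/passwd`; the function names `classify_entry` and `jail_shell` are hypothetical.

```sh
#!/bin/sh
# classify_entry LINE
# A login is chrooted only when the host-side shell is jk_chrootsh AND the
# home field carries the "/./" marker splitting jail root from in-jail home.
classify_entry() {
    line=$1
    # passwd fields: name:pw:uid:gid:gecos:home:shell
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    case $shell in
        */jk_chrootsh) ;;
        *) echo "not-jailed shell=$shell"; return 1 ;;
    esac
    case $home in
        */./*) ;;
        *) echo "no-marker home=$home"; return 2 ;;
    esac
    root=${home%%/./*}      # everything before the marker
    inner=/${home#*/./}     # home directory as seen from inside the jail
    echo "jailed root=$root home=$inner"
}

# jail_shell ROOT USER
# Looks up USER in ROOT/etc/passwd and verifies that the shell named there
# exists and is executable inside the jail tree.
jail_shell() {
    root=$1
    user=$2
    entry=$(grep "^${user}:" "$root/etc/passwd" 2>/dev/null) || {
        echo "no-entry"; return 1; }
    sh=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ -x "$root$sh" ] || { echo "missing $sh"; return 2; }
    echo "$sh"
}

# Demo on the entry from the question, then the /bin/bash variant from
# UPDATE 2 (second line constructed from that description).
classify_entry 'python:x:1001:1001:Python,,,:/home/tjail/./home/python:/usr/sbin/jk_chrootsh'
classify_entry 'python:x:1001:1001:Python,,,:/home/tjail/./home/python:/bin/bash' || true
```

With the jail from the question, `jail_shell /home/tjail python` run as root would show which shell the jail's own `etc/passwd` assigns to the user and whether that binary was copied into the jail.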

0 Answers