Can't activate Chroot Jail

SYSTEM INFORMATION
**OS type and version:** CentOS 8
**Webmin version:** 1.973
**Virtualmin version:** 6.16 Pro
**Related products version:** NA

When I tried to activate Chroot Jail by going to Virtualmin → Administrative Options → Edit Owner Limits → Other Restrictions and switching to YES → SAVE, it fails with the following error:

```
Failed to save owner limits : Failed to enable chroot jail : Failed to initialize jail : ERROR: cannot lstat() /home/chroot/160153911650867
Traceback (most recent call last):
  File "/sbin/jk_init", line 261, in <module>
    main()
  File "/sbin/jk_init", line 258, in main
    activateConfig(config, jail, args)
  File "/sbin/jk_init", line 164, in activateConfig
    cfg.read([config['file']])
  File "/usr/lib64/python3.6/configparser.py", line 697, in read
    self._read(fp, filename)
  File "/usr/lib64/python3.6/configparser.py", line 1092, in _read
    fpname, lineno)
configparser.DuplicateOptionError: While reading from '/etc/jailkit/jk_init.ini' [line 118]: option 'includesections' in section 'openvpn' already exists
```

Can you help resolve this so Chroot Jail can be activated and users can’t access anything above/outside their home directory?

Hello,

This is a known issue and we discussed it with @Jamie and @Joe already in our private Jailkit Package: Problem with configuration email thread.

To work around this bug you would need to manually edit /etc/jailkit/jk_init.ini and remove the first duplicate of includesections, which is this line:

includesections = netbasics

By the way, you should use this link to submit a ticket as a Pro user.
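A way to list every duplicated option, with line numbers, before editing the file by hand (an added example, not part of the original thread or Jailkit's own code). The sample INI text is constructed, since the real contents of jk_init.ini are not shown here, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample mimicking the duplicated option reported in the thread;
# the real /etc/jailkit/jk_init.ini contents are not shown on the page.
SAMPLE_INI = """\
[netbasics]
paths = /etc/hosts, /etc/resolv.conf

[openvpn]
comment = constructed example section
includesections = netbasics
paths = /usr/sbin/openvpn
includesections = netbasics
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^(?P<key>[^#;=:\s][^=:]*?)\s*[=:]")

def find_duplicate_options(text):
    """Return [(section, option, first_line, duplicate_line), ...]."""
    duplicates, seen, section = [], {}, None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if m:
            section, seen = m.group("name"), {}
            continue
        m = OPTION_RE.match(line)  # continuation lines start with whitespace
        if m and section is not None:
            key = m.group("key").strip().lower()  # configparser lowercases keys
            if key in seen:
                duplicates.append((section, key, seen[key], lineno))
            else:
                seen[key] = lineno
    return duplicates

def strict_parse_fails(text):
    """True if Python's strict configparser rejects the text, as jk_init did."""
    try:
        configparser.ConfigParser().read_string(text)
    except configparser.DuplicateOptionError:
        return True
    return False

if __name__ == "__main__":
    print("strict parse fails:", strict_parse_fails(SAMPLE_INI))
    for sec, key, first, dup in find_duplicate_options(SAMPLE_INI):
        print(f"[{sec}] '{key}' first at line {first}, repeated at line {dup}")
```

To check the real file, pass its contents to the same functions, for example `find_duplicate_options(open("/etc/jailkit/jk_init.ini").read())`.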

Great stuff. Thanks Ilia.

Will try that tomorrow.

Thanks for that other link. Sorry the Virtualmin/Webmin just works fine so don’t need to create any tickets generally. It is just because of migration of server to different host provider needed quick help. Sure, will use that other link. Appreciate the same.

That worked well, thanks Ilia.

But the SFTP that was working before has now stopped working. When I enter the passphrase of the SSH key, it waits for 20 seconds and times out. Root login works fine.
I thought maybe the key got corrupted. So I regenerated a new key and replaced the previous one with it. Tried to SFTP again, but it is giving exactly the same error of timing out after 20 seconds of waiting.

I tried searching for this issue in forums but couldn’t find it.

There’s no need to create private tickets for stuff like this. We’re happy to answer in the forums.

Big problem happened when I enabled chroot jail through vmware option.
My website stopped working with error “SQLSTATE[HY000] [2002] No such file or directory SQLSTATE[HY000] [2002] No such file or directory”

Do you know what happened and how can I fix this website not working issue and the SFTP issue with Chroot Jail?

Website and SFTP started working as soon as I disabled the Chroot Jail (No → Save) both the website and the SFTP started working.

Need your help with this.

I’m not sure how the website would be impacted at all. The web server isn’t subject to the jail, only the user logging into the shell would be.

Can you be more clear about what you mean when you say SFTP doesn’t work? Do you mean FTP with SSL (port 20/21) or do you mean FTP over SSH (port 22) or do you mean FTP over SSH (port 2222)? Each of those is quite different (the latter is provided by ProFTPd, while port 22 is served by OpenSSH). I ask because SFTP, as provided by ProFTPd on port 2222 also should not be impacted by the jail, at all, as it does not run the user’s shell and isn’t subject to the jail (ProFTPd provides its own “jail” implementation that is independent of jailkit).

So…I don’t know how either of those things could be broken by enabling a chroot jail for the shell.

We use jailkit for setting up the jail and for the capabilities-based wrapper, so the jailkit troubleshooting guide might help (assuming it’s something missing from the jail): https://olivier.sessink.nl/jailkit/howtos_debug_jails.html

But, we really need to figure out how either website or ProFTPd could possibly be impacted by the jail first, because I’m surprised they are. In the case of ProFTPd it really can’t be, and I’m sort of fuzzy on how web applications could be (they could maybe spawn a shell, and the jail is missing dependencies it needs, maybe, but that would be a pretty weird thing to do in a web app, I think, and potentially a security concern). I really don’t know. I kinda want to say it’s an unrelated issue, or only indirectly related.

My understanding was also that the website should not be affected by the Chroot Jail. At least I never faced any such experience in the past with manual Chroot Jail setup. But as soon as the Chroot Jail setting was toggled to NO and saved, the website started working immediately. The website is hosted in /home/{user1}/public_html/ and user1 is also I think the apache user.

Regarding the SFTP, I meant FTP over SSH (port 22). SFTP (FTP over SSH) always is affected by Chroot Jail to my experience. A little error in Chroot Jail and SFTP broke to my experience in past.

So as soon as I turn on Chroot Jail via Virtualmin then website/sftp stop working and as soon as I turn off Chroot Jail then website/sftp starts working. Luckily I have a test server set up identically and I can try it there and also collect logs, keeping website/sftp down for longer. Are there any outputs or logs you think I should check to resolve this?

I can manually set up Chroot Jail, which may take about 20 - 30 minutes, but the problem is that following manual Chroot Jail means I have to change the /home/{user1} directory to have ownership root:{user1}, which is normally ok. But this fails the automatic SSL renewal because for auto renewal the /home/{user1} is expected to be owned by {user1}. Anyway, if Virtualmin’s Chroot Jail works then I would really prefer that.

I don’t remember details, but I’m pretty sure this is not OK. It’s been several years since I went through all the work on making jailkit work, but I recall this being something that needed to be resolved. I suspect it will impede or do something dangerous with regard to running web apps as the user.

Regardless, this is two different problems, so zeroing in on one will be helpful. What’s in the error_log when you try to use the app with the jail enabled?
