OS centos 8 stream
Webmin is the latest, since it was installed 1 week ago.
We are using the nginx bundle, the latest webmin version, and no significant changes (almost a clean install).
When jailing a user we are getting this in /var/log/messages:
abort, failed to set additional groups: operation not permitted
Verified /etc/passwd and /etc/group and all looks fine.
Couldn't find any info about this issue to help me sort it out.
I have spent some time today working on this.
Ended up making the jail work on centos8 by removing jailkit 2.21 installed from the repo, and manually installing 2.22 from the jailkit site.
Set up the jk_init.ini again with all my needs and it is working fine.
For centos8 it was something like this (in case someone needs it):
dnf -y remove jailkit
cd /root
wget https://olivier.sessink.nl/jailkit/jailkit-2.22.tar.gz
gunzip jailkit-2.22.tar.gz
tar --extract --file jailkit-2.22.tar
cd jailkit-2.22
ln --symbolic /usr/bin/python3 /usr/bin/python;
./configure
make install
and then the virtualmin command:
virtualmin modify-domain --domain DOMAIN --enable-jail
Unfortunately I agree, but I installed a perfectly clean virtualmin on centos7 and another on centos8 this morning, and jailed a test virtualserver on both.
Result: works at centos7 and does NOT work at centos8 (same permission issue).
After checking the jailkit source code, my error happens when looping through different groups.
Then I compared both /etc/group files. Perhaps some have wrong permissions (but I went through almost every one and checked, no luck).
Jailed a test site on one of my production instances and will leave it this way for some weeks.
@Joe, I’m reproducing the same issue with all jailkit packages (installed from our repos) and a new Terminal module.
It fails with the following error:
Dec 17 15:29:00 rocky8-gpl.virtualmin.dev jk_chrootsh[62947]: now entering jail /home/chroot/1670523767140427 for user rocky8-gpl (1000) with arguments
Dec 17 15:29:00 rocky8-gpl.virtualmin.dev jk_chrootsh[62947]: abort, failed to set additional groups: Operation not permitted
However, if I download the latest Jailkit version 2.23 and build it from source, it just works fine. Also, if I download version 2.22 as source (which we currently provide in our repos) and install it from source, then it also works!
It seems that we have an ongoing issue with our jailkit package? Maybe something is missing in the package scriptlets? If that helps, here is the output of the make install command, which installs a working Jailkit from source:
We finally sorted this issue out. I don’t understand what changed at the OS level to break it, but it did turn out to be a capabilities/setuid issue. I’ve fixed it in our package and also updated to the current 2.23 version of jailkit.
It should be available for all supported distros now (but pushing an update to binary repos is a manual process, so I may have missed something… if you’re on a supported, i.e. not EOL, distro and you don’t see a jailkit update in the next few minutes, let me know). Also note, old repos continue to be deprecated and will not receive the update; only vm6 and vm7 repos got it. But, I don’t think any systems using the old repos could be new enough to have this problem, as it was a change in how capabilities and setuid interact that led to the problem, I think.
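
A way to check a host for the capabilities/setuid condition named in the last reply, as an added example that is not from the thread, from Jailkit or from the Virtualmin package. The "failed to set additional groups" error is setgroups() being refused, and that call needs CAP_SETGID; the helper name check_priv_binary and the default path /usr/sbin/jk_chrootsh are assumptions.

```shell
#!/bin/sh
# Added example: report whether a binary carries either of the two file-level
# grants that let it call setgroups() (which requires CAP_SETGID):
#   1. setuid bit with root as owner, or
#   2. a cap_setgid file capability.
# check_priv_binary is a hypothetical helper; the default path is an assumption.
# Usage: check_priv_binary /path/to/jk_chrootsh

check_priv_binary() {
    bin=${1:-/usr/sbin/jk_chrootsh}
    [ -f "$bin" ] || { echo "missing"; return 2; }

    owner=$(stat -c '%u' "$bin")        # numeric owner uid (GNU stat)
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null)
    fi

    # Case 1: setuid bit present and file owned by uid 0.
    if [ -u "$bin" ] && [ "$owner" = "0" ]; then
        echo "setuid-root"
        return 0
    fi

    # Case 2: file capability set that includes cap_setgid.
    case $caps in
        *cap_setgid*)
            echo "file-cap-setgid"
            return 0 ;;
    esac

    # Neither grant is present: setgroups() will fail for a non-root caller.
    if [ -u "$bin" ]; then
        echo "setuid-nonroot"           # setuid bit set, but owner is not root
    else
        echo "unprivileged"             # no setuid bit, no cap_setgid
    fi
    return 1
}
```

A result of "setuid-root" or "file-cap-setgid" only shows the grant exists on the file; a nosuid mount or a security module can still deny it at run time.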