Jailkit issue while logging in via ssh

Hi all

OS: CentOS 8 Stream
Webmin: latest, since it was installed 1 week ago.

We are using the nginx bundle, the latest Webmin version, and no significant changes (almost a clean install).
When jailing a user we are getting this in /var/log/messages:

abort, failed to set additional groups: operation not permitted

Verified /etc/passwd and /etc/group and all looks fine.
Couldn't find any info about this issue to help me sort it out.

Has anyone faced this?

Regards

You really need to include your OS and version when asking a question like this.

Hi Joe

True, sorry.
Updated the question.

OS: CentOS 8 Stream
Webmin: latest, since it was installed 1 week ago.

Regards

This seems like a capabilities issue, but I’m pretty sure our Jailkit package sets capabilities right.

Is it possible you’ve got SELinux enabled?

It is disabled. It is probably the first thing I do when setting things up, even before installing Virtualmin.
But I verified, and it is disabled.

I looked at all the generated files, and all permissions look normal to me… The contents of /etc/group and /etc/passwd are all fine.

Will continue digging into this.

I have spent some time today working on this.
Ended up getting the jail working on CentOS 8 by removing jailkit 2.21 installed from the repo and installing 2.22 manually from the jailkit site.

Set up jk_init.ini again with everything I need, and it is working fine.

For CentOS 8 it was something like this (in case someone needs it):

dnf -y remove jailkit
cd /root
wget https://olivier.sessink.nl/jailkit/jailkit-2.22.tar.gz
gunzip jailkit-2.22.tar.gz
tar --extract --file jailkit-2.22.tar
cd jailkit-2.22
ln --symbolic /usr/bin/python3 /usr/bin/python
./configure
make install

and then the Virtualmin command:
virtualmin modify-domain --domain DOMAIN --enable-jail

Thank you Joe for your replies.
Regards Bruno

I never recommend from-source installs on production servers.

But, if an update fixes it, I can update our package when I get some free time.

Unfortunately I agree, but I installed a perfectly clean Virtualmin on CentOS 7 and another on CentOS 8 this morning, and jailed a test virtual server on both.
Result: it works on CentOS 7 and does NOT work on CentOS 8 (same permission issue).

After checking the jailkit source code, my error happens when looping through the different groups.
Then I compared both /etc/group files. Perhaps some have wrong permissions (but I went through almost every one and checked, no luck).

Jailed a test site on one of my production instances and will leave it this way for some weeks.


@Joe, I’m reproducing the same issue with all jailkit packages (installed from our repos) and a new Terminal module.

It fails with the following error:

Dec 17 15:29:00 rocky8-gpl.virtualmin.dev jk_chrootsh[62947]: now entering jail /home/chroot/1670523767140427 for user rocky8-gpl (1000) with arguments
Dec 17 15:29:00 rocky8-gpl.virtualmin.dev jk_chrootsh[62947]: abort, failed to set additional groups: Operation not permitted

However, if I download the latest Jailkit version 2.23 and build it from source, it just works fine. Also, if I download version 2.22 as source (which is the version we currently provide in our repos) and install it from source, then it also works!

It seems that we have an ongoing issue with our jailkit package? Maybe something is missing in the package scriptlets? If it helps, here is the output of the make install command, which installs a working Jailkit from source:

[root@rocky8-gpl jailkit-2.23]# make install 
/usr/bin/install -c -d -m 755 /etc/jailkit/
for file in jk_check.ini jk_init.ini jk_lsh.ini jk_socketd.ini jk_chrootsh.ini jk_update.ini jk_uchroot.ini ; do \
	if [ -f /etc/jailkit/${file} ]; then \
		/usr/bin/install -c -m 0644 ini/${file} /etc/jailkit/${file}.dist ;\
	else \
		/usr/bin/install -c -m 0644 ini/${file} /etc/jailkit/ ;\
	fi ;\
done
make[1]: Entering directory '/root/jailkit-2.23/src'
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o jk_socketd.o jk_socketd.c
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o jk_lib.o jk_lib.c
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o utils.o utils.c
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o iniparser.o iniparser.c
gcc  -o jk_socketd jk_socketd.o jk_lib.o utils.o iniparser.o -pthread 
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o jk_lsh.o jk_lsh.c
In function ‘expand_executable_w_path’,
    inlined from ‘main’ at jk_lsh.c:296:8:
jk_lsh.c:128:14: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
    newpath = strncpy(newpath, *path, tlen+1); /* the +1 is not needed, but gcc will complain that
              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jk_lsh.c: In function ‘main’:
jk_lsh.c:125:15: note: length computed here
    int tlen = strlen(*path);
               ^~~~~~~~~~~~~
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o wordexp.o wordexp.c
gcc  -o jk_lsh jk_lsh.o iniparser.o jk_lib.o utils.o wordexp.o -pthread 
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o jk_chrootsh.o jk_chrootsh.c
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o passwdparser.o passwdparser.c
gcc  -o jk_chrootsh jk_chrootsh.o iniparser.o jk_lib.o utils.o passwdparser.o -pthread 
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o jk_chrootlaunch.o jk_chrootlaunch.c
gcc  -o jk_chrootlaunch jk_chrootlaunch.o jk_lib.o utils.o -pthread 
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o jk_uchroot.o jk_uchroot.c
gcc  -o jk_uchroot jk_uchroot.o iniparser.o jk_lib.o utils.o -pthread 
gcc -g -O2 -Wall -pipe -pthread -DINIPREFIX=\"/etc/jailkit\"   -c -o jk_procmailwrapper.o jk_procmailwrapper.c
gcc  -o jk_procmailwrapper jk_procmailwrapper.o jk_lib.o utils.o -pthread 
/usr/bin/install -c -d -m 755 /usr
/usr/bin/install -c -d -m 755 /usr/bin
/usr/bin/install -c -d -m 755 /usr/sbin
/usr/bin/install -c -m 0755 jk_socketd /usr/sbin/
/usr/bin/install -c -m 0755 jk_chrootlaunch /usr/sbin/
/usr/bin/install -c -m 0755 jk_lsh /usr/sbin/
/usr/bin/install -c -m 4755 jk_chrootsh /usr/sbin/
/usr/bin/install -c -m 4755 jk_uchroot /usr/bin/
if [ -z "" ]; then \
	/usr/bin/install -c -m 4755 jk_procmailwrapper /usr/sbin/ ;\
fi
make[1]: Leaving directory '/root/jailkit-2.23/src'
make[1]: Entering directory '/root/jailkit-2.23/py'
sed -e "s!PREFIX='/usr'!PREFIX='/usr'!" \
    -e "s!INIPREFIX='/etc/jailkit'!INIPREFIX='/etc/jailkit'!" \
    -e "s!LIBDIR='[a-z/]*'!LIBDIR='/usr/share/jailkit'!" \
    -e "s!EXEPREFIX='[a-z/]*'!EXEPREFIX='/usr'!" \
    -e "s:#!/usr/bin/python:#!/usr/bin/python:" < jk_cp.in > jk_cp
sed -e "s!PREFIX='/usr'!PREFIX='/usr'!" \
    -e "s!INIPREFIX='/etc/jailkit'!INIPREFIX='/etc/jailkit'!" \
    -e "s!LIBDIR='[a-z/]*'!LIBDIR='/usr/share/jailkit'!" \
    -e "s!EXEPREFIX='[a-z/]*'!EXEPREFIX='/usr'!" \
    -e "s:#!/usr/bin/python:#!/usr/bin/python:" < jk_init.in > jk_init
sed -e "s!PREFIX='/usr'!PREFIX='/usr'!" \
    -e "s!INIPREFIX='/etc/jailkit'!INIPREFIX='/etc/jailkit'!" \
    -e "s!LIBDIR='[a-z/]*'!LIBDIR='/usr/share/jailkit'!" \
    -e "s!EXEPREFIX='[a-z/]*'!EXEPREFIX='/usr'!" \
    -e "s:#!/usr/bin/python:#!/usr/bin/python:" < jk_check.in > jk_check
sed -e "s!PREFIX='/usr'!PREFIX='/usr'!" \
    -e "s!INIPREFIX='/etc/jailkit'!INIPREFIX='/etc/jailkit'!" \
    -e "s!LIBDIR='[a-z/]*'!LIBDIR='/usr/share/jailkit'!" \
    -e "s!EXEPREFIX='[a-z/]*'!EXEPREFIX='/usr'!" \
    -e "s:#!/usr/bin/python:#!/usr/bin/python:" < jk_jailuser.in > jk_jailuser
sed -e "s!PREFIX='/usr'!PREFIX='/usr'!" \
    -e "s!INIPREFIX='/etc/jailkit'!INIPREFIX='/etc/jailkit'!" \
    -e "s!LIBDIR='[a-z/]*'!LIBDIR='/usr/share/jailkit'!" \
    -e "s!EXEPREFIX='[a-z/]*'!EXEPREFIX='/usr'!" \
    -e "s:#!/usr/bin/python:#!/usr/bin/python:" < jk_list.in > jk_list
sed -e "s!PREFIX='/usr'!PREFIX='/usr'!" \
    -e "s!INIPREFIX='/etc/jailkit'!INIPREFIX='/etc/jailkit'!" \
    -e "s!LIBDIR='[a-z/]*'!LIBDIR='/usr/share/jailkit'!" \
    -e "s!EXEPREFIX='[a-z/]*'!EXEPREFIX='/usr'!" \
    -e "s:#!/usr/bin/python:#!/usr/bin/python:" < jk_update.in > jk_update
/usr/bin/python -c "import py_compile;py_compile.compile('jk_lib.py', cfile='jk_lib.py' + 'c')"
/usr/bin/install -c -d -m 755 /usr/sbin
for file in jk_cp jk_init jk_check jk_jailuser jk_list jk_update; do \
	/usr/bin/install -c -m 0755 ${file} /usr/sbin/ ; \
done
/usr/bin/install -c -d -m 755 /usr/share/jailkit
/usr/bin/install -c -m 0644 jk_lib.py /usr/share/jailkit/
/usr/bin/install -c -m 0644 jk_lib.pyc /usr/share/jailkit/
make[1]: Leaving directory '/root/jailkit-2.23/py'
make[1]: Entering directory '/root/jailkit-2.23/man'
gzip -9 < jk_chrootsh.8 > jk_chrootsh.8.gz
gzip -9 < jk_uchroot.8 > jk_uchroot.8.gz
gzip -9 < jk_lsh.8 > jk_lsh.8.gz
gzip -9 < jk_socketd.8 > jk_socketd.8.gz
gzip -9 < jk_init.8 > jk_init.8.gz
gzip -9 < jk_check.8 > jk_check.8.gz
gzip -9 < jk_cp.8 > jk_cp.8.gz
gzip -9 < jk_chrootlaunch.8 > jk_chrootlaunch.8.gz
gzip -9 < jk_jailuser.8 > jk_jailuser.8.gz
gzip -9 < jk_list.8 > jk_list.8.gz
gzip -9 < jk_update.8 > jk_update.8.gz
gzip -9 < jailkit.7 > jailkit.7.gz
/usr/bin/install -c -d -m 755 /usr/share/man/man8/
for file in jk_chrootsh.8.gz jk_uchroot.8.gz jk_lsh.8.gz jk_socketd.8.gz jk_init.8.gz jk_check.8.gz jk_cp.8.gz jk_chrootlaunch.8.gz jk_jailuser.8.gz jk_list.8.gz jk_update.8.gz ; do \
	/usr/bin/install -c -m 0644 ${file} /usr/share/man/man8/ ;\
done
/usr/bin/install -c -d -m 755 /usr/share/man/man7/
/usr/bin/install -c -m 0644 jailkit.7.gz /usr/share/man/man7/
make[1]: Leaving directory '/root/jailkit-2.23/man'
# test if the jk_chrootsh is already in /etc/shells
# this previously had @echo but that fails on FreeBSD
if test -w /etc/shells; then \
	if ! grep /usr/sbin/jk_chrootsh /etc/shells ; then \
		echo "appending /usr/sbin/jk_chroots to /etc/shells";\
		echo /usr/sbin/jk_chrootsh >> /etc/shells ;\
	fi \
fi
/usr/sbin/jk_chrootsh

We finally sorted this issue out. I don’t understand what changed at the OS level to break it, but it did turn out to be a capabilities/setuid issue. I’ve fixed it in our package and also updated to the current 2.23 version of jailkit.

It should be available for all supported distros now (but pushing an update to binary repos is a manual process, so I may have missed something…if you're on a supported, i.e. not EOL, distro and you don't see a jailkit update in the next few minutes, let me know). Also note, old repos continue to be deprecated and will not receive the update; only vm6 and vm7 repos got it. But, I don't think any systems using the old repos could be new enough to have this problem, as it was a change in how host capabilities and setuid interact that led to the problem, I think.
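The thread traces the "failed to set additional groups: Operation not permitted" abort to jk_chrootsh no longer having what setgroups(2) needs: CAP_SETGID, which the binary normally gets by being setuid root (the make install output above installs it with mode 4755). The following diagnostic is an added example written for this thread; it is not part of the Virtualmin jailkit package or the jailkit project. It assumes the standard /usr/sbin/jk_chrootsh path (overridable) and GNU coreutils stat(1); getcap and findmnt are used only if present. It checks owner, setuid bit, file capabilities and a nosuid mount, and pulls the jk_chrootsh abort lines out of a log file so the failure can be spotted after a package update.

```shell
#!/bin/sh
# Added diagnostic for the jk_chrootsh setgroups() EPERM seen in this thread.
# Not part of jailkit or the Virtualmin package. Assumes GNU stat(1).

# Return 0 when an octal mode string (as printed by `stat -c %a`) carries the
# setuid bit: a leading 4 (setuid) or 6 (setuid+setgid) in a four-digit mode.
mode_has_setuid() {
    case "$1" in
        4???|6???) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one jk_chrootsh binary (default /usr/sbin/jk_chrootsh, an assumption).
# Prints one line per finding; returns 0 only when nothing looks wrong.
check_jk_chrootsh() {
    bin=${1:-/usr/sbin/jk_chrootsh}
    rc=0
    if [ ! -f "$bin" ]; then
        echo "MISSING: $bin not found"
        return 1
    fi
    owner=$(stat -c '%U' "$bin")
    mode=$(stat -c '%a' "$bin")
    if [ "$owner" != root ]; then
        echo "BAD OWNER: $bin is owned by $owner, not root"
        rc=1
    fi
    if mode_has_setuid "$mode"; then
        echo "OK: $bin has the setuid bit (mode $mode)"
    else
        echo "NO SETUID: $bin mode is $mode (make install uses 4755)"
        rc=1
    fi
    # File capabilities are the other way to grant CAP_SETGID; report them if set.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null)
        [ -n "$caps" ] && echo "CAPS: $caps"
    fi
    # A nosuid mount makes the kernel ignore the setuid bit entirely.
    if command -v findmnt >/dev/null 2>&1 \
       && findmnt -n -o OPTIONS -T "$bin" 2>/dev/null | grep -q nosuid; then
        echo "NOSUID: filesystem holding $bin is mounted nosuid"
        rc=1
    fi
    return $rc
}

# Print the jk_chrootsh abort lines (the format quoted in this thread) from
# one or more syslog-style files, e.g. /var/log/messages.
jail_failures() {
    grep -h 'jk_chrootsh\[[0-9]*\]: abort' "$@" 2>/dev/null
}
```

Run it as `check_jk_chrootsh` after installing or updating the package; a "NO SETUID" or "NOSUID" line explains the abort directly, while a clean report with the error still present points at the host side (capability handling, SELinux) rather than the file itself. `jail_failures /var/log/messages` lists the aborts so a fix can be confirmed after the next login attempt.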
