Install without Jailed SSH

/etc/passwd

USERNAME:x:1003:1003:[email protected]:/home/username:/usr/sbin/jailbash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

and the jail is running.

USERNAME     1  0.0  0.0   3360   144 ?        S    16:42   0:00 jailbash --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 --tmpfs /usr/lib/modules --tmpfs /usr/lib/systemd --ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --symlink ../tmp var/tmp --proc /proc --dev /dev --bind /home/USERNAME /home/USERNAME --ro-bind-try /etc/profile /etc/profile --ro-bind-try /etc/alternatives /etc/alternatives --ro-bind-try /etc/localtime /etc/localtime --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/hosts /etc/hosts --ro-bind-try /etc/nsswitch.conf /etc/nsswitch.conf --ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki --ro-bind-try /etc/manpath.config /etc/manpath.config --bind-try /run/mysqld/mysqld.sock /run/mysqld/mysqld.sock --chdir /home/USERNAME --unshare-all --share-net --die-with-parent --dir /run/user/1003 --setenv XDG_RUNTIME_DIR /run/user/1003 --setenv PS1 USERNAME$  --file 11 /etc/passwd --file 12 /etc/group /bin/bash -l
USERNAME     14  0.0  0.0   6700  2236 ?        S+   16:47   0:00 grep jailbash

That is odd; then the /var directory should be almost empty and /backup should not be linked. Something is going wrong, but I don’t know what might be happening.

What OS are you running on, and is bwrap (bubblewrap) correctly installed?

Edit: are you testing this on SFTP? I just checked and it looks like somehow SFTP is circumvented. Does SSH work correctly for you?

Debian 12.9

Yes, it was with SFTP. I tried it only with SSH and can’t enter the above-mentioned folders or edit/open files. So SSH is working normally.

Thank you for testing. So if I understand right, SSH is working correctly under jailbash but SFTP is not.

I will make a patch to make sure that SFTP is also jailed when jailbash is enabled.


I did some initial research, but at the moment it is not an easy fix. This is because of incompatibilities between chrooted SFTP and jailed SSH.

Hopefully we can find a solution but don’t expect it fast.

No problem, but it would be good if it doesn’t get forgotten like some other stuff.

I’ve added a PR. But could you also test this on your side for me?

If you change the following line in /etc/ssh/sshd_config and restart ssh, does the jailed container then work properly for SFTP for you too?

Change: Subsystem sftp internal-sftp
To: Subsystem sftp /usr/lib/sftp-server

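An added example to go with the /etc/passwd excerpt and the sshd_config change above (this is not code from the thread or from the panel’s own jailbash scripts). The reason the change works: internal-sftp is served inside the sshd process and never spawns the user’s login shell, so a shell-based jail such as the /usr/sbin/jailbash entry in /etc/passwd is skipped for SFTP sessions, while an external sftp-server binary is started through the login shell and therefore inside the bwrap sandbox the wrapper sets up. The script lists the accounts whose login shell is the jail wrapper and classifies the active Subsystem sftp directive; the passwd and sshd_config contents it runs on are constructed sample files, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the panel's jailbash/bwrap
# scripts. Audits (1) which passwd accounts use the jail wrapper as login
# shell and (2) whether sshd's "Subsystem sftp" directive is routed through
# that shell (external binary) or bypasses it (internal-sftp).

# Print the user names whose login shell (7th passwd field) equals $2.
# $1: path to a passwd-format file, $2: shell path to match.
jailed_shell_users() {
    awk -F: -v shell="$2" '$7 == shell { print $1 }' "$1"
}

# Print "internal", "external <path>" or "none" for the sshd_config in $1.
# sshd keeps the first value it reads for a keyword, so the first active
# "Subsystem sftp" line wins; keyword matching is case-insensitive.
sftp_subsystem_mode() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                # comments and blank lines
        tolower($1) == "subsystem" && $2 == "sftp" {
            if ($3 == "internal-sftp") print "internal"
            else print "external " $3
            found = 1
            exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Return 0 when SFTP sessions go through the login shell (the jail applies),
# 1 when internal-sftp bypasses it, 2 when no sftp subsystem is configured.
check_sftp_jailed() {
    case "$(sftp_subsystem_mode "$1")" in
        internal)  echo "internal-sftp: login shell (and the jail) is bypassed for SFTP" >&2; return 1 ;;
        external*) echo "external sftp-server: started through the user's login shell" >&2; return 0 ;;
        *)         echo "no sftp subsystem configured" >&2; return 2 ;;
    esac
}

# Demo on constructed files (assumed content, not copied from any real host):
# "before" carries the thread's original directive, "after" the proposed one.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1003:1003::/home/alice:/usr/sbin/jailbash' \
        'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' > "$tmp/passwd"
    printf 'Port 22\nSubsystem sftp internal-sftp\n' > "$tmp/before"
    printf 'Port 22\n# Subsystem sftp internal-sftp\nSubsystem sftp /usr/lib/sftp-server\n' > "$tmp/after"

    echo "jailed accounts: $(jailed_shell_users "$tmp/passwd" /usr/sbin/jailbash)"
    for cfg in before after; do
        printf '%s: ' "$cfg"
        check_sftp_jailed "$tmp/$cfg" 2>&1 || true
    done
    rm -rf "$tmp"
}

demo
```

Run it against a real host by calling sftp_subsystem_mode /etc/ssh/sshd_config and jailed_shell_users /etc/passwd /usr/sbin/jailbash; note that the check only reads the main file and does not follow Include or Match blocks, so a Subsystem override elsewhere would be missed.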

It’s working: only my own home folder is visible, and all the important stuff is not.


Greetings. While I have no requirement for sshjail functionality, the system has automatically generated a directory at /srv/jail/user for the user account. Would it be safe to proceed with removing this directory?

It is also used for the SFTP jail.

Erik sorry, English is not my native language, so I didn’t understand your answer. Can I safely delete the srv folder and disable jail in the settings?

No. Do not just delete it.