Resolved change home directory for a chrooted user

[mserra]

If we change de home directory for a chrooted user from /var/www/vhosts/domain.tld to /var/www/vhosts/domain.tld/another_dir, we cannot login and get this error...


ssh [email protected]
Password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-67-generic x86_64)

Last login: Mon Mar 22 17:05:03 2021 fromx.x.x.x
user with id=10003 and name=chrooteduser not found in chrooted passwd file
system error: No such file or directory
Connection to x.x.x.x closed.


We want to change the default home dir to avoid the connecting user see irrelevant directories like dev etc tmp usr var ... It's possible? It's a bug?

We are using plesk Version 18.0.34, last updated on Mar 11, 2021 12:34 PM on ubuntu 20.04.2

Thank's

 

[weltonw]

Not possible.

Chroot is basically creating a virtual shell environment. To do that, /var /etc /bin with some conf + binary files need to be present.

The user(s) are dictated by /etc/passwd. If your homedir is changed, /etc/passwd no longer exists in the chroot, so you won't be able to do anything

 

[mserra]

Not possible.

Chroot is basically creating a virtual shell environment. To do that, /var /etc /bin with some conf + binary files need to be present.

The user(s) are dictated by /etc/passwd. If your homedir is changed, /etc/passwd no longer exists in the chroot, so you won't be able to do anything

Ok, I understand.

Thank's for answer @john0001

 

[mserra]

Ok, I understand.

Thank's for answer @john0001

After thinking about it a little more ... I'm not sure that is not possible.

A regular user (no chrooted) can got a home directory outside /home why a chrooted can't?

We only want to change the home directory to a one level deeper (from /path/to/jail to /path/to/jail/another_dir), not to delete or change the directories and file inside the chrooted jail.

Are you sure is not possible? Thank's again

 

[weltonw]

After thinking about it a little more ... I'm not sure that is not possible.

A regular user (no chrooted) can got a home directory outside /home why a chrooted can't?

We only want to change the home directory to a one level deeper (from /path/to/jail to /path/to/jail/another_dir), not to delete or change the directories and file inside the chrooted jail.

Are you sure is not possible? Thank's again

Yes, I'm sure that's not possible.

A chroot requires all the required binaries that you want to run to be inside the chroot. If the chroot can access files outside the chroot, it's no longer secure.

You can change chdir to change where they start with, but that's a matter of simply doing cd / to undo it.

A regular user has a /home directory, and uses the Linux system binaries. If you deleted /bin /etc /var /usr /opt, your Linux system would no longer function

 

[mserra]

Thank's for reply john0001, but...

A chroot requires all the required binaries that you want to run to be inside the chroot. If the chroot can access files outside the chroot, it's no longer secure.

I don't want to access outside the chroot, read: "We only want to change the home directory to a one level deeper (from /path/to/jail to /path/to/jail/another_dir)" another_dir is inside the chroot, not outside.

You can change chdir to change where they start with, but that's a matter of simply doing cd / to undo it.

No problem. It's ok for us. We want to start the session on a 'clean' directory inside the chroot.

I'm really sure that is possible because I already do it on my local kde neon machine (from where I'm writing now). See attached GIF

 

[weltonw]

I see. That's a simple matter of changing the current working directory default.

It should be a config called ChrootDirectory

Edit: Disregard that.

See: How to change SFTP default directory

 

[mserra]

On my linux machine I only need to change the user homedir in /etc/passwd but in the plesk server this doesn't work (see the first message on this threat).

And I think it's a plesk limitation or restriction.

 

[weltonw]

What if you cat /etc/passwd inside the chroot? What's the output?

 

[mserra]

What if you cat /etc/passwd inside the chroot? What's the output?

I dont' have the cat command on the chroot jail but ls ...

$ ls /etc/passwd ls: cannot access '/etc/passwd': No such file or directory

 

[weltonw]

Are you creating your own chroot skeleton?

 

[mserra]

Are you creating your own chroot skeleton?

Yes on my local machine.

In plesk no.

 

[weltonw]

Yes on my local machine.

In plesk no.

If you're using Plesk's chroot skeleton w/ SSH, the passwd file should be there.

 

[mserra]

The previous output about /etc/passwd was on my local machine.

Here the plesk...

bash-5.0$ cat /etc/passwd root:*:0:0:Root:/:/bin/false chrooteduser:x:10003:1003::/:/bin/bash

 

[mserra]

I think the problem is related with the shell of this user (/opt/psa/bin/chrootsh) and the way plesk configure that, but I don't know where to find more info about chrootsh in plesk.

chrooteduser:x:10003:1003::[B]/var/www/vhosts/domain.tld/another_dir/[/B]:/opt/psa/bin/chrootsh

 

[mserra]

Oh ****! I found the solution!

Thank's john0001, after re-reading my own words I found the solution. Really easy... Edit as root the chrooted passwd file and change de home dir from / to /desired_home_folder

before...
bash-5.0$ cat /etc/passwd root:*:0:0:Root:/:/bin/false chrooteduser:x:10003:1003::/:/bin/bash

after...
bash-5.0$ cat /etc/passwd root:*:0:0:Root:/:/bin/false chrooteduser:x:10003:1003::/desired_home_folder:/bin/bash