Issue [PPM-2537] error to set chrooted ssh access

[MicheleP]

Server operating system version

Centos 7

Plesk version and microupdate number

18.0.47

I'm trying to set /bin/bash (chrooted) acces for a new domain
But I get:
Error: System user update is failed: chrootmng failed: Safe link creation from '/var/www/vhosts/chroot/etc/resolv.conf' to '/var/www/vhosts/domain/etc/resolv.conf' failed: Operation not permitted chrootmng[25539]: Failed to create chroot environment: Failed to create link '/var/www/vhosts/domain/etc/resolv.conf':Operation not permitted

where domain is for the real domain

There is a solution?
Thanks

 

[IgorG]

Try to repair vhosts permissions with

# plesk repair fs domain.com
# plesk repair web domain.com

 

[MicheleP]

Hi, done but nothing .... same result

 

[MicheleP]

I've used another server and it works, but if connect in ssh I can see all files also of other subscriptions
Why? Is it normal?
What is the setting to limit the user to his website folder and files?

 

[MicheleP]

Solved, I was logging as root.
However with the correct user I can connect in SFTP but not with SSH
Probably there is something I'm doing wrong?

 

[MicheleP]

ok solved on this server
but on the first I get the same error

Error: System user update is failed: chrootmng failed: Safe link creation from '/var/www/vhosts/chroot/etc/resolv.conf' to '/var/www/vhosts/domain/etc/resolv.conf' failed: Operation not permitted chrootmng[25539]: Failed to create chroot environment: Failed to create link '/var/www/vhosts/domain/etc/resolv.conf':Operation not permitted

 

[MicheleP]

A note, all this is to have a simple functional SFTP account, but why plesk doesnt enable SFTP on the additional FTP users??
This way I 'm giving also ssh acces to the user, that I dont want, because the ftp user must not see what is in the folders up level.
Ando so I need to create a domain for this (that however is not a good idea).
And If I need more SFTP users (and I need more SFTP users) I must create additional domains for every FTP user!
This is a nonsense if it works. When it doenst work, as in this case, it is a delirium, as I must change server (!!) to have an SFTP account

 

[Bitpalast]

but why plesk doesnt enable SFTP on the additional FTP users??

FTP and SFTP are two different things. SFTP ist actually not FTP, but SSH. On top of an SSH connection the FTP protocol is run. For most applications an FTP user does not need SSH access. An SFTP user would automatically gain SSH access to the server which may not be desirable in most cases. Maybe FTPS (FTP with SSL) can also fulfill your requirements?

I could imagine a radio selector or checkbox where - when someone creates a new FTP account - he can also opt to give the same user SSH access (hence SFTP access). If you think that this is something that makes Plesk a better product, maybe you can create a case here:

Feature Suggestions: Top (2022 ideas) – Your Ideas for Plesk

 

[MicheleP]

Hi, I need SFTP accounts becouse I'm requested SFTP accounts
There is no personal preferences in this. I've been request this, I've seen that plesk "can" do it, and so ok we can do it.
Didn't know all this ...
Those cannot be seen as personal requests but as basic features that use standard and protocols, in particular for security

And as for your suggestion, it would be a very simple and good solution.
But sadly, I think that this will not even be read
There is yet a very similar request to what I "ask" (among many others) from 2013 (!!!) with 349 votes (how many more votes wants plesk??)
Enable chrooted sftp for more than one user per account

 

[Nik G]

https://kcs-search.k8s.plesk.ru/article/preview/213912005

 

[Kaspar]

https://kcs-search.k8s.plesk.ru/article/preview/213912005

@Nik G thats not a public link

 

[Nik G]

1. Download and unpack the script:
   # curl -LO https://plesk.zendesk.com/hc/article_attachments/360009752840/213912005_clone_shell.tar.gz
   # tar xf 213912005_clone_shell.tar.gz
2. Run the script providing the names of additional users:
   # ./213912005_clone_shell.sh examplecom1 examplecom2
   Changing examplecom1 shell from /bin/false to /usr/local/psa/bin/chrootsh
   Adding examplecom1 to the chrooted passwd file
   Changing examplecom2 shell from /bin/false to /usr/local/psa/bin/chrootsh
   Adding examplecom2 to the chrooted passwd file

but be careful. it is really dirty and may lead you to the dark side.
please apply on your own risk only!