[SOLVED] Centos 7 / Plesk 12 Chroot Not Working. | Users breaking out of chroot directory.

[J.Wick]

Hi, I just migrated servers and now when logging in with chroot users, they can navigate all over the file system. I'm using Centos 7 w/ Plesk 12.0.18.

Any help in resetting permissions with chroot would be appreciated!

 

[UFHH01]

Hi SpyderZ,

did you use "/usr/local/psa/bin/repair --restore-vhosts-permissions" already?

For further CLI commands, regarding "chroot" management, please have a look at:

Reference for Command Line Utilities, Plesk 12.0 for Linux​

... and use for example the search word "chroot".

 

[J.Wick]

Hi SpyderZ,

did you use "/usr/local/psa/bin/repair --restore-vhosts-permissions" already?

For further CLI commands, regarding "chroot" management, please have a look at:

Reference for Command Line Utilities, Plesk 12.0 for Linux​

... and use for example the search word "chroot".

Yes, I ran that command. When I disable all access through the Plesk Web Hosting Access, I'm still able to login to the server. I did a bootstrap repair as well.

Had these errors at the end of the process on Centos 7

which: no unrar in (/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin)

Trying to install sftp-server binary into chroot environment... cp: cannot stat 'internal-sftp': No such file or directory

done

/var/www/vhosts/chrootinternal-sftp: inode/directory; charset=binary
probably it will not work in chrooted accounts

WARNING!

Some problems are found during register /var/www/vhosts/chrootinternal-sftp in chrooted environment(see log file: /var/log/plesk/install/plesk-whc-installation.log)

Continue...

cp: cannot stat '/lib/ld-linux*': No such file or directory
cp: cannot stat '/lib/libnss_*.so.2': No such file or directory
'/lib64/libnss_myhostname.so.2' -> '/var/www/vhosts/chroot/lib64/libnss_myhostname.so.2'
'/var/www/vhosts/chroot/etc/resolv.conf' => '/etc/resolv.conf'

done

Checking that /usr/local/psa/bin/chrootsh registered as login shell...

/usr/local/psa/bin/chrootsh already registered as a login shell

 

[J.Wick]

Hi SpyderZ,

did you use "/usr/local/psa/bin/repair --restore-vhosts-permissions" already?

For further CLI commands, regarding "chroot" management, please have a look at:

Reference for Command Line Utilities, Plesk 12.0 for Linux​

... and use for example the search word "chroot".

OK, I've managed to get it down to one error, while running bootstrap repair.


Trying to install sftp-server binary into chroot environment... Warning: sftp-server binary not found

+ sftp connections will not be available for chrooted accounts


In my sshd_config

Subsystem sftp /usr/libexec/openssh/sftp-server

I verified the directory and file location on Centos 7. I don't know why bootstrap is complaining about this. It also explains why I can't login with chroot, but can with bash.

 

[J.Wick]

SOLVED

The bootstraprepair.sh file is programmed to filter out spaces in the sshd_config file, not tabs, which is what stock Centos 7 comes with.

In my sshd_config

Subsystem sftp /usr/libexec/openssh/sftp-server

I changed them to spaces and bootstraprepair worked properly and installed the sftp-server properly into the chroot.

Subsystem sftp /usr/libexec/openssh/sftp-server

I also ran reconfigure domains,
/usr/local/psa/admin/sbin/httpdmng --reconfigure-all

Reset permissions,
/usr/local/psa/bin/repair --restore-vhosts-permissions

Stopped and restarted sshd and Plesk, and everything is now connecting and functioning as designed.

This is a bug in the bootstraperrepair script, where extra code should be added to compensate incase of tabs vs. spaces for the sftp-server subsystem line.