User Is Locked out of Own Home Folder

[BawdyAnarchist]

I was trying to open a spreadsheet inside of a jail as a user, with openoffice. Well, Openoffice crashed, and when I tried to jexec back into the user shell, I kept getting permission denied. So I root inside, ls -a the home folder. Permissions are "user:user", and the directory highlighted YELLOW??

The home directory is nullfs mounted into the jail, rw, from host. It is yellow from both the host and jail. And I noticed that the directory named "." (dot) (just the one-dot, not the two-dot) is also highlighted yellow.

Finally, this is a different yellow than devices inside of /dev. It's slightly darker yellow, with black lettering.

 

[chrbr]

As far as I understand there is no direct way for a user to access the jail by jexec(8). There is a tool sysutils/jailme/ which allows that in case the user name and id match. Strange, there is no man page. Therefore I post the output of the package information below.

pkg info jailme
jailme-0.2.0
Name           : jailme
Version        : 0.2.0
Installed on   : Tue Aug 25 18:06:31 2020 CEST
Origin         : sysutils/jailme
Architecture   : FreeBSD:12:amd64
Prefix         : /usr/local
Categories     : sysutils
Licenses       : BSD2CLAUSE
Maintainer     : freebsd-ports-maintainers@intermedix.com
WWW            : https://github.com/Intermedix/jailme
Comment        : Setuid version of jexec to allow normal users access to jails
Annotations    :
        FreeBSD_version: 1201000
        repo_type      : binary
        repository     : FreeBSD
Flat size      : 16.8KiB
Description    :
jailme is a modified version of FreeBSD's jexec.

This version is installed setuid and does some sanity checking
to ensure the username and UID match between the jail and the
host system.

WWW: https://github.com/Intermedix/jailme

Then jailme THEJAIL sh should open a shell running in the jail.

 

[BawdyAnarchist]

As far as I understand there is no direct way for a user to access the jail by jexec(8). There is a tool sysutils/jailme/ which allows that in case the user name and id match. Strange, there is no man page. Therefore I post the output of the package information below.

pkg info jailme
jailme-0.2.0
Name           : jailme
Version        : 0.2.0
Installed on   : Tue Aug 25 18:06:31 2020 CEST
Origin         : sysutils/jailme
Architecture   : FreeBSD:12:amd64
Prefix         : /usr/local
Categories     : sysutils
Licenses       : BSD2CLAUSE
Maintainer     : freebsd-ports-maintainers@intermedix.com
WWW            : https://github.com/Intermedix/jailme
Comment        : Setuid version of jexec to allow normal users access to jails
Annotations    :
        FreeBSD_version: 1201000
        repo_type      : binary
        repository     : FreeBSD
Flat size      : 16.8KiB
Description    :
jailme is a modified version of FreeBSD's jexec.

This version is installed setuid and does some sanity checking
to ensure the username and UID match between the jail and the
host system.

WWW: https://github.com/Intermedix/jailme

Then jailme THEJAIL sh should open a shell running in the jail.

Just to be specific, I said that i was trying to jexec back into the user *shell*. Which is definitely supported by jexec. I wasn't trying to launch openoffice from jexec. The only way to get a terminal inside the jail was to go as root.

More relevant than anything is the home folder of the user having the proper permissions, (no chflags or anything either), and of course, being highlighted yellow, whereas it was normal before the openoffice crash

 

[chrbr]

Just to be specific, I said that i was trying to jexec back into the user *shell*. Which is definitely supported by jexec.

I have expected that as well. But it did not work for me, too. I have just tried to jexec CLEANJAIL sh or jexec CLEANJAIL ls. The result is jexec: jail_attach(2): Operation not permitted.

I wasn't trying to launch openoffice from jexec. The only way to get a terminal inside the jail was to go as root.

The same here. May be someting has changed in the default jail behaviour. Or my memory is not well.

More relevant than anything is the home folder of the user having the proper permissions, (no chflags or anything either), and of course, being back highlighted yellow.

I am not sure about the colours because this can be a matter of configuration. I guess there is a crash file remaining which prevents Openoffice to restart. With ls -a the files starting with a dot show up, too.

About starting applications in a jail (just for information) - I use a browser in a jail and start it as
/usr/local/sbin/jailme fox firefox 2>/dev/null &. In the past that worked for office stuff in a jail as well.

 

[BawdyAnarchist]

I have expected that as well. But it did not work for me, too. I have just tried to jexec CLEANJAIL sh or jexec CLEANJAIL ls. The result is jexec: jail_attach(2): Operation not permitted.

The same here. May be someting has changed in the default jail behaviour. Or my memory is not well.

It sounds like a permssions problem. Are you root? Do you have chflags set? To check flags, run ls -lo /path/to/jail . You should see uarch and not schg , for the jail directory.

I am not sure about the colours because this can be a matter of configuration. I guess there is a crash file remaining which prevents Openoffice to restart. With ls -a the files starting with a dot show up, too.

It was most definitely a permissions problem with the user's /home/user/ directory and not openoffice. The highlight yellow indicated an abnormality that I've only seen previously when copying files from ext4 USB :: and since these files were recently copied from a ext4 USB, I'm going to assume a connection. But anyways, since no one responded with what is happening or how to fix it, I created a new home directory, and copied the files to it. Problem solved (at least for now).

About starting applications in a jail (just for information) - I use a browser in a jail and start it as
/usr/local/sbin/jailme fox firefox 2>/dev/null &. In the past that worked for office stuff in a jail as well.

FYI, you can use jexec to run most any program in a jail, but it requires a little script trick: jexec <jail> csh -c <program> This assumes you have the program installed in the jail. A more complete version looks more like this: jexec -l foxjail csh -c firefox > /dev/null/ 2>&1 &

I prefer not to install anything other than the bare minimum to the host, as these things increase attack surface. I install them to jails, and run them inside of jails.

 

[chrbr]

But anyways, since no one responded with what is happening or how to fix it, I created a new home directory, and copied the files to it. Problem solved (at least for now).

This is good to know.

You should see uarch and not schg , for the jail directory.

This looks fine on my system.

FYI, you can use jexec to run most any program in a jail, but it requires a little script trick: jexec <jail> csh -c <program>

This works for root but not on my normal account. Does that with for you as non-root?

This is my /etc/jail.conf

fox {
        path = "/usr/jails/fox";
        host.hostname = "fox";
        ip4.addr = "10.0.0.3";
        interface = "lo1";
        allow.raw_sockets = 1;
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        devfs_ruleset = 5;
        mount.devfs;
        mount.fstab = "/etc/fstab.fox";
 }

And this is the /etc/rc.conf in the jail which is more or less a copy of an old ezjail config.

network_interfaces=""
rpcbind_enable="NO"
cron_flags="$cron_flgs -J 15"
syslogd_flags="-ss"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
sshd_enable="NO"
dbus_enable="YES"

I have found https://forums.freebsd.org/threads/unprivileged-jails.70176/ which also states that root privileges are required. But one proposal is to tweak exec.jail_user and exec.system_user. Additionally sysutils/jailme is suggested which works for me. But I would like to understand where is the difference between my setup and yours.

 

[BawdyAnarchist]

Well, if you don't have root, then I would consider adding your user account to the wheel group (if possible) so you can escalate as necessary.
I haven't attempted to create a user account on the host, I'm running host as root all the time, so I can't answer your question about jails with non-root. Maybe in a few weeks I'll think about a user account for host, but I have doubts that I could effectively operate without root, unless I really got my setup fine-tuned.

My setup involves a host that almost never connects to the internet. I created a bhyve virtual machine with PCI passthrough for the networking card. I have another VM for flash USB devices. From there, connections are routed to various tunnels (VPNs, Tor), firewalled, and then connected to downsteam jails where I do actual stuff (like chatting on open source forums). I have another jail merely for random browsing and research activities.

All of my jails are based on custom templates with similar functions. I have a base template, a networking template, and a GUI template with kde stuff installed. What's more, when I turn off the jail, everything but the home folder and some config stuff gets destroyed. When I start jails, a snapshot of the template is cloned, and the jail's home folder is remounted. This helps to ensure that any malware I might come across, is likely to be destroyed quickly.

I'm pushing a bit under 1000 lines of script to automate all this in the background. I haven't messed with EZjail or IOCAGE. I knew from the beginning that my requirements almost certainly wouldn't align, and I might as well script it from scratch. It's also been (and still is) an amazing learning experience. Good luck with figuring out why your jail won't start. Again, it's probably because you need root.

 

[chrbr]

I haven't attempted to create a user account on the host, I'm running host as root all the time, so I can't answer your question about jails with non-root.

Ok, then this is the misunderstanding. I thought you can jexec sh as normal user.

I'm pushing a bit under 1000 lines of script to automate all this in the background. I haven't messed with EZjail or IOCAGE. I knew from the beginning that my requirements almost certainly wouldn't align, and I might as well script it from scratch. It's also been (and still is) an amazing learning experience.

.
This sounds very good. I have started using sysutils/ezjail. But now I do that manually by creating a basejail and clone it using the features of ZFS. About starting applications in a jail I found https://forums.freebsd.org/threads/...-in-a-jail-using-iocage-and-ssh-jailme.53362/ very helpful. Basically it motivated me to start with jails.

Good luck with figuring out why your jail won't start. Again, it's probably because you need root.

sysutils/jailme works for me using the normal user account. By the way, the ssh method as described in the HowtoDo worked as well. But for x-forwarding took much more computing resources. It is fine with me. I with you success with your project!