Chroot-jail password problem

Similar Messages

• [solved] nginx chroot jail: open() "/run/nginx.pid" Permission denied

  I used the perl script from the nginx wiki to configure chroot jail and also configured the nginx systemd unit file. When I try to start the service I get
  # systemctl start nginx
  Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
  # systemctl status nginx.service
  nginx.service - A high performance web server and a reverse proxy server in chroot jail
  Loaded: loaded (/etc/systemd/system/nginx.service; enabled)
  Active: failed (Result: exit-code) since tis 2013-05-07 20:58:49 CEST; 4s ago
  Process: 418 ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g pid /run/nginx.pid; daemon on; master_process on; (code=exited
  , status=1/FAILURE)
  Executing the ExecStartPre line produces the open error.
  # /usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
  nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
  What could be causing this?
  Here's my nginx.service
  # cat /etc/systemd/system/nginx.service
  [Unit]
  Description=A high performance web server and a reverse proxy server in chroot jail
  After=syslog.target network.target
  [Service]
  Type=forking
  PIDFile=/srv/http/run/nginx.pid
  ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
  ExecStart=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
  ExecReload=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
  ExecStop=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit
  [Install]
  WantedBy=multi-user.target
  /srv/http/run
  # ls -ahl /srv/http/run/
  totalt 8,0K
  drwxr-xr-x 2 root root 4,0K 7 maj 20.53 ./
  dr-x--x--x 9 root root 4,0K 7 maj 20.16 ../
  -rw-r--r-- 1 root root 0 7 maj 20.53 nginx.pid
  edit:
  # chroot --userspec http:http /srv/http /usr/sbin/nginx
  nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
  I tried to change the port to 8080 and got
  # chroot --userspec http:http /srv/http /usr/sbin/nginx
  nginx: [emerg] open("/dev/null") failed (13: Permission denied)
  solution:
  The problem was due to the partition being mounted nodev,nosuid.
  Last edited by seron (2013-05-08 11:25:12)

  I know this post is quite old but I wanted to say thank you to the author that you posted this solution. THANKS!!!

• About chroot jails and ACL

  I want to run rtorrent in a chroot jail. Correct me if wrong, but jailing rtorrent would consume much more RAM cause rtorrent will not use libraries that it needs and may be already in memory.
  So I wonder, why people just don't create a new user, install ACL, block everything to that user but read access to /lib and some config files, and execute permission to only the needed binaries. It would be easy to do since as I understand if you block all /bin permissions to the restricted user, all future files there will inherit those permissions. The only problem I see is that if you update, you will have to set some permissions again, easily fixed with a script. ACL seems much more easier to setup than chroot jails!
  When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
  So, why is it that people seem to prefer chroot jails? Does installing ACL has some kind of performance penalty?

  _Mike_ wrote:Does installing ACL has some kind of performance penalty?
  Do you mean Mandatory Access Control? Filesystem ACL is already installed on every Linux system.
  When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
  Chroot jails were not created to be used as a security tool and are very easy to break out of. Filesystem ACL is very limited in scope and also provides little security.
  You might want to look into using Mandatory Access Control (MAC) which is available with TOMOYO Linux, AppArmor, SELinux or SMACK. SELinux is the most powerful, but will take a long time to master. TOMOYO Linux is easier to use and the relevant packages are already in [community]. See the wiki page for more information.
  All MAC implementations have a small degree of performance penalty. SELinux probably has the greatest penalty, but overall you probably won't notice anything with any of the implementations.
  Last edited by jnguyen (2011-04-13 06:48:36)

• SFTP only access in chrooted jail?

  Hi
  I'm trying to make it so a user only has sftp access in a chrooted jail.
  I've tried following a couple walkthroughs with no success
  http://www.macresearch.org/restricted-sftp-mac-os-x-leopard
  http://www.debian-administration.org/articles/590
  This is 10.6.2 Server.
  I created my user and ran the following steps as root.
  chmod g-w /
  chmod g-w /Volumes/HD
  chown root /Volumes/HD
  mkdir /Volumes/HD/user_dir
  chown user /Volumes/HD/user_dir
  chmod 700 /Volumes/HD/user_dir
  I've added this to my sshd.config file:
  # override default of no subsystems
  #Subsystem sftp /usr/libexec/sftp-server
  Subsystem sftp internal-sftp
  Match User user
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /Volumes/HD
  ForceCommand internal-sftp
  Here is what I get when I try to ssh or sftp:
  sftp user@localhost
  Connecting to localhost...
  Password:
  Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
  Connection closed
  Any helps is greatly appreciated.
  Thanks.

  hmmm strange. think i figured it out.
  finall went with
  Subsystem sftp internal-sftp
  Match User user
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /chroot
  ForceCommand internal-sftp
  create a new dir chroot and another dir inside it.
  the Chroot must be own by root and groups or other cannot have write access to any of it.
  the dir i created inside chroot is chmod 700 and owned by my user.
  it looks like because ChrootDirectory must have the directory own by root and unwritable by others, you can't direct your user directly to their locked down dir. they must sftp in to chroot then cd to their folder.
  not sure how to get around this.

• I have a password problem. After importing data and settings from one MacBook Pro to a new one, I have to put my iCloud password in when re-starting, but the password from the old computer in when waking the computer from sleep.

  I have a password problem. After importing data and settings from one MacBook Pro to a new one, I have to put my iCloud password in when re-starting the new computer, but the password from the old computer in when waking the computer from sleep. I want to use my iCloud password on both computers consistently. How can I fix this?

  The only other place to change a password for the computer login is in Users & Groups preferences. But I don't really know enough here to fix your problem. You can try fixing the keychain:
  iCloud- Frequently asked questions about iCloud Keychain
  Tutorial: Resolving Keychain Issues
  If you can't access your keychain, or forget your password If you can't get into your keychain file because you've forgotten your password or the keychain file appears to be corrupt, there are a couple of options.
  First, if you've forgotten your password, you can use the "Keychain First Aid" utility to make the keychain password the same as the login password. This can be accomplished via the following process:
    1. Open Keychain Access (located in Applications/Utilities)
    2. Go to the "Keychain Access" menu and select "Preferences"
    3. Click the "First Aid" tab
    4. Make sure the "Synchronize login keychain password" box is checked
    5. Close the Preferences window
    6. Go to the "Keychain Access" menu and select "Keychain First Aid"
    7. Enter your username and password
    8. Click the "Repair" button
  The second option is to completely delete your keychain then recreate it. This routine is useful if your keychain appears to be corrupt or otherwise inaccessible. This can be accomplished as follows:
    1. Launch Keychain Access (located in Applications/Utilities)
    2. Click "Show Keychains" in the lower-left corner of the window.
    3. Select the problematic keychain from the left-hand pane.
    4. Navigate to the "File" menu and select "Delete Keychain '(name of keychain)'"
    5. Check all options for deletion and press "OK"
    6. Create a new keychain by going to the "File" menu, then "New" and selecting
        "New Keychain"
    7. You can now make this keychain your default if you desire by selecting it, then
        going to the "File" menu and selecting "Make '(name of keychain)' Default"
  Login as root and perform repair In some cases, problems with keychains can only be resolved when logged in as the root user.
  First, you want to enable the root user:
    1. OS X Mountain Lion: Enable and disable the root user
    2. OS X Lion: Enable and disable the root user
    3. Mac OS X 10.6: Enabling the root user
    4. Enabling and using the "root" user in Mac OS X
  After enabling the root user, and logging in under this account, again open Keychain Access. First attempt repairs using Keychain First Aid, and failing that, delete then recreate the keychain as described above while logged in as root.
  Persistently asked for stored passwords If you are persistently asked for passwords in various applications that you have specified should be remembered in a keychain, your "login" keychain may not be active for one reason or another.
  Navigate to ~/Library/Keychains/ (this is the Library folder inside your user's home folder). Find the file named "login.keychain" and double-click it.
  Failing that, select the "login" keychain within the Keychain Access application and make sure it is the default keychain by going to the "File" menu and selecting "Make 'Login' Default"
  Turn off Keychain synchronization in applications having problems If specific applications are experiencing issues when accessing password-protected material, the Keychain may be to blame.
  The above comes from an article published on MacFixit.com.

• WRT110 WIFI password problem

  Hi Everyone,
  I've got a very strange problem.  First, I indicated WPA under Wireless Security section and typed in my passphrase.  However when connecting to my wireless network name my passphrase never worked.  Second, I completely disabled security and tried to simply connect without any passphrase, but I was still being asked for a passphrase nonetheless.  I checked and double-checked and saved settings making sure security was disabled, but I was still being asked for a passphrase when choosing my wireless network!
  I could probably restore my WRT110 to factory settings, however I don't want to loose other configurations like certain open ports and IP addresses I opened up for firewall.
  Is there a way for me to resolve my WiFI password problem without restoring to factory default?  I just need to figure out how to make the WiFi passpharse work.  Here's what I have there:
  Security Mode: WPA Personal
  Encryption: TKIP
  Passphrase: 0sunspot0
  Key Renewal: 3600 seconds
  However, when I pick my wireless network and try to connect to it by typing in 0sunspot0, I get authentication failure!
  Am I doing something wrong?
  Thanks,
  Victor.
  Solved!
  Go to Solution.

  I have misplaced all relevant info. for my router.  I am trying to connect to a mini ipad.  What do I need?
  Is the router up and running and you would only want to add a device wirelessly? If so, you may access the setup page as sabretooth has said. To check the wireless settings, you may check this link, http://kb.linksys.com/Linksys/ukp.aspx?vw=1&docid=476326f36c294e579ba6691a8db5411e_3698.xml&pid=80&r...

• Sys password problem "INSUFFICIENT PRIVELEGES"

  hi,
  This is with refernece to my earlier post, i can now login as a DBA thry OS authentication.
  Re: sys password problem
  but now i try to vreate a new password file and it successfully created using orapwd....
  but when i try to login as a sys user thru oracle authentication i couldn't because i am getting an error
  "INSUFFICIENT PRIVELEGES"
  and another thing i would like to know do i have to shutdown the database or not for the same.

  Please review the document link sent earlier
  Setting REMOTE_LOGIN_ PASSWORDFILE
  In addition to creating the password file, you must also set the initialization parameter REMOTE_LOGIN_PASSWORDFILE to the appropriate value. The values recognized are:
  NONE: Setting this parameter to NONE causes Oracle Database to behave as if the password file does not exist. That is, no privileged connections are allowed over nonsecure connections.
  EXCLUSIVE: (The default) An EXCLUSIVE password file can be used with only one instance of one database. Only an EXCLUSIVE file can be modified. Using an EXCLUSIVE password file enables you to add, modify, and delete users. It also enables you to change the SYS password with the ALTER USER command.
  SHARED: A SHARED password file can be used by multiple databases running on the same server, or multiple instances of a Real Application Clusters (RAC) database. A SHARED password file cannot be modified. This means that you cannot add users to a SHARED password file. Any attempt to do so or to change the password of SYS or other users with the SYSDBA or SYSOPER privileges generates an error. All users needing SYSDBA or SYSOPER system privileges must be added to the password file when REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE. After all users are added, you can change REMOTE_LOGIN_PASSWORDFILE to SHARED, and then share the file.
  This option is useful if you are administering multiple databases or a RAC database.
  If REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE or SHARED and the password file is missing, this is equivalent to setting REMOTE_LOGIN_PASSWORDFILE to NONE.

• Password Problem for some applications:

  Password Problem for some applications: I'm unable to download Adobe Reader, Microsoft updates.  I have no password set to start the computer, applications such as Pages, Numbers, Keynote require no password for updates. 
  When I try to update Microsoft or Adobe Reader, first I try with no password, I get a hint and I know exactly what it means, but still unable to download.  I don't know enough about passwords as to why some I can download and others I can't.  So I don't know what I should read.  I'm the only user of this computer and prefer not to have to deal with passwords.  I'm using a MacBook Pro, Mac OS 10.9.3

  Oh what a tangled web we weave.  I read up on keychain and I don't understand what I'm reading.  Right now I cannot download my email on my computer, I can access it through the cloud. I'm sure it will be the same for the other iCloud feathers.   When I go to preferences and select iCloud when ever I try to sign in I get some dialog box it shows up "A keychain cannot be found to store 1076701306.  It doesn't matter whether I reset it or cancel it out iCloud preferences remains grayed out. 
  In keychain access on the left side under keychains and Read's local item, systems, and systems roots.
  When I select local items nothing shows up to the right under the name column even when down under all items is selected nothing shows up.  And nothing shows up to the right when under categories I selected the other options password etc.  On the other hand when I select under keychains systems, systems roots I do get items to show up on the right side under names under all items, passwords, etc.  Where do I start?

• Chroot jail in FTP?

  I asked this question about two years back, but I'm hoping there's an
  answer now...
  Is there a way to lock ftp clients into their home directory, so that
  cannot go back a directory level? Essentially their home directory is
  their root directory.
  Previously using linux ftp servers, you could do this with an option
  called 'chroot jail', but I'm not seeming the same feature on the
  Netware ftp.
  Is there a way to do this? I'm running NW 6.5sp6.
  Thanks!
  Matt

  Did you check the date of the TID though ? <g>, I'm surprised no one
  pointed it out last time you asked
  Cheers Dave
  Dave Parkes [NSCS]
  Occasionally resident at http://support-forums.novell.com/

• MySQL, to chroot jail or not?

  I didn't know that it was ever considered to be worth it.  This is not a common practice, even in large firms I am not aware of anyone doing this. I saw not worth it.

  Hey Guys,
       We're moving to a new host for our VPS and it's a different OS, (Ubuntu, we're coming from CentOS). 
       On our previous server we chroot jailed mysqld. but now I've been doing some research and there's a bunch of people out there that say it's not even worth it to do it anymore.
       Do you guys think this is true? Should I waste my time setting up the chroot jail? or should I just install it like any other application on the server base?
  This topic first appeared in the Spiceworks Community

• Outgoing Mail & Password Problems-Solution

  Hi All,
  After upgrading to Snow Leopard I had a couple of issues.
  1) Couldn't send mail
  2) Passwords in Mail were not getting saved
  To resolve the outgoing mail problem see this article
  http://support.apple.com/kb/TS2998
  Basically edit your outgoing server and change the outgoing port to custom and put in you appropriate port number. I use Cox without SSL so I used 25
  For the password problem go to your Home folder, go into Library and move the folder called "Keychain to the trash then restart. After restarting open Mail go into Preferences and add your password back to your account. It should now retain the password. This will also help with other apps like Safari that use Keychain to store passwords.
  Also I was able to copy a keychain from another computer to get back all of the passwords I already had. After the upgrade my keychain was mostly empty.
  Good Luck,
  Mark

  Had been trying that, to no avail. Found that I had to entirely delete the account and set up entirely new account with new password which worked.
  Thx

• Email password problem!!

  I've had this macbook for about 1-1/2 years and for the first year or so had no email-related problems. However, for the past 6 months or so, I have password problems relating to one of my email accounts. Several times per day (even several times per minute), I will get a message on the screen something like this: The incoming mail server incoming.verizon.net has rejected the password for the account (my personal email account). Please re-enter the correct password. There is a little checkbox "remember this password in my keychain". Doesn't matter whether I check this box or not, five minutes later the message is there again.
  I have gone to Preferences/Accounts, deleted and re-entered the password, but it has no effect. I have three other email accounts on this macbook that are unaffected.
  Can anyone help? I'm getting reeeaaaalllly frustrated.

  Hi there!
  OK--some confusion here. There are two types of accounts to discuss -- your BIS account and your email accounts.
  BIS is Blackberry Internet Service, the service, hosted by your carrier, that provides the conduit between your BB and your internet facing email services (e.g., Yahoo, Gmail, etc.). BIS has credentials for accessing it.
  Your email accounts likewise have their own credentials. These credentials are stored within BIS so that it can, without your intervention, check your email services and see if there's anything to deliver to your BB...and do so if there is.
  The screen you described sounds like your BIS credentials screen -- those credentials are whatever they are. And probably not the same as your email account credentials. You need to know what your BIS credentials are..they are yours. If you don't know them, then you need to contact your carrier for assistance as they manage your BIS account.
  Good luck and let us know!
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• IPod touch disabled  - password problem - was able to reset apple id

  iPod touch disabled - password problem - I reset apple id & password, now having trouble syncing.

  iOS: Forgotten passcode or device disabled after entering wrong passcode
  Try restoring Recovery Mode:
  iClarified - iPhone - How to Put an iPhone Into Recovery Mode
  If unsuccessful, try DFU mode:
  iClarified - iPhone - How to Put an iPhone Into DFU Mode
  After restoring, set as new iPod:
  iOS: How to back up your data and set up as a new device
  OR
  Restore from back up:
  iOS: How to back up
  Hope this helps.

• Plagued by Password Problems

  The current problems I'm experiecing with my password started back in the summer last year (2014). What would happen is that, whilst on my PC, Outlook would, out of the blue, suddenly request that I enter my password - which it already had, of course. But when I did renter it, it still kept on requesting it and refused to send or receive any email. I then turned to my iPhone, and it too was no-longer able to send or receive email, claiming an invalid password.
  I then went onto my BT home page and accessed my BT Yahoo email via the internet, which was still working. However, after a while I would even find myself blocked from BT Yahoo account - BT requesting that I reset my password. I would do that, and for a while, Outlook, iPhone and BT Internet all worked fine. A few weeks later however, we have a reapeat performance - Outlook stops working, iPhone stops working and I'm back having to use the BT Yahoo website. I reset my password again. This scenario has played out numerous time over the last 8 - 10 months.
  I became so frustrated in Jamuary this year, that I contacted the BT email helpline and an engineer (who I have to say had very little patience with me, regarding the problems I was having as self-inflicted) eventually gave me a new password and reset it for me at their end, telling me this would cure all my failed password problems - and it did, for a while. The whole fiasco kicked off again several weeks later. Again another BT engineer reset my password at the beginning of April this year - it lasted a week before the dreaded Outlook dialog, "Enter Username and Password" appeared and my iPhone stopped receiving - again.
  Recently passwords have been lasting for only a few days and it's not been unsually to have to reset my password several times in one day. It's becoming a nightmare. I need a password to last more than a few hours, days or even weeks. I need Outlook working. I need to be able to use my iPhone to send and receive email, not worrying about when the next "failed password" error message is going to appear - forcing me back onto the BT Yahoo website.
  I've raised this issue via the BT helpline with two of their engineers now, and despite their best efforts and assurances, the problem is still present and as bad as ever. I can't carry on like this and it's affecting, not just my social life, but my working life too.
  Does anyone have a longterm fix for this problem? And am I alone in this experience?
  Prof.

  Professor wrote:
  The current problems I'm experiecing with my password started back in the summer last year (2014). What would happen is that, whilst on my PC, Outlook would, out of the blue, suddenly request that I enter my password - which it already had, of course. But when I did renter it, it still kept on requesting it and refused to send or receive any email. I then turned to my iPhone, and it too was no-longer able to send or receive email, claiming an invalid password.
  I then went onto my BT home page and accessed my BT Yahoo email via the internet, which was still working. However, after a while I would even find myself blocked from BT Yahoo account - BT requesting that I reset my password. I would do that, and for a while, Outlook, iPhone and BT Internet all worked fine. A few weeks later however, we have a reapeat performance - Outlook stops working, iPhone stops working and I'm back having to use the BT Yahoo website. I reset my password again. This scenario has played out numerous time over the last 8 - 10 months.
  I became so frustrated in Jamuary this year, that I contacted the BT email helpline and an engineer (who I have to say had very little patience with me, regarding the problems I was having as self-inflicted) eventually gave me a new password and reset it for me at their end, telling me this would cure all my failed password problems - and it did, for a while. The whole fiasco kicked off again several weeks later. Again another BT engineer reset my password at the beginning of April this year - it lasted a week before the dreaded Outlook dialog, "Enter Username and Password" appeared and my iPhone stopped receiving - again.
  Recently passwords have been lasting for only a few days and it's not been unsually to have to reset my password several times in one day. It's becoming a nightmare. I need a password to last more than a few hours, days or even weeks. I need Outlook working. I need to be able to use my iPhone to send and receive email, not worrying about when the next "failed password" error message is going to appear - forcing me back onto the BT Yahoo website.
  I've raised this issue via the BT helpline with two of their engineers now, and despite their best efforts and assurances, the problem is still present and as bad as ever. I can't carry on like this and it's affecting, not just my social life, but my working life too.
  Does anyone have a longterm fix for this problem? And am I alone in this experience?
  Prof.
  It is likely you are suffering from the problem of multiple device access to your email account.  You need to ensure that if you are accessing your email by several devices and methods that they do not conflict. 
  I have sent you a private message (PM) that gives general longterm fix to the problem.  Please feel free to reply via the PM method. I have found that this is the best mechanism to progress the issue.

• SFTP password problem

  Hi Everyone,
  I've just begun setting up Server with port forwarding through my Airport Time capsule.  Everything works when I SFTP as myself.  from terminal, either SFTPing to [email protected] and entering my apssword lets me in... as well as simply SFTPing to 123.456.789.000 and entering my password.
  problem is, I created another account.  I created one account through "users" in system settings, and I tried to create another account within Server.  both accounts I gave administrator priveleges to, just for good measure.
  both accounts come back saying incorrect password.  my spider sense is telling me that it might have something to do with the way MY username is configured -- in my previous experience, I shouldn't be able to simply ftp to the raw IP without a user@ and have it ask me for a password.
  Thanks,
  Aemilia

  So if I understand this correctly, you now have two accounts with the same short name?  You'll want to resolve that duplication; that's not something that works well, and all sorts of stuff can get tangled.
  If you don't have duplicated shortnames here, then there's something else going on.  Start by confirming the remote account has ssh access and a valid and accessible login home directory; that's all necessary for ssh (and sftp, which is based on ssh) to work.
  Also have a look at the system logs for any related errors.
  Also consider setting up certificate-based logins for ssh (and sftp), as those are more secure than passwords, and particularly given the prevalence of brute-force ssh attacks on the network.