[BlueOnyx:23587] Re: ssh failure of migrated users

Michael Stauber mstauber at blueonyx.it
Sun Jan 19 18:43:42 -05 2020


Hi Maurice,

> In /usr/sausalito/handlers/base/shell/users_shell.pl, line 147:
> the statement checks for $shell->{enabled} eq "3". Is this correct? I
> think the "3" means Full shell access, in which case no jail should be set.
> 
> Furthermore, in that same line, there also is a check for $user->{site}
> == "". Shouldn't that be eq instead of ==, because it is a string
> comparison?
Actually: I'm trying to wrap my mind around this myself at the moment
and I don't recall all the intricacies. :p

See line 136 of /usr/sausalito/handlers/base/shell/users_shell.pl first:

my ($success, $bad_users, $err, $errmsg) = usermod($changeUser);

That runs usermod() on the user in question and that modifies
/etc/passwd on the server to fix the shell and home directory there.

Based on the $success of that command we either report failure, or
execute further with the stuff from lines 147-160.

Now that line 147 is a perfect example of a convoluted mess with way too
many things that can go wrong.

Let us take line 147 apart and format it in a slightly different way:


if  (
      (
        ($shell->{enabled} eq "1") ||
        ($shell->{enabled} eq "2") ||
        ($shell->{enabled} eq "3")
      )
      &&
      (
        ($user->{systemAdministrator} eq "1") ||
        ($user->{site} == "")
      )
    )
    {
      # Conditionally execute /usr/sbin/jk_jailuser
    }

The /usr/sbin/jk_jailuser is run against the /etc/passwd file inside the
chrooted jail and NOT the real one from the server itself.

Currently it is only run if the User's $shell->{enabled} is set to
either "1", "2" or "3" *AND* if $user->{systemAdministrator} is set to
"1" and the User does NOT belong to a Vsite.

Means: As is that part will only work if the user is a
systemAdministrator, but it won't do anything for regular Vsite users.

And I think the logic in *that* final part is reversed from what it
should be:

We WANT to run it for regular Vsite users, but NOT systemAdministrators.
At least from what I faintly remember about it.

I'll look into this on Monday on a test box and will play a few test
scenarios through to see what it does and compare that with what it
actually *should* do.

-- 
With best regards

Michael Stauber
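Added illustration, not part of the post above: a small Perl script that evaluates the quoted line-147 condition as written (with the numeric `==`) and again with the string `eq` Maurice suggests, over a few constructed user records. It assumes nothing about the rest of users_shell.pl; the `jail_as_written`/`jail_with_eq` names and the sample accounts are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample accounts (not taken from the list post).
my @users = (
    { name => 'admin',  systemAdministrator => '1', site => ''      },
    { name => 'nosite', systemAdministrator => '0', site => ''      },
    { name => 'bob',    systemAdministrator => '0', site => 'site1' },
);
my $shell = { enabled => '2' };   # any of "1", "2", "3" passes the first half

# The condition as quoted from line 147: $user->{site} == "" is a numeric
# comparison. Both sides numify to 0 ("site1" and "" alike), so it is true
# for every user and the systemAdministrator test never matters.
sub jail_as_written {
    my ($user) = @_;
    no warnings 'numeric';   # keep the "isn't numeric" warning from hiding the result
    return (   ($shell->{enabled} eq "1")
            || ($shell->{enabled} eq "2")
            || ($shell->{enabled} eq "3"))
        && (   ($user->{systemAdministrator} eq "1")
            || ($user->{site} == ""));
}

# The same condition with a string comparison (eq), as Maurice proposes.
# Now only users whose site really is the empty string, or admins, match.
sub jail_with_eq {
    my ($user) = @_;
    return (   ($shell->{enabled} eq "1")
            || ($shell->{enabled} eq "2")
            || ($shell->{enabled} eq "3"))
        && (   ($user->{systemAdministrator} eq "1")
            || ($user->{site} eq ""));
}

printf "%-7s site=%-8s as_written=%d  with_eq=%d\n",
    $_->{name}, "'$_->{site}'",
    jail_as_written($_) ? 1 : 0,
    jail_with_eq($_)    ? 1 : 0
    for @users;
```

Running it shows the Vsite user "bob" matching under the `==` form but not under `eq`, which is the behaviour difference worth checking on the test box before deciding whether the admin/Vsite logic itself is reversed.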
