How to rebuild chroot template on a server with Plesk?


  • Ultra Graphics

    Hello! I tried this method to rebuild the CHROOT that stopped working on our server (essentially /bin/bash (chrooted) connection method stopped working for all 60+ websites over SFTP). I thought this might be the ticket to fix but it didn't work. I did notice that when running through the process it said it couldn't find "bin". Could that possibly be causing my problem? I would very much appreciate any guidance you can provide! Thank you.

  • Lev Iurev

    @Ultra Graphics could you please provide us with more details?

  • Ultra Graphics

    I'm afraid I don't know enough to provide more details. However, I can try to expand on what I found upon further investigation after Jan 12th. I ended up restoring a server backup of everything but the /var/ folder to try to bring back a working chrooted SFTP, then tried using the reinstall method again including removal, update, and apply. Then I tried switching the subsystem in sshd_config from the /usr/libexec/openssh/sftp-server to internal-sftp, restarting ssh, then switching back, then restarting again. Either all those things (or some combination of any) caused the chroot to work again.

    Unfortunately, I don't know enough to know what actually fixed it, but I have an idea that it was the restored backup. After that, I tried to update Plesk to 17.5.3, and got an error in the log that led me to believe that it's the sftp-server that was causing the chroot issue (from the update log):

    Trying to install sftp-server binary into chroot environment... cp: cannot stat '/usr/libexec/openssh/sftp-server\r': No such file or directory
    done
    /var/www/vhosts/chroot/usr/libexec/openssh/sftp-server
    : cannot open (No such file or directory)
    probably it will not work in chrooted accounts

    Which led me down a completely different path of trying to figure out why. I'm now looking into the idea of using internal-sftp instead to see if I can get a more long-term reliable chroot for my customers, and I don't know that my issue was specifically related to the implementation of this support article. I appreciate you following up!

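The update log quoted in the comment above shows the sftp-server path ending in a carriage return (`\r`). The check below is an added example, not part of the comment and not Plesk's code; it assumes the path is taken from the `Subsystem sftp` line of an sshd_config-style file saved with CRLF line endings, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Plesk's code): find carriage returns in an
# sshd_config-style file. Function names and sample data are constructed.

# Print the numbers of all lines ending in a carriage return.
# Exit status: 0 if any were found, 1 if the file is clean.
cr_lines() {
    awk '/\r$/ { print NR; found = 1 } END { exit !found }' "$1"
}

# Print the path from the first "Subsystem sftp <path>" line as a script
# reading the file would see it; a trailing CR is shown as the text \r.
sftp_subsystem_path() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" {
             path = $3
             if (path ~ /\r$/) { sub(/\r$/, "", path); path = path "\\r" }
             print path
             exit
         }' "$1"
}

# Write a copy of the file to stdout with trailing carriage returns removed.
strip_trailing_cr() {
    awk '{ sub(/\r$/, ""); print }' "$1"
}

# Constructed sample: only the Subsystem line was saved with a CRLF ending.
sample=$(mktemp)
fixed=$(mktemp)
trap 'rm -f "$sample" "$fixed"' EXIT
printf 'Port 22\nSubsystem sftp /usr/libexec/openssh/sftp-server\r\nUsePAM yes\n' > "$sample"

if lines=$(cr_lines "$sample"); then
    printf '%s\n' "CR at end of line(s): $lines"
    printf '%s\n' "sftp path as read:    $(sftp_subsystem_path "$sample")"
fi

# Review the cleaned copy before replacing the real file and restarting sshd.
strip_trailing_cr "$sample" > "$fixed"
cr_lines "$fixed" > /dev/null || printf '%s\n' "cleaned copy has no trailing CRs"
printf '%s\n' "sftp path after fix:  $(sftp_subsystem_path "$fixed")"
```
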
  • Ivan Postnikov

    @Ultra Graphics

    Hi!

    As I can see, the described symptoms are different from the article.

    In case further investigation is required, contact Plesk Technical Support.

  • Marco Marsala

    Complex chrooted environments may break after an update (for example, 17.8.11 Update #84 on Ubuntu 16.04). After that, chrooted users cannot log in via SSH (they are immediately disconnected by the server after a successful login). My environment was created using ONLY the script provided in this KB article (I added some executables, devices, locales, termcap) so there is a bug somewhere! For posterity, update symptoms in this article and fix the root cause.

  • Francisco Garcia (Edited)

    Hi Marco Marsala,

    Could you please explain if only Plesk was upgraded? Or was there a distro upgrade as well?

  • Marco Marsala

    Just Plesk.

  • Danil Dmitrienko

    Hello @Marco Marsala

    For further detailed investigation please submit a request to Plesk Technical Support.

  • Lars Doe

    Seems like the script is not compatible with Debian Buster yet.

    I had to add "application/x-pie-executable" in install_chroot_program() to prevent the warning "... is not a program", that caused files like "bash" not to be copied.

    # file /usr/bin/bash
    /usr/bin/bash: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ffe165dc81a64aea2b05beda07aeda8ad71f1e7c, stripped

  • Mikhail Shport

    Hello Lars Doe,

    The script is compatible with Debian 10 in general. However, there was no support for the PIE binary.

    Such support has been added to the script. As of now, it should work properly for such cases.
