YunoHost-Apps / my_webapp_ynh

Custom Web app with SFTP access
GNU General Public License v3.0

sftp connection doesn't work after webapp creation #79

Closed xoddark closed 2 years ago

xoddark commented 2 years ago

Describe the bug

A clear and concise description of what the bug is.

Context

Steps to reproduce

  1. On a domain (or subdomain), install the Custom Webapp application with SFTP access. Wait until it is finished, then:
  2. Tried to connect to the server with the webapp user and password. The password is accepted, but the connection is closed with (on the client): client_loop: send disconnect: Broken pipe

Expected behavior

The connection should work when webapp is installed.

Logs

On the server there is this sshd log :

journalctl 16:23:50 sshd[2856]: Connection from port 38674 on port 22
journalctl 16:23:55 sshd[2856]: Accepted password for my_webapp from 4 port 38674 ssh2
journalctl 16:23:55 sshd[2856]: pam_unix(sshd:session): session opened for user my_webapp by (uid=0)
journalctl 16:23:55 sshd[2856]: User child is on pid 2881
journalctl 16:23:55 sshd[2856]: pam_unix(sshd:session): session closed for user my_webapp

auth.log 16:23:55 xoddark sshd[2856]: Accepted password for my_webapp from port 38674 ssh2
auth.log 16:23:55 xoddark sshd[2856]: pam_unix(sshd:session): session opened for user my_webapp by (uid=0)
auth.log 16:23:55 xoddark systemd-logind[387]: New session 17 of user my_webapp.
auth.log 16:23:55 xoddark systemd: pam_unix(systemd-user:session): session opened for user my_webapp by (uid=0)
auth.log 16:23:55 xoddark sshd[2856]: User child is on pid 2881
auth.log 16:23:55 xoddark sshd[2881]: fatal: bad ownership or modes for chroot directory "/var/www/my_webapp"
auth.log 16:23:55 xoddark sshd[2856]: pam_unix(sshd:session): session closed for user my_webapp

The important line seems to be : fatal: bad ownership or modes for chroot directory "/var/www/my_webapp"

Manual fix :

When I took a look on the server, I saw these folder permissions:

drwxrwx---+ 3 root root 4096 Jan 16 15:05 my_webapp

Removing the group write permission fixed the issue. New permissions:

drwxr-x---+ 3 root root 4096 Jan 16 15:05 my_webapp

I suppose that ynh_system_user_create should remove group write access, or my_webapp should fix the permissions right after home folder creation.

harabat commented 2 years ago

Facing the same bug.

rozetkinrobot commented 2 years ago

Same bug :/

rozetkinrobot commented 2 years ago

Manual fix:

# chown -R my_webapp:www-data /var/www/my_webapp/www
# chmod 750 /var/www/my_webapp
# chmod 755 -R /var/www/my_webapp/www

tituspijean commented 2 years ago

I cannot replicate the issue on YunoHost v4.3.6.

Can you all share the output of the following commands?

ls -la /var/www/my_webapp
getfacl /var/www
getfacl /var/www/my_webapp

rozetkinrobot commented 2 years ago

Can you all share the output of the following commands?

# ls -la /var/www/my_webapp__3
drwxrwx---+  3 root         root     4096 Jan 27 18:10 .
drwxr-xr-x+ 10 root         root     4096 Jan 27 18:10 ..
drwxrwxrwx   2 my_webapp__3 www-data 4096 Jan 27 18:10 www

# getfacl /var/www
getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: root
# group: root
user::rwx
group::r-x
group:all_users:---
mask::r-x
other::r-x

# getfacl /var/www/my_webapp__3
getfacl: Removing leading '/' from absolute path names
# file: var/www/my_webapp__3
# owner: root
# group: root
user::rwx
group::rwx
group:www-data:r-x
group:my_webapp__3:r-x
mask::rwx
other::---

xoddark commented 2 years ago

@tituspijean I get the same result for the commands as @rozetkinrobot

xoddark commented 2 years ago

@tituspijean : Thank you

biphasic commented 1 year ago

Hello, unfortunately I'm running into a similar problem. When I try to login with the command sftp -i .ssh/id_rsa my_webapp@myserver.com

I get the following output on the client side:

Debian GNU/Linux 11
client_loop: send disconnect: Broken pipe
Connection closed

and the sshd log on the server says:

pam_unix(sshd:session): session opened for user my_webapp(uid=996) by (uid=0)
User child is on pid 1908005
fatal: bad ownership or modes for chroot directory component "/var/www/"

which is a bit strange because I thought it would maybe complain about bad ownership for /var/www/my_webapp but it complains about the parent directory.

The output of getfacl /var/www/my_webapp is

getfacl: Removing leading '/' from absolute path names
# file: var/www/my_webapp
# owner: my_webapp
# group: www-data
user::rwx
group::rwx          #effective:r-x
group:www-data:r-x
group:my_webapp:r-x
mask::r-x
other::---

and the output of getfacl /var/www is

getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: root
# group: root
user::rwx
group::rwx
group:all_users:---
mask::rwx
other::r-x

Do you have any idea what could be wrong here?

tituspijean commented 1 year ago

What about ls -la /var/www/my_webapp ?

biphasic commented 1 year ago

drwxr-x---+  4 my_webapp www-data 4096 Nov 27 19:14 .
drwxrwxr-x+  8 root      root     4096 Nov 27 19:13 ..
drwxr-xr-x   2 my_webapp www-data 4096 Nov 27 19:15 .ssh
drwxr-xr-x  21 my_webapp www-data 4096 Nov 27 19:15 www

biphasic commented 1 year ago

I fixed it! Using chmod 0755 /var/www

Now getfacl /var/www says

getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: root
# group: root
user::rwx
group::rwx          #effective:r-x
group:all_users:---
mask::r-x
other::r-x

The only difference I can see to before is the mask. Thanks for looking into it though!! :)
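
An added example, not part of the thread or of the my_webapp_ynh code: a POSIX shell check that applies the ChrootDirectory rule from sshd_config(5) (every component of the path must be a root-owned directory that is not writable by group or others) and prints the first component that fails, which is the one sshd names in its "bad ownership or modes" message. The function names, the optional owner-UID and start-directory arguments (present so the check can be tried in a scratch directory without root) and the scratch tree are assumptions; GNU `stat` is required.

```shell
#!/bin/sh
# Added example, not code from the thread or from my_webapp_ynh. Needs GNU stat.

# component_ok DIR UID
# True if DIR is a directory owned by UID with no group/other write bit.
# On a directory with ACL entries, stat reports the ACL mask as the group
# bits, so "mask::rwx" counts as group-writable here.
component_ok() {
    [ -d "$1" ] || return 1
    set -- "$1" "$2" $(stat -c '%u %a' "$1")
    [ "$3" = "$2" ] && [ $(( 0$4 & 022 )) -eq 0 ]
}

# first_bad_component DIR [UID] [START]
# Walks START, START/a, START/a/b ... down to DIR and prints the first
# component that fails component_ok (returns 1); prints nothing if all pass.
# UID defaults to 0 and START to /, which is the rule sshd applies; the two
# optional arguments are assumptions that allow a dry run without root.
first_bad_component() {
    dir=${1%/}; uid=${2:-0}; cur=${3:-/}
    cur=${cur%/}                      # "/" becomes the empty prefix
    rest=${dir#"$cur"}; rest=${rest#/}
    component_ok "${cur:-/}" "$uid" || { echo "${cur:-/}"; return 1; }
    while [ -n "$rest" ]; do
        cur=$cur/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        component_ok "$cur" "$uid" || { echo "$cur"; return 1; }
    done
    return 0
}

# Constructed scratch tree with the modes shown in the thread.
demo() {
    base=$(mktemp -d); me=$(id -u)
    mkdir -p "$base/www/my_webapp"
    chmod 755 "$base/www"
    chmod 770 "$base/www/my_webapp"   # drwxrwx---, as first reported
    first_bad_component "$base/www/my_webapp" "$me" "$base" || true
    chmod 750 "$base/www/my_webapp"   # group write removed
    first_bad_component "$base/www/my_webapp" "$me" "$base" && echo "all components pass"
    rm -rf "$base"
}
demo
```

On a real host, call `first_bad_component /var/www/my_webapp` with no extra arguments so that every component from `/` down is checked against UID 0.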