Enabling Siteworx Shell user

Hi all,
I have enabled shell access for a Siteworx user, logged in, run a command, logged out, then disabled access in Siteworx, but for some reason I can’t change the Shell environment from /bin/bash back to /sbin/nologin for some reason that option is no longer there? Is this normal?

Any help / suggestions much appreciated.

Hi nico

I would open a support ticket with IW and let them have a look

It is likely a bug and I believe this is on a IW-CP v7

I really need to load v7 when I have time

Hope that helps a little

Many thanks

John

Hi John @d2d4j ,
Sorry forgot to mention it is a Siteworx 6.9.0 server
Nico

Hello–

Where are you trying to change the shell user back? Is it in NodeWorx under SiteWorx > Shell Users? Could you provide a screenshot of the dropdown?

Thanks,
-Jenna

Hi Jenna

Yes, if you change from

Nodeworx, siteworx, shell, chose a user, tick box and goto bottom and select change shell - you will see there is no nologin selection shown as an option

You do not need to save the change to see the missing selection option

I can do a screenshot but will be late afternoon or early evening or if nico has time, perhaps nico would be so kind

Many thanks

John

@IWorx-Jenna, @d2d4j
Hi Jenna, yes that’s correct in Nodeworx, Siteworx, Shell users,. see attachment.
image
kind regards,
Nico

How odd. I cannot reproduce that on my test server running 6.9.0. I changed a user’s shell to /bin/bash, logged in via SSH with it, ran a command (tailed a log), logged out, and then looked at the shell options for that account. nologin is listed (granted this is a different theme, but that should not affect anything).

Silly question, but they are 100% logged out of the command line, correct?

If so, submit a support ticket, I’ll take a closer look for you.

1 Like

@IWorx-Jenna, @d2d4j

No silly question :slight_smile:
It happens on two 6.9.0 version servers and both use a different theme [ Heliotrope, Blue Steel ]
Seems to me you have more shell options, are you using a v7.0 server?
Nico

Hi

@IWorx-Jenna @Nico as Nico says, I do not think it is theme, however, it doeas appear to only happen on Centos 7. I have just checked a Centos 6 and it is shown as an option to select.

I have quickly opened a support ticket so you can check if it helps and if @nico has not opened a ticket already

Many thanks

John

Hello!

Nope, that’s 6.9.0 on EL7 (the GUI in IW7 looks totally completely different). I checked my two other IW6 test servers as well, same thing–nologin is listed after changing the shell to something else, even on my EL6 boxes. I did notice that you have fewer options listed, as well, which is also odd.

The only thing I can think of that might be a little different is that my test servers have been around for a really long time–the installations are a few years old. I think I created them back when IW 5 was a thing, so at least three, if not four years. Yours may be newer installs, and sometimes bugs pop up in new(er) installs that don’t in established servers.

I spun up a new IW6 server and I see exactly what you are talking about, and was able to reproduce, there. So it seems to be an issue with newer installs, though I have no idea what version it might have popped up in. I’ll submit a bug report for the issue. Thanks so much for bringing it up! I have a meeting with the devs in about a half hour (2pm EST) so I’ll ask if there might be a workaround that can be used. No guarantees, though worth the ask. :slight_smile:

1 Like

Hi

@IWorx-Jenna @Nico

We do not allow user SSH and I believe nico operates the same

Also, they can be disabled so there is no rush and hopefully push out a fix

Many thanks

John

As a note, I checked and this issue is also in IW7, so there is that, as well.

@IWorx-Jenna
True, as said in the beginning I enabled run the command, disabled…no rush for me, but nice if you can fix it.
Kind reggards,
Nico

Brandon just found this little tidbit–looks like it might be a CentOS level thing, not a IW specific thing. It looks like there was a security issue with nologin being listed in /etc/shells, and so it was removed: https://access.redhat.com/errata/RHSA-2018:3249

From the code and it looks like we just dump /etc/shells, which is provided by the OS, to get a list of available shells.

It is still odd that my established test servers has it listed, while a new one does not, even with the same CentOS version. However, it could be a case where the update just updated for new installs of the OS, but did not remove the shell on existing installs.

[[email protected] ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[[email protected] ~]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
/bin/tcsh
/bin/csh
/usr/sbin/jk_chrootsh
[[email protected] ~]#

vs

[[email protected] ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[[email protected] ~]# cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/sbin/jk_chrootsh
[[email protected] ~]#

I brought it up with the devs and they’re going to look further into it but nothing solid at this point. But it looks like we found the culprit! :slight_smile:

2 Likes

Hi @IWorx-Jenna,
I was wondering what needs to be done to get it added the nologin script seems to be there, see this:

#cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

#cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/sbin/jk_chrootsh

#ls -al /sbin/nologin
-rwxr-xr-x 1 root root 7176 Feb 2 16:31 /sbin/nologin

I have seen this security issue from 2018, just wonder if it is fixed or that they removed it only from the etc/shell and not the file in question, half done job? confusing er…

Kind regards,
Nico

Hello–

I don’t have an answer at this time, though I did bump the ticket with the devs and they’re looking into it. I’ll let you know when I have more info.

-Jenna

Hi again!

Answer faster than I thought–the fix is actually in 7.4.1, which is currently in the Release Candidate channel. The ticket still was marked as open because the dev just forgot to update it with a release note/that it was closed.

7.4.1 should be pushed to Release, soon (within the next week or so, barring anything odd that might pop up, though we have not had any bug reports logged against it). Or you could update now by changing the Update channel to Release Candidate in NodeWorx under Server > Software Updates.

Thanks,
-Jenna

Hi @IWorx-Jenna Jenna,
That;s fast :slight_smile: could you make it also available in the 6.9.0 servers please?
Kind regards,
Nico

Hello–

I talked to the devs, and they’re going to release a hotfix for IW6 with the fix. I don’t know the specific time it will be released but if not today(Fri), than most likely by Monday. :slight_smile:

-Jenna

Hi @IWorx-Jenna Jenna, thanks ever so much, much appreciated.

This morning 06/03 I noticed the hotfix-6/9/0/1810-28 Many thanks all fine now :slight_smile:
Nico