kopano-admin / kopano-cli in chroot jail?

  • Hello,

    I have the following task to give a (non-privileged) user ssh access to our server, so that he can create, modify and delete kopano accounts on his own via the command line interface tools. But the constraint is, that this user should have no access to other areas of the server and should stay in his home folder at best.

    First of all I thought, I could create a chroot environment. I copied the binary and the libs (according to ldd) to the respective folders, but it’s not working (executed in the chroot environment):

    $ kopano-admin 
    kopano-admin: /usr/lib/libkcssl.so.0: version 'KC_8.5.6' not found (required by kopano-admin)
    /usr/sbin/kopano-admin: /usr/lib/libkcarchiver.so.0: version 'KC_8.5.6' not found (required by /usr/sbin/kopano-admin)
    $ ll /usr/lib/libkcssl.so.0
    lrwxrwxrwx 1 0 0 17 Sep  3 13:08 /usr/lib/libkcssl.so.0 -> libkcssl.so.0.0.0
    $ ll /usr/lib/libkcssl.so.0.0.0 
    -rw-r--r-- 1 0 0 39984 Sep  4 13:57 /usr/lib/libkcssl.so.0.0.0

    So is the chroot jail a possible solution at all? Are there any better options for the task?

    The server is running under Ubuntu 16.04. with the db_plugin. Switching to LDAP is not an option.

  • You seem to be having a mismatching libkcarchiver.so.0 that is not actually from 8.5.6.

    So is the chroot jail a possible solution at all?

    I see no impedients to it. kopano-admin can run unprivileged, and it can connect either via filesystem-based socket, or HTTPS with a SSL certificate (to authenticate as the Kopano Admin).