02-10-2010, 08:08 PM
Sean Carolan

Syslog for chroot-jailed SFTP users?

Maybe one of you can help. We have set up a CentOS server so that
each user who logs in via sftp will be jailed in their home directory.
Here's the relevant sshd_config:

# override default of no subsystems
Subsystem sftp internal-sftp -f LOCAL2 -l INFO

Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp

This actually works great, but none of the activities of sftponly
group members is getting logged. The man page for sftp-server says:

"For logging to work, sftp-server must be able to access /dev/log.
Use of sftp-server in a chroot configuration therefore requires that
syslogd(8) establish a logging socket inside the chroot directory."

How do I establish a logging socket inside the chroot directory, when
the chroot directory is different depending on which user is logging
in at any given time? I don't want to run separate sockets in every
customer's chroot directory, this is not practical.

Any ideas?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
02-10-2010, 10:18 PM
Lincoln Zuljewic Silva

Syslog for chroot-jailed SFTP users?

Each user has their own jail?

I solved a similar issue with jail and syslog adding a "-a
/home/jail/dev/log" parameter to syslog startup.

From the syslogd man page:
-a socket
Using this argument you can specify additional sockets from that
syslogd has to listen to. This is needed if you're going to let
some daemon run within a chroot() environment. You can use up
to 19 additional sockets. If your environment needs even more,
you have to increase the symbol MAXFUNIX within the syslogd.c
source file. An example for a chroot() daemon is described by
the people from OpenBSD at
http://www.psionic.com/papers/dns.html.

Regards
Lincoln




--
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php

"How often must a question be asked before it’s considered a
frequently asked question?"
 
02-10-2010, 10:39 PM
Sean Carolan

Syslog for chroot-jailed SFTP users?

> I solved a similar issue with jail and syslog adding a "-a
> /home/jail/dev/log" parameter to syslog startup.

In our environment the chroot jail is /home/username. Does this mean
we need a /home/username/dev/log for each and every user? If the
daemon is chroot'd to /home/username wouldn't this be the case?
 
02-10-2010, 10:45 PM
Lincoln Zuljewic Silva

Syslog for chroot-jailed SFTP users?

If you have:
/home/username01/[etc,dev,tmp,bin,lib]
/home/username02/[etc,dev,tmp,bin,lib]
/home/username03/[etc,dev,tmp,bin,lib]
/home/username04/[etc,dev,tmp,bin,lib]

I believe you will need:
syslogd -a "/home/username01/dev/log" -a "/home/username02/dev/log"
-a "/home/username03/dev/log" -a "/home/username04/dev/log" - or
something like this. I don't know the syntax for multiple "-a"...

Regards
Lincoln



--
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php

"How often must a question be asked before it’s considered a
frequently asked question?"
 
02-10-2010, 10:47 PM
nate

Syslog for chroot-jailed SFTP users?

Sean Carolan wrote:

> In our environment the chroot jail is /home/username. Does this mean
> we need a /home/username/dev/log for each and every user? If the
> daemon is chroot'd to /home/username wouldn't this be the case?

Yes..

nate

 
02-11-2010, 07:57 AM
Sean Carolan

Syslog for chroot-jailed SFTP users?

> I believe you will need:
> syslogd -a "/home/username01/dev/log" -a "/home/username02/dev/log"
> -a "/home/username03/dev/log" -a "/home/username04/dev/log" - or
> something like this. I don't know the syntax for multiple "-a"...

This seems very impractical, both from a security standpoint and the
fact that you are limited to only 19 users. Is there any other means
to accomplish detailed sftp logging while users are chroot'd to their
home directories?
 
