[CentOS] Syslog for chroot-jailed SFTP users?

2010-02-10 Thread Sean Carolan
Maybe one of you can help.  We have set up a CentOS server so that
each user who logs in via sftp will be jailed in their home directory.
 Here's the relevant sshd_config:

# override default of no subsystems
Subsystem       sftp    internal-sftp -f LOCAL2 -l INFO

Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp

This actually works great, but none of the activities of sftponly
group members is getting logged.  The man page for sftp-server says:

"For logging to work, sftp-server must be able to access /dev/log.
Use of sftp-server in a chroot configuration therefore requires that
syslogd(8) establish a logging socket inside the chroot directory."

How do I establish a logging socket inside the chroot directory, when
the chroot directory is different depending on which user is logging
in at any given time?  I don't want to run separate sockets in every
customer's chroot directory, this is not practical.

Any ideas?
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Syslog for chroot-jailed SFTP users?

2010-02-10 Thread Lincoln Zuljewic Silva
Each user has their own jail?

I solved a similar issue with jail and syslog adding a "-a
/home/jail/dev/log" parameter to syslog startup.

From the syslogd man page:
   -a socket
          Using this argument you can specify additional sockets from that
          syslogd has to listen to.  This is needed if you're going to let
          some daemon run within a chroot() environment.  You can use up
          to 19 additional sockets.  If your environment needs even more,
          you have to increase the symbol MAXFUNIX within the syslogd.c
          source file.  An example for a chroot() daemon is described by
          the people from OpenBSD at http://www.psionic.com/papers/dns.html.

Regards
Lincoln


On Wed, Feb 10, 2010 at 7:08 PM, Sean Carolan  wrote:
> Maybe one of you can help.  We have set up a CentOS server so that
> each user who logs in via sftp will be jailed in their home directory.
>  Here's the relevant sshd_config:
>
> # override default of no subsystems
> Subsystem       sftp    internal-sftp -f LOCAL2 -l INFO
>
> Match Group sftponly
>        ChrootDirectory /home/%u
>        ForceCommand internal-sftp
>
> This actually works great, but none of the activities of sftponly
> group members is getting logged.  The man page for sftp-server says:
>
> "For logging to work, sftp-server must be able to access /dev/log.
> Use of sftp-server in a chroot configuration therefore requires that
> syslogd(8) establish a logging socket inside the chroot directory."
>
> How do I establish a logging socket inside the chroot directory, when
> the chroot directory is different depending on which user is logging
> in at any given time?  I don't want to run separate sockets in every
> customer's chroot directory, this is not practical.
>
> Any ideas?

-- 
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php

"How often must a question be asked before it’s considered a
frequently asked question?"


Re: [CentOS] Syslog for chroot-jailed SFTP users?

2010-02-10 Thread Sean Carolan
> I solved a similar issue with jail and syslog adding a "-a
> /home/jail/dev/log" parameter to syslog startup.

In our environment the chroot jail is /home/username.  Does this mean
we need a /home/username/dev/log for each and every user?   If the
daemon is chroot'd to /home/username wouldn't this be the case?


Re: [CentOS] Syslog for chroot-jailed SFTP users?

2010-02-10 Thread Lincoln Zuljewic Silva
If you have:
/home/username01/[etc,dev,tmp,bin,lib]
/home/username02/[etc,dev,tmp,bin,lib]
/home/username03/[etc,dev,tmp,bin,lib]
/home/username04/[etc,dev,tmp,bin,lib]

I believe you will need:
syslogd -a "/home/username01/dev/log"  -a "/home/username02/dev/log"
-a "/home/username03/dev/log"  -a "/home/username04/dev/log" - or
something like this. I don't know the syntax for multiple "-a"...

Regards
Lincoln

On Wed, Feb 10, 2010 at 9:39 PM, Sean Carolan  wrote:
>> I solved a similar issue with jail and syslog adding a "-a
>> /home/jail/dev/log" parameter to syslog startup.
>
> In our environment the chroot jail is /home/username.  Does this mean
> we need a /home/username/dev/log for each and every user?   If the
> daemon is chroot'd to /home/username wouldn't this be the case?


Re: [CentOS] Syslog for chroot-jailed SFTP users?

2010-02-10 Thread nate
Sean Carolan wrote:

> In our environment the chroot jail is /home/username.  Does this mean
> we need a /home/username/dev/log for each and every user?   If the
> daemon is chroot'd to /home/username wouldn't this be the case?

Yes..

nate



Re: [CentOS] Syslog for chroot-jailed SFTP users?

2010-02-11 Thread Sean Carolan
> I believe you will need:
> syslogd -a "/home/username01/dev/log"  -a "/home/username02/dev/log"
> -a "/home/username03/dev/log"  -a "/home/username04/dev/log" - or
> something like this. I don't know the syntax for multiple "-a"...

This seems very impractical, both from a security standpoint and the
fact that you are limited to only 19 users.   Is there any other means
to accomplish detailed sftp logging while users are chroot'd to their
home directories?
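The following script is an added worked example and is not code from any post in this thread. It covers the per-user socket scheme Lincoln describes (one `-a /home/<user>/dev/log` per sftponly member) and Sean's two objections to it: it refuses to generate more sockets than sysklogd's 19-socket ceiling, and it generates the equivalent rsyslog `imuxsock` configuration, which has no such ceiling, as an alternative. It also emits the sshd_config Match block with the `-f LOCAL2 -l INFO` flags repeated on the `ForceCommand` line, because the flags given on the `Subsystem` line are not applied to a forced `internal-sftp`, whose default log level is ERROR. Everything beyond the thread is an assumption: that the sysklogd limit is its default `MAXFUNIX` of 19, that the options belong in `SYSLOGD_OPTIONS` in `/etc/sysconfig/syslog`, that rsyslog's legacy `$AddUnixListenSocket` directive is available, and that the installed OpenSSH accepts arguments after `ForceCommand internal-sftp`. The `sftponly_members` helper needs a real `/etc/group`; the user names used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: prepare the per-user chroot
# /dev directories the replies describe and generate the matching syslog
# and sshd configuration. Assumptions (not stated on the page): the
# sysklogd ceiling is its default MAXFUNIX of 19 extra sockets, the
# options go into SYSLOGD_OPTIONS in /etc/sysconfig/syslog, and rsyslog's
# imuxsock module is available as an alternative without that ceiling.

MAXFUNIX=19   # sysklogd's compiled-in limit on extra -a sockets

# Supplementary members of the sftponly group, as listed in /etc/group.
# Needs a real system; the demo below uses constructed user names instead.
sftponly_members() {
    getent group "${1:-sftponly}" | cut -d: -f4 | tr ',' ' '
}

# Create <base>/<user>/dev for each user. syslogd creates the socket
# itself at startup, but the directory must exist first. OpenSSH refuses a
# ChrootDirectory that is not root-owned or is group/world writable, so
# the modes are set here and ownership is fixed when running as root.
prepare_chroot_dev() {
    base=$1; shift
    for u in "$@"; do
        mkdir -p "$base/$u/dev" || return 1
        chmod 755 "$base/$u" "$base/$u/dev" || return 1
        [ "$(id -u)" -eq 0 ] && chown root:root "$base/$u" "$base/$u/dev"
    done
    return 0
}

# Emit the -a options for sysklogd, one socket per user, refusing to
# exceed MAXFUNIX (sysklogd ignores any socket beyond that count).
sysklogd_options() {
    base=$1; shift
    if [ "$#" -gt "$MAXFUNIX" ]; then
        echo "sysklogd_options: $# sockets exceed MAXFUNIX=$MAXFUNIX" >&2
        return 1
    fi
    opts=""
    for u in "$@"; do
        opts="$opts -a $base/$u/dev/log"
    done
    printf '%s\n' "${opts# }"
}

# Emit an rsyslog fragment (legacy directive syntax) listening on the same
# sockets; imuxsock has no 19-socket limit.
rsyslog_fragment() {
    base=$1; shift
    echo '$ModLoad imuxsock'
    for u in "$@"; do
        echo "\$AddUnixListenSocket $base/$u/dev/log"
    done
}

# sshd_config for the sftponly group. The -f/-l flags on the Subsystem
# line are not applied to a forced internal-sftp, whose default level is
# ERROR, so the flags are repeated on the ForceCommand line.
sshd_match_block() {
    cat <<'EOF'
Subsystem   sftp    internal-sftp -f LOCAL2 -l INFO

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp -f LOCAL2 -l INFO
EOF
}

# After restarting syslog: list users whose chroot has no live socket yet.
missing_sockets() {
    base=$1; shift
    for u in "$@"; do
        [ -S "$base/$u/dev/log" ] || echo "$u"
    done
    return 0
}

# Print the generated configuration for two constructed users.
if [ "${1:-}" = "--demo" ]; then
    sysklogd_options /home username01 username02
    rsyslog_fragment /home username01 username02
    sshd_match_block
fi
```

Run it with `--demo` to see the generated options; in use, the `sysklogd_options` output goes into `SYSLOGD_OPTIONS` and the `rsyslog_fragment` output into an rsyslog config file, followed by a syslog restart and a `missing_sockets` pass to confirm every jail now has its `/dev/log`.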