Maybe one of you can help. We have set up a CentOS server so that each user who logs in via sftp will be jailed in their home directory. Here's the relevant sshd_config:

    # override default of no subsystems
    Subsystem       sftp    internal-sftp -f LOCAL2 -l INFO

    Match Group sftponly
            ChrootDirectory /home/%u
            ForceCommand internal-sftp

This actually works great, but none of the activities of sftponly group members is getting logged. The man page for sftp-server says:

"For logging to work, sftp-server must be able to access /dev/log. Use of sftp-server in a chroot configuration therefore requires that syslogd(8) establish a logging socket inside the chroot directory."

How do I establish a logging socket inside the chroot directory, when the chroot directory is different depending on which user is logging in at any given time? I don't want to run separate sockets in every customer's chroot directory, this is not practical.

Any ideas?
Lincoln Zuljewic Silva
2010-Feb-10 23:18 UTC
[CentOS] Syslog for chroot-jailed SFTP users?
Each user has their own jail? I solved a similar issue with jail and syslog adding a "-a /home/jail/dev/log" parameter to syslog startup.

From the syslogd man page:

    -a socket
        Using this argument you can specify additional sockets from that syslogd has to listen to. This is needed if you're going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. An example for a chroot() daemon is described by the people from OpenBSD at http://www.psionic.com/papers/dns.html.

Regards
Lincoln

On Wed, Feb 10, 2010 at 7:08 PM, Sean Carolan <scarolan at gmail.com> wrote:
--
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php
"How often must a question be asked before it's considered a frequently asked question?"
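Added example, not from either poster: a small script that applies the "-a socket" approach to the per-user chroots in the original question, building one syslogd "-a /home/<user>/dev/log" option per member of the sftponly group and creating the dev/ directory each socket needs. It assumes a sysklogd-style syslogd as on CentOS 5 (options taken from SYSLOGD_OPTIONS in /etc/sysconfig/syslog), chroots under /home/<user> as in the poster's sshd_config, and the 19-socket MAXFUNIX limit quoted from the man page; the group file path and base directory are parameters so it can be tried on a throwaway directory first.

```shell
#!/bin/sh
# Hard limit on extra sockets quoted from the syslogd man page (MAXFUNIX).
MAX_EXTRA_SOCKETS=19

# Print the members of a group, one per line. The group file path is a
# parameter (default /etc/group) so the script can be tested offline.
group_members() {
    grp=$1; file=${2:-/etc/group}
    awk -F: -v g="$grp" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$file"
}

# Read user names from stdin (one per line) and print the syslogd options
# "-a <base>/<user>/dev/log ..." for SYSLOGD_OPTIONS. Fail loudly instead of
# silently dropping users past the limit: a chroot without a socket is a user
# whose SFTP activity is never logged.
build_syslog_opts() {
    base=$1; n=0; opts=""
    while IFS= read -r u; do
        [ -n "$u" ] || continue
        n=$((n + 1))
        if [ "$n" -gt "$MAX_EXTRA_SOCKETS" ]; then
            echo "too many chroot users for one syslogd ($MAX_EXTRA_SOCKETS extra sockets max)" >&2
            return 1
        fi
        opts="$opts -a $base/$u/dev/log"
    done
    printf '%s\n' "${opts# }"
}

# Create <base>/<user>/dev for the socket. sshd requires the chroot root to be
# root-owned and not group/world-writable, so keep mode 755 on both levels
# (run as root on the real system so ownership ends up root:root).
prepare_chroot_dev() {
    base=$1; u=$2
    mkdir -p "$base/$u/dev" && chmod 755 "$base/$u" "$base/$u/dev"
}

# Typical use on the live system (requires root):
#   for u in $(group_members sftponly); do prepare_chroot_dev /home "$u"; done
#   group_members sftponly | build_syslog_opts /home   # paste into SYSLOGD_OPTIONS
```

Because the sshd_config in the question already sends sftp logging to facility LOCAL2, a matching local2.* line in syslog.conf collects all chroot users' transfers into one file once the sockets exist.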