Hi,

there is a long-standing problem with logging in chroots. Especially when you use %u in ChrootDirectory, it is nearly impossible to have /dev/log in every possible chroot for all users.

It seems to be important mainly for sftp-internal sessions, which are simply configurable to be chrooted and where admins would like to log sftp session commands.

I have put together a patch which introduces a new configuration option LogViaMonitor. When this option is 'yes', then postauth unprivileged processes log via their monitor process instead of via standard channels (syslog, stderr).

I've removed closefrom() from close_child_fds() in order not to close the m_log_send_fd socket before sftp_server_main() is called. And I've put it in a part of the code where it's clear that there will be an exec().

I'd appreciate any comment or suggestion.

Petr

--
Petr Lautrbach

-------------- next part --------------
A non-text attachment was scrubbed...
Name: log-via-monitor.patch
Type: text/x-patch
Size: 10936 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141001/ab8af223/attachment-0001.bin>
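The mechanism the patch describes, as an added illustration that is not the OpenSSH patch itself nor any OpenSSH code: the unprivileged post-auth child has no /dev/log inside its chroot, so it writes each log record over a pre-opened socketpair (standing in for m_log_send_fd) and the privileged monitor, which still owns the syslog connection, re-emits it. The wire format (one level byte, a two-byte length, the message), the function names and the sftp-style sample messages are assumptions constructed for this example. The monitor side is where the trust boundary lies, so it rejects out-of-range priorities and oversized frames and neutralises control characters, which keeps a compromised child from injecting fake lines into the log.

```c
/* Added example, not OpenSSH code: a minimal "log via monitor" channel.
 * Wire format (assumed for this example): 1 byte syslog level,
 * 2 byte big-endian length, then the message bytes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>

#define LOG_MSG_MAX 1024

struct log_record { int level; char msg[LOG_MSG_MAX + 1]; };

/* Loop until all bytes are written; a socketpair may accept partial writes. */
static int write_all(int fd, const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Loop until all bytes are read; EOF (child exited) is reported as -1. */
static int read_all(int fd, void *buf, size_t len) {
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Child (chrooted, unprivileged) side: send one record to the monitor.
 * No syslog() here: /dev/log does not exist inside the chroot. */
int child_log_send(int fd, int level, const char *msg) {
    size_t n = strlen(msg);
    if (n > LOG_MSG_MAX) n = LOG_MSG_MAX;          /* truncate, never overflow */
    unsigned char hdr[3] = { (unsigned char)level,
                             (unsigned char)(n >> 8), (unsigned char)(n & 0xff) };
    if (write_all(fd, hdr, sizeof hdr) < 0) return -1;
    return write_all(fd, msg, n);
}

/* Monitor (privileged) side: read and validate one record.
 * Returns 0 on success, -1 on EOF, error or a malformed frame. */
int monitor_log_recv(int fd, struct log_record *rec) {
    unsigned char hdr[3];
    if (read_all(fd, hdr, sizeof hdr) < 0) return -1;
    int level = hdr[0];
    size_t n = ((size_t)hdr[1] << 8) | hdr[2];
    /* The child is untrusted: only plain priorities 0..7, bounded length. */
    if (level > LOG_DEBUG || n > LOG_MSG_MAX) return -1;
    if (read_all(fd, rec->msg, n) < 0) return -1;
    rec->msg[n] = '\0';
    rec->level = level;
    /* Neutralise control characters so a child cannot forge extra log lines. */
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)rec->msg[i] < 0x20 || rec->msg[i] == 0x7f) rec->msg[i] = '?';
    return 0;
}

/* Exercises the channel in-process; returns 0 if every check passes. */
int self_check(void) {
    int sv[2];
    struct log_record rec;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (child_log_send(sv[1], LOG_INFO, "open \"/a\"") < 0) return -2;
    if (monitor_log_recv(sv[0], &rec) < 0 || rec.level != LOG_INFO ||
        strcmp(rec.msg, "open \"/a\"") != 0) return -3;
    if (child_log_send(sv[1], LOG_WARNING, "x\ny") < 0) return -4;   /* injected newline */
    if (monitor_log_recv(sv[0], &rec) < 0 || strcmp(rec.msg, "x?y") != 0) return -5;
    if (child_log_send(sv[1], 99, "bad level") < 0) return -6;       /* out-of-range level */
    if (monitor_log_recv(sv[0], &rec) != -1) return -7;
    close(sv[0]); close(sv[1]);
    return 0;
}

int main(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid == 0) {
        close(sv[0]);   /* child keeps only its send end (cf. m_log_send_fd) */
        /* A real sshd would chroot(2) and drop privileges here. Constructed sample messages: */
        child_log_send(sv[1], LOG_INFO, "open \"/upload/report.csv\" flags WRITE,CREATE,TRUNCATE");
        child_log_send(sv[1], LOG_INFO, "close \"/upload/report.csv\" bytes read 0 written 4096");
        _exit(0);
    }
    close(sv[1]);
    openlog("log-via-monitor-demo", LOG_PID, LOG_AUTH);
    struct log_record rec;
    while (monitor_log_recv(sv[0], &rec) == 0) {
        syslog(rec.level, "%s", rec.msg);   /* monitor owns the syslog socket */
        printf("[monitor] level=%d %s\n", rec.level, rec.msg);
    }
    closelog();
    waitpid(pid, NULL, 0);
    return 0;
}
```

The parent reads until the child closes its end, so the child's exit is what ends the loop; in the real patch the descriptor must likewise survive close_child_fds() (hence the removed closefrom()) or the channel is gone before sftp_server_main() ever logs anything.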
On 10/01/2014 03:33 PM, Petr Lautrbach wrote:
> Hi,
>
> there is a long-standing problem with logging in chroots. Especially
> when you use %u in ChrootDirectory, it is nearly impossible to have
> /dev/log in every possible chroot for all users.
>
> It seems to be important mainly for sftp-internal sessions, which are
> simply configurable to be chrooted and where admins would like to log
> sftp session commands.
>
> I have put together a patch which introduces a new configuration option
> LogViaMonitor. When this option is 'yes', then postauth unprivileged
> processes log via their monitor process instead of via standard channels
> (syslog, stderr).
>
> I've removed closefrom() from close_child_fds() in order not to close
> the m_log_send_fd socket before sftp_server_main() is called. And I've put
> it in a part of the code where it's clear that there will be an exec().
>
> I'd appreciate any comment or suggestion.
>

Ping? Do you have any comments, objections or hints?

Thanks,
Petr

--
Petr Lautrbach