Jochen Bern
2021-Sep-22 11:06 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
On 22.09.21 11:18, David Newall wrote:
> On Tue, 21 Sep 2021, Hildegard Meier wrote:
>> So, if a user logs in on the first server, where syslog-ng was started
>> last, the user's sftp activity is logged on the first server.
>> But if the user logs in on the second server, its sftp activity is
>> not logged, neither on the second nor on the first server.
>
> Forward the log entries on both machines to a log host.

Considering that server B is not logging *at all* right now, I doubt that it'll have anything to forward to a log host, either.

The problem *presumably* is that the syslogd on server A has put some sort of file lock on the device that propagates through the NFS server and interferes with syslogd on server B using it. One solution might be to reconfigure the syslogd's to use a method of locking that does *not* propagate through NFS. I'm afraid I don't know syslog-ng well enough to advise on that. Then there's the possibility of reconfiguring *NFS* to stop the forwarding, but "breaking" file locking on NFS is, of course, a can of worms of possible side effects ...

(Bind) mounting a local .../dev over the NFS-shared chroot dirtree ... ought to work, but complicates unmounting/remounting, which was already enough of a hair-puller in failure scenarios when I last worked with NFS.

What do the chrooted users have for a homedir *within* the chroot? Would it be possible to have /var/data/chroot be a local FS and mount only /var/data/chroot/home from the NFS server? (If there are files that you need to keep identical on both servers, e.g., under /var/data/chroot/etc, you can still symlink those to some special subdir like /var/data/chroot/home/ETC to put the actual data onto the NFS share.)

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
Stuart Henderson
2021-Sep-24 11:53 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
On 2021/09/22 13:06, Jochen Bern wrote:
> What do the chrooted users have for a homedir *within* the chroot? Would it
> be possible to have /var/data/chroot be a local FS and mount only
> /var/data/chroot/home from the NFS server? (If there are files that you need
> to keep identical on both servers, e.g., under /var/data/chroot/etc, you can
> still symlink those to some special subdir like /var/data/chroot/home/ETC to
> put the actual data onto the NFS share.)

The description was for /var/data/chroot/<username>/dev/log, i.e. each user has their own separate chroot. So this type of approach would require mounting a local fs of some sort over the top of each user's dir, which soon gets messy.

This is amongst the reasons why OpenBSD has the sendsyslog(2) syscall, https://man.openbsd.org/sendsyslog.2 - the syslog daemon opens a kernel socket to receive those messages, and processes which want to write a log entry just call the standard syslog functions, which use sendsyslog(2) rather than /dev/log, so it works even through FD exhaustion, in chroot, and with syscall filters that prohibit filesystem access.

Not entirely pleasant, but I suppose it could alternatively be done by using a LD_PRELOAD wrapper to override syslog functions (I think just syslog_r is probably enough for openssh) and have them send over a network socket instead.
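What the LD_PRELOAD wrapper sketched above can look like on a glibc/Linux host, as an added example written for this page; it is not code from OpenSSH, syslog-ng or either poster. The shim overrides openlog()/syslog()/vsyslog() (plus the __syslog_chk/__vsyslog_chk entry points that a binary built with _FORTIFY_SOURCE calls instead of syslog()) and ships each entry as an RFC 3164 style UDP datagram, so no /dev/log is needed inside the per-user chroot. The file name syslog_shim.c, the environment variable names SYSLOG_SHIM_HOST and SYSLOG_SHIM_PORT, the default destination 127.0.0.1:514 and the shim_* helper names are this example's own assumptions:

```c
/* syslog_shim.c: LD_PRELOAD shim that replaces the libc syslog() family with
 * a version that sends every entry as an RFC 3164 style UDP datagram, so a
 * chrooted sftp session does not need a working /dev/log inside its chroot.
 * Added example for this page, not code from OpenSSH, syslog-ng or the posters.
 * Build:  gcc -O2 -Wall -shared -fPIC -o syslog_shim.so syslog_shim.c
 * Run:    SYSLOG_SHIM_HOST=192.0.2.10 SYSLOG_SHIM_PORT=514 \
 *         LD_PRELOAD=/usr/local/lib/syslog_shim.so /usr/sbin/sshd -D
 * (SYSLOG_SHIM_HOST / SYSLOG_SHIM_PORT are names invented for this example.) */
#undef _FORTIFY_SOURCE   /* keep glibc from inlining syslog() into __syslog_chk() in this file */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>

static int shim_fd = -1;              /* UDP socket, opened before sshd chroots */
static int shim_facility = LOG_USER;  /* default facility, changed by openlog() */
static char shim_ident[64] = "syslog_shim";
static struct sockaddr_in shim_dst;

/* PRI = facility | severity. The <syslog.h> facility constants are already
 * shifted (LOG_AUTHPRIV == 10<<3), so no extra shift is needed. A facility
 * encoded in the priority argument overrides the openlog() default, as in libc. */
int shim_pri(int facility, int priority)
{
    int fac = (priority & LOG_FACMASK) ? (priority & LOG_FACMASK) : facility;
    return (priority & LOG_PRIMASK) | fac;
}

/* Builds "<PRI>TIMESTAMP IDENT[PID]: MSG"; returns its length, or -1 if buf is too small. */
int shim_format(char *buf, size_t size, int pri, const char *stamp,
                const char *ident, long pid, const char *msg)
{
    int n = snprintf(buf, size, "<%d>%s %s[%ld]: %s", pri, stamp, ident, pid, msg);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* RFC 3164 timestamp in UTC: the chroot has no /etc/localtime and the shim
 * must not depend on anything from the chroot's filesystem. */
static void shim_stamp(char *out, size_t size)
{
    time_t now = time(NULL);
    struct tm *tm = gmtime(&now);      /* sshd is single-threaded, so gmtime() is safe here */
    strftime(out, size, "%b %e %H:%M:%S", tm);
}

/* Runs when the library is mapped, i.e. at exec() of sshd and therefore
 * before chroot(): read the target from the environment and open the socket
 * once. Only a numeric address is accepted, because getaddrinfo() would need
 * resolver files that do not exist inside the chroot. */
__attribute__((constructor)) static void shim_init(void)
{
    const char *host = getenv("SYSLOG_SHIM_HOST");   /* hypothetical variable name */
    const char *port = getenv("SYSLOG_SHIM_PORT");   /* hypothetical variable name */
    memset(&shim_dst, 0, sizeof shim_dst);
    shim_dst.sin_family = AF_INET;
    shim_dst.sin_port = htons(port ? (unsigned short)atoi(port) : 514);
    if (inet_pton(AF_INET, host ? host : "127.0.0.1", &shim_dst.sin_addr) == 1)
        shim_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
}

/* ---- overrides of the libc entry points ---- */
void openlog(const char *ident, int option, int facility)
{
    (void)option;
    if (ident)
        snprintf(shim_ident, sizeof shim_ident, "%s", ident);
    if (facility)
        shim_facility = facility;
}

void closelog(void) { /* the socket stays open for the life of the process */ }

void vsyslog(int priority, const char *fmt, va_list ap)
{
    char msg[1024], stamp[32], dgram[1200];
    vsnprintf(msg, sizeof msg, fmt, ap);
    shim_stamp(stamp, sizeof stamp);
    int n = shim_format(dgram, sizeof dgram, shim_pri(shim_facility, priority),
                        stamp, shim_ident, (long)getpid(), msg);
    if (n > 0 && shim_fd >= 0)   /* UDP: a lost or refused datagram is silently dropped */
        (void)sendto(shim_fd, dgram, (size_t)n, MSG_NOSIGNAL,
                     (struct sockaddr *)&shim_dst, sizeof shim_dst);
}

void syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsyslog(priority, fmt, ap);
    va_end(ap);
}

/* Binaries built with _FORTIFY_SOURCE call these instead of syslog()/vsyslog(). */
void __vsyslog_chk(int priority, int flag, const char *fmt, va_list ap)
{
    (void)flag;
    vsyslog(priority, fmt, ap);
}

void __syslog_chk(int priority, int flag, const char *fmt, ...)
{
    va_list ap;
    (void)flag;
    va_start(ap, fmt);
    vsyslog(priority, fmt, ap);
    va_end(ap);
}
```

Because LD_PRELOAD is resolved when sshd is exec'd, the library and the socket its constructor opens exist before the session child calls chroot(), so nothing here touches the chroot's /dev or /etc; sshd started from init is not setuid, so the dynamic loader honours LD_PRELOAD for it. The log host has to accept UDP syslog from both servers (for syslog-ng, a udp source), and since it is plain UDP an entry that is lost in transit is gone: if that matters, point the shim at a local syslog-ng on each server that forwards with TCP or TLS.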