Jochen Bern
2021-Sep-26 19:11 UTC
Aw: Re: Howto log multiple sftpd instances with their chroot shared via NFS
On 24.09.21 16:37, Hildegard Meier wrote:
> More ideas appreciated, since it would be really important for us
> to have a solution for that.

OK. This is a behavior I see (and use) on a CentOS SFTP server, but I have no idea how portable it is to other distribs, so just give it a try:

> # egrep '^[^#]*( mand|sftp)' /etc/ssh/sshd_config
> Subsystem sftp internal-sftp
> Match group mandanten
> ForceCommand internal-sftp -l INFO -u 0077
>
> # ls -al ~lvinq4/dev
> insgesamt 0
> drwx--x---. 2 root mandanten  6 20. Mai 17:25 .
> drwxr-x---. 5 root mandanten 54 24. Aug 15:38 ..

As you can see, the chroots have an *empty* /dev subdir, but logging *still works*, apparently because the chrooted process just keeps using the system-central /dev/log it opened *before* chroot()ing.

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
Peter Stuge
2021-Sep-26 20:20 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
Jochen Bern wrote:
> OK. This is a behavior I see (and use) on a CentOS SFTP server, but I
> have no idea how portable it is to other distribs, so just give it a try:
>
> > # egrep '^[^#]*( mand|sftp)' /etc/ssh/sshd_config
> > Subsystem sftp internal-sftp
> > Match group mandanten
> > ForceCommand internal-sftp -l INFO -u 0077
> >
> > # ls -al ~lvinq4/dev
> > insgesamt 0
> > drwx--x---. 2 root mandanten  6 20. Mai 17:25 .
> > drwxr-x---. 5 root mandanten 54 24. Aug 15:38 ..
>
> As you can see, the chroots have an *empty* /dev subdir, but logging
> *still works*, apparently because the chrooted process just keeps using
> the system-central /dev/log it opened *before* chroot()ing.

I think that works specifically because *no* new process is created when using internal-sftp as opposed to executing the sftp-server binary.

If syslog-ng can be made to reliably route internal-sftp messages to user-specific log files then this approach would work well in Hildegard's setup and would be a lot more pleasant than messing with LD_PRELOAD.

//Peter
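An added example, not from this thread, that audits the sshd_config pattern Jochen quotes against Peter's point: for every Match block that sets ChrootDirectory it reports whether the forced command is the in-process internal-sftp with an explicit -l level, or an external sftp-server that would need /dev/log inside the chroot. The sample config is constructed (only the "mandanten" block's lines come from the mail); parse_sshd_config and audit_chroot_logging are names chosen here.

```python
import re
import shlex
# Constructed sshd_config modelled on the fragment quoted in the thread: the
# "mandanten" block comes from the mail, the "partners" block is assumed.
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
Match group mandanten
    ChrootDirectory %h
    ForceCommand internal-sftp -l INFO -u 0077
Match group partners
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
"""
KEYVAL = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # 'Key value' or 'Key=value'

def parse_sshd_config(text):
    """Return (global settings, [(match criteria, block settings), ...]); comments
    go as in the quoted egrep ('^[^#]*'), a repeated keyword keeps its first value."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = KEYVAL.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()  # keywords are case-insensitive
        if key == "match":
            blocks.append((value, current := {}))
            continue
        (global_settings if current is None else current).setdefault(key, value)
    return global_settings, blocks

def audit_chroot_logging(text):
    """For each chrooting Match block, report whether SFTP runs in-process
    (internal-sftp, which keeps sshd's /dev/log) with an explicit -l level."""
    global_settings, blocks = parse_sshd_config(text)
    verdicts = {}
    for criteria, settings in blocks:
        if "chrootdirectory" not in settings:
            continue
        if "forcecommand" in settings:
            argv = shlex.split(settings["forcecommand"])
        else:  # fall back to 'Subsystem sftp <command>', dropping the name 'sftp'
            argv = shlex.split(global_settings.get("subsystem", ""))[1:]
        if argv[:1] != ["internal-sftp"]:
            verdicts[criteria] = "external sftp-server: needs /dev/log inside the chroot"
        elif "-l" not in argv[:-1]:
            verdicts[criteria] = "internal-sftp without -l: default level ERROR logs no transfers"
        else:
            verdicts[criteria] = "ok: internal-sftp -l " + argv[argv.index("-l") + 1]
    return verdicts
```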