Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Bugs
[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS)
bugzilla-daemon at mindrot
Feb 6, 2024, 6:39 AM
Post #1 of 5 (106 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3662

Miranda <daku8938@gmx.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
Summary|Enhance sftp-server with a |Provide chrooted sftp users
|parameter to customize the |dedicated session log
|name of the log device |without /dev/log unix
|(currently fix /dev/log) |socket in users chroot jail
| |(that does not work when
| |chroot jail is shared
| |between multiple sftp
| |servers e.g. via NFS)

--- Comment #8 from Miranda <daku8938@gmx.de> ---
@Damien Very sad that the fix /dev/log name is burried so deep in the
code.

An alternative minimal-invasive solution would be to to allow to follow
symlink if /dev/log in user's chroot jail is a symlink to a local file.

Give the /usr/lib/sftp-server program a new parameter

-L <0=do not allow to follow /dev/log if it's a symlink out of jail
(default) | 1=follow if /dev/log is a symlink out of jail>

(so, this would be the same concept as now with the bind mount, only to
be a symlink, so the performance and scaling problem would be solved)

In my case that would be the symlink:

/var/data/chroot/<username>/dev/log -> /var/data/dev/<username>


Best way I could imagine would be to provide /usr/lib/sftp-server
program a new parameter

-L <user log file wit %u being username macro>

e.g. so one could set

"ForceCommand internal-sftp -L /var/log/sftp/%u.log"

I can understand that it is not easy for you to change something here,
but please also understand that we need a solution. It seems like we
are a really rare user that operates OpenSSH SFTP as a HA cluster
having the user's chroot shared via NFS, and therefore the user logging
with exclusive lock on /dev/log in chroot does not work. Otherwise this
isse must have been reportet already long time ago.

Any solution welcome, if we could only have one. Thanks

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS) [ In reply to ]
bugzilla-daemon at mindrot
Feb 6, 2024, 7:29 AM
Post #2 of 5 (106 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3662

Miranda <daku8938@gmx.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
Priority|P5 |P3
Severity|enhancement |normal

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS) [ In reply to ]
bugzilla-daemon at mindrot
Feb 6, 2024, 3:25 PM
Post #3 of 5 (106 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3662

--- Comment #9 from Damien Miller <djm@mindrot.org> ---
Whether /dev/log can be a symlink is also up to the libc
implementation. Nothing in OpenSSH limits the use of a symlink for
/dev/log, but similarly we can't control whether the system will accept
a symlink without rewriting syslog(3)

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS) [ In reply to ]
bugzilla-daemon at mindrot
Feb 9, 2024, 12:19 AM
Post #4 of 5 (99 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3662

--- Comment #10 from Miranda <daku8938@gmx.de> ---
(In reply to Damien Miller from comment #9)
> Whether /dev/log can be a symlink is also up to the libc
> implementation. Nothing in OpenSSH limits the use of a symlink for
> /dev/log, but similarly we can't control whether the system will
> accept a symlink without rewriting syslog(3)

On modern Linux hosts with systemd (e.g. Ubuntu Server 18.04 and later)
the system's /dev/log (the real absolute OS filesystem path) is a
symlink to systemd's journal:
/dev/log -> /run/systemd/journal/dev-log

so at least that symlink is accepted. Not sure what that means for what
you write about libc. But I tested with a symlink of chroot jail's
/dev/log to a destiantion out of the chroot jail, but I could not get
any log messages with syslog-ng from the symlink's destination. Would
be great if that could be made work. Of course the sftp client would
need to be forbidden to create that symlink itself, as otherwise that
would be a possibility to access files out of chroot jail.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS) [ In reply to ]
bugzilla-daemon at mindrot
Feb 13, 2024, 5:45 AM
Post #5 of 5 (82 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3662

--- Comment #11 from Miranda <daku8938@gmx.de> ---
(In reply to Damien Miller from comment #3)
> you shouldn't need a /dev/log socket with internal-sftp, it logs via
> the privileged monitor sshd process that runs without chroot

It would be a solution for the chroot log device problem, to use the
log from the privileged monitor sshd process that you mention here, but
only if each sftp user's session log line has a unique identifiable log
line prefix.

My suggestion for a solution:
Change the current log prefix

" internal-sftp[<PID>]: "

to

" internal-sftp[<PID>][<username>]: "

E.g. change
" internal-sftp[12345]: "
to
" internal-sftp[12345][myusername]: "

E.g. here an example of a session with file upload:

Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: session opened
for local user myuser from [10.7.2.100]
Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: open "/file.txt"
flags WRITE,CREATE,TRUNCATE mode 0644
Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: close
"/file.txt" bytes read 0 written 44
Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: session closed
for local user myuser from [10.7.2.100]

With that it would be possible to reliably filter out the session log
lines for each sftp user.

Please check and comment if this could be a solution for you.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal