Mailing List Archive

sftp-server logging under chroot & privilege separation
Hello:

We are using OpenSSH 5.3p1.

We are using this to host an SFTP drop-box. We have implemented chroot &
privilege separation.

For corporate security reasons, we are running sshd as an application ID
setuid root (long story - don't want to go into it here)

The issue we are noting is that we 'lose' SFTP logging of commands when
sshd is run normally.

When we run it in DEBUG, we see the SFTP commands in the log.

We suspected the chrooting/priv sep had something to do with it, however,
changing the sftp-server to be setuid root did not fix the issue.

Any ideas?


Thanks


Kevin J. Herman
Sr. Systems Analyst
EBMX [Electronic Business Message eXchange]
ITM - Procurement Systems

T/L 776-6793
O/L (248)576-6793
FAX (248)576-2185

CTC E3000-3S2E8
CIMS 483-01-19
LOC/DEPT: 1100-1721
Re: sftp-server logging under chroot & privilege separation
On 2010-3-8 7:53 PM, kjh26@chrysler.com wrote:
> We are using OpenSSH 5.3p1.
>
> We are using this to host an SFTP drop-box. We have implemented chroot &
> privilege separation.
> ... Any ideas?

Assuming the chroot is done via sshd_config and not the old way, here
are some things to look at:

+ turn off the SUID root - there is a way around whatever it was using
sudoer,
+ check that you have created a socket named /dev/log in the chroot
hierarchy,
+ check that syslogd, syslog-ng, or whathaveyou is using that socket,
+ check that the partition where the chroot directory resides is not
mounted with the nodev option.

"The ChrootDirectory must contain the necessary files
and directories to support the user's session ...
sessions which use logging do require /dev/log inside
the chroot directory"

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config


"Use of sftp-server in a chroot configuration therefore
requires that syslogd(8) establish a logging socket
inside the chroot directory."

http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server

Is that on Solaris, AIX, BSD or Linux?

Regards,
/Lars
Re: sftp-server logging under chroot & privilege separation
It might be an issue with /dev/log not existing in the chrooted
environment.

If you are running syslog-ng, you could tell it to open a second
Unix domain dgram socket. ("unix-dgram(/chroot/path/dev/log);")

On Mon, Mar 8, 2010 at 9:53 AM, <kjh26@chrysler.com> wrote:
> Hello:
>
> We are using OpenSSH 5.3p1.
>
> We are using this to host an SFTP drop-box.  We have implemented chroot &
> privilege separation.
>
> For corporate security reasons, we are running sshd as an application ID
> setuid root (long story - don't want to go into it here)
>
> The issue we are noting is that we 'lose' SFTP logging of commands when
> sshd is run normally.
>
> When we run it in DEBUG, we see the SFTP commands in the log.
>
> We suspected the chrooting/priv sep had something to do with it, however,
> changing the sftp-server to be setuid root did not fix the issue.
>
> Any ideas?
>
>
> Thanks
>
>
> Kevin J. Herman
> Sr. Systems Analyst
> EBMX [Electronic Business Message eXchange]
> ITM - Procurement Systems
>
> T/L 776-6793
> O/L (248)576-6793
> FAX (248)576-2185
>
> CTC E3000-3S2E8
> CIMS 483-01-19
> LOC/DEPT: 1100-1721
>
>



--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
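The two replies above both come down to the same thing: sftp-server calls syslog(3), which writes to a Unix datagram socket at /dev/log, and inside a ChrootDirectory that path does not exist unless the syslog daemon is told to bind an extra listener there. The following is an added example (Python, not code from anyone in this thread) that checks a chroot for that socket, binds a listener the way syslog-ng's extra unix-dgram() socket would, and shows a constructed sftp-server log line arriving through it; the chroot path, pid and log text are all made up for the demo.

```python
import os
import socket
import stat
import tempfile

def check_chroot_logging(chroot):
    """Why sftp-server's syslog() output vanishes: /dev/log missing or not a socket."""
    devlog = os.path.join(chroot, "dev", "log")
    try:
        st = os.lstat(devlog)
    except FileNotFoundError:
        return ["missing /dev/log inside chroot"]
    if not stat.S_ISSOCK(st.st_mode):
        return ["/dev/log exists but is not a socket"]
    return []

def open_chroot_log_socket(chroot):
    """Bind a Unix datagram socket at <chroot>/dev/log, as a syslog daemon with an extra listener would."""
    devdir = os.path.join(chroot, "dev")
    os.makedirs(devdir, exist_ok=True)
    path = os.path.join(devdir, "log")
    if os.path.lexists(path):
        os.unlink(path)          # stale socket left by a previous daemon run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    return srv

def recv_syslog(sock):
    """Receive one "<PRI>tag: text" datagram as syslog(3) sends it; return (facility, severity, text)."""
    data = sock.recv(4096).decode(errors="replace")
    end = data.index(">")
    pri = int(data[1:end])
    return pri // 8, pri % 8, data[end + 1:]

def demo():
    """Constructed walk-through: empty chroot fails the check, binding /dev/log fixes it, a line arrives."""
    chroot = tempfile.mkdtemp()          # stands in for the real ChrootDirectory
    before = check_chroot_logging(chroot)
    srv = open_chroot_log_socket(chroot)
    after = check_chroot_logging(chroot)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    # PRI 38 = facility 4 (auth) * 8 + severity 6 (info); the line itself is constructed
    cli.sendto(b'<38>sftp-server[123]: open "/upload/x.txt" flags WRITE',
               os.path.join(chroot, "dev", "log"))
    got = recv_syslog(srv)
    cli.close()
    srv.close()
    return before, after, got
```

On a real host the daemon, not this script, must own the socket; the check function is the part to run against the actual ChrootDirectory.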
Re: sftp-server logging under chroot & privilege separation
Hi Lars:

Thanks for the info.... we are running this on Solaris 9.

We are trying to stand up an OpenSSH SFTP server to integrate with our B2B
message hub. The Solaris SSH does not give us the flexibility we want to
run it.

The other problem we are having is that since we are an 'application
group', we are at the direction of the sys admins & corporate security for
how we need to implement this.

As for your points below:
==================


+ turn off the SUID root - there is a way around whatever it was using
sudoer
+ check that you have created a socket named /dev/log in the chroot
hierarchy
+ check that syslogd, syslog-ng, or whathaveyou is using that socket
/usr/sbin/syslogd


Thanks


Kevin J. Herman
Sr. Systems Analyst
EBMX [Electronic Business Message eXchange]
ITM - Procurement Systems

T/L 776-6793
O/L (248)576-6793
FAX (248)576-2185

CTC E3000-3S2E8
CIMS 483-01-19
LOC/DEPT: 1100-1721

Lars Nooden <lars.curator@gmail.com>
Sent by: listbounce@securityfocus.com
03/08/2010 05:46 PM

To: secureshell@securityfocus.com
cc:
Subject: Re: sftp-server logging under chroot & privilege separation

On 2010-3-8 7:53 PM, kjh26@chrysler.com wrote:
> We are using OpenSSH 5.3p1.
>
> We are using this to host an SFTP drop-box. We have implemented chroot &
> privilege separation.
> ... Any ideas?

Assuming the chroot is done via sshd_config and not the old way, here
are some things to look at:

+ turn off the SUID root - there is a way around whatever it was using
sudoer,
+ check that you have created a socket named /dev/log in the chroot
hierarchy,
+ check that syslogd, syslog-ng, or whathaveyou is using that socket,
+ check that the partition where the chroot directory resides is not
mounted with the nodev option.

"The ChrootDirectory must contain the necessary files
and directories to support the user's session ...
sessions which use logging do require /dev/log inside
the chroot directory"

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config


"Use of sftp-server in a chroot configuration therefore
requires that syslogd(8) establish a logging socket
inside the chroot directory."

http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server

Is that on Solaris, AIX, BSD or Linux?

Regards,
/Lars