
Mailing List Archive: OpenSSH: Dev

Can not capture internal-sftp process log in syslog

 

 



rudupa at easylink

May 7, 2012, 12:32 PM

Post #1 of 5 (1225 views)

Hi,

I am trying to use internal-sftp to limit sftp-only access to a set of users.

I have set sshd_config as follows
sshd_config
===========
Subsystem sftp internal-sftp -f LOCAL0 -l VERBOSE
Match group ftp
ChrootDirectory /sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -f LOCAL0 -l VERBOSE
Match

I am able to access internal-sftp and run sftp sessions properly.

But I am not able to capture the logging written by the internal-sftp process.

My syslog config settings are
/etc/syslog/syslog
==================
SYSLOGD_OPTIONS="-m 0 -a /sftp/sftp.log.socket"

syslog.conf
===========
In addition, syslog.conf has
local7.debug /var/log/sftp.log
# Save boot messages also to boot.log
local7.* /var/log/boot.log

I am running Red Hat 6 (2.6.9) in a VM environment and I am using openssh 5.9.

I need help in capturing internal-sftp process log in syslogs.

Thanks,
Raghu
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


dtucker at zip

May 7, 2012, 8:15 PM

Post #2 of 5 (1181 views)

On Mon, May 07, 2012 at 07:32:39PM +0000, Raghu Udupa wrote:
> I am trying to use internal-sftp to limit sftp only access to a set of users.
[...]
> SYSLOGD_OPTIONS="-m 0 -a /sftp/sftp.log.socket"

The code in syslog(3) is probably trying to open /dev/log within the
chroot. Try -a /sftp/dev/log, and if that fails try strace'ing the sshd
process to see where it's looking.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


rudupa at easylink

May 8, 2012, 1:15 PM

Post #3 of 5 (1185 views)

Thanks Darren.

I captured the strace. I am getting the error "Too many levels of symbolic links" while trying to connect to /dev/log.

connect(7, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 ELOOP (Too many levels of symbolic links)
close(7) = 0

my chrooted dir is /sftp/sftptest
/dev/log is linked to /sftp/sftptest/dev/log

Here is the detailed strace:

close(5) = 0
getuid32() = 0
setgid32(50) = 0
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 5
read(5, "65536\n", 31) = 6
close(5) = 0
open("/etc/group", O_RDONLY) = 5
fcntl64(5, F_GETFD) = 0
fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
fstat64(5, {st_mode=S_IFREG|0644, st_size=670, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f29000
_llseek(5, 0, [0], SEEK_CUR) = 0
read(5, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 670
read(5, "", 4096) = 0
close(5) = 0
munmap(0xb7f29000, 4096) = 0
setgroups32(1, [50]) = 0
stat64("/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat64("/sftp/", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
stat64("/sftp/sftptest", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
chdir("/sftp/sftptest") = 0
chroot("/sftp/sftptest") = 0
chdir("/") = 0
time(NULL) = 1336507416
stat64("/etc/localtime", 0xbfef6420) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_DGRAM, 0) = 5
fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
connect(5, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 ELOOP (Too many levels of symbolic links)
close(5) = 0
getuid32() = 0
getgid32() = 50
time(NULL) = 1336507416



keisial at gmail

May 8, 2012, 2:46 PM

Post #4 of 5 (1176 views)

On 08/05/12 22:15, Raghu Udupa wrote:
> Thanks Darren.
>
> I captured the strace. I am getting the error "Too many levels of symbolic links" while trying to connect to /dev/log
>
> connect(7, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 ELOOP (Too many levels of symbolic links)
> close(7) = 0
>
> my chrooted dir is /sftp/sftptest
> /dev/log is linked to /sftp/sftptest/dev/log
I think /dev/log is not linked to /sftp/sftptest/dev/log, but
/sftp/sftptest/dev/log points to /dev/log.

Obviously, once you're in the /sftp/sftptest chroot, the /dev/log seen
from the inside is the same as the outside /sftp/sftptest/dev/log.
In other words, it has become a symlink to itself (thus it fails with
ELOOP).

You should either make them hard links (but you should probably recreate
them on each reboot), instruct syslogd to also listen on the chroot
/dev/log, or mount --bind the two /dev/log.



peter at stuge

May 8, 2012, 3:15 PM

Post #5 of 5 (1171 views)

Raghu Udupa wrote:
> my chrooted dir is /sftp/sftptest
> /dev/log is linked to /sftp/sftptest/dev/log

Do it the other way around.

Make syslogd listen on a real socket at /sftp/sftptest/dev/log

Symlink /dev/log (outside the chroot) to /sftp/sftptest/dev/log

Or, make syslogd listen to both sockets, if yours can.


//Peter
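The self-referencing symlink diagnosed in the replies above can be detected before users hit it. The script below is an added example, not part of the original thread: it resolves <chroot>/dev/log the way a process sees it after chroot(2), where an absolute symlink target is looked up again from the chroot root. The function name check_chroot_devlog is hypothetical, and only symlinks in the final path component are followed (relative targets are assumed not to climb above the chroot with "..").

```shell
#!/bin/sh
# Added example: classify <chroot>/dev/log as a chrooted internal-sftp
# process would see it when syslog(3) connects to /dev/log.

MAX_HOPS=40   # Linux follows at most 40 symlinks in one lookup, then ELOOP

# check_chroot_devlog CHROOT
# Prints one of: socket, eloop, missing, not-socket.
# Returns 0 only when a socket is reachable at /dev/log inside the chroot.
check_chroot_devlog() {
    root=${1%/}
    path=/dev/log            # path as seen from inside the chroot
    hops=0
    while [ -L "$root$path" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt "$MAX_HOPS" ]; then
            echo eloop       # e.g. dev/log -> /dev/log, which is itself
            return 1
        fi
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;                     # absolute: re-rooted at chroot
            *)  path=$(dirname "$path")/$target ;;  # relative to the link's dir
        esac
    done
    if [ -S "$root$path" ]; then
        echo socket
    elif [ -e "$root$path" ]; then
        echo not-socket
        return 1
    else
        echo missing
        return 1
    fi
}

# Usage: sh check_devlog.sh /sftp/sftptest
[ "$#" -eq 0 ] || check_chroot_devlog "$1"
```

A result of "socket" only shows that something is listening-capable at that path; whether syslogd writes the chosen facility to a file is a separate check of syslog.conf.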
