[Bug 3662] New: Make logging of chrooted sftp sessions possible internally routed to local file, without /dev/log device

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Feb 1 23:37:49 AEDT 2024 

https://bugzilla.mindrot.org/show_bug.cgi?id=3662

            Bug ID: 3662
           Summary: Make logging of chrooted sftp sessions possible
                    internally routed to local file, without /dev/log
                    device
           Product: Portable OpenSSH
           Version: 9.6p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sftp-server
          Assignee: unassigned-bugs at mindrot.org
          Reporter: daku8938 at gmx.de

Problem:

Abstract:
If you have two or more sftp-servers and the sftp user's home directory
is on one nfs share (exported by a third party NFS server), you have to
make a local bind mount over each chrooted user's /dev/log file to be
able to log the sftp sessions on all sftp servers.
If you have now 1000 or more users and therefore 1000 or more local
bind units, the system becomes slow because it does not scale.
(see e.g. https://github.com/systemd/systemd/issues/31137)

So it would be great if the sftp session log of a user session could be
routed internally directly e.g. to a local file "/var/log/sftp/%u.log"

Here the problem and the current ugly and non-scaling inperformant
workaround. You can see it also here:
https://unix.stackexchange.com/questions/666641/howto-log-multiple-sftpd-servers-activity-which-users-chrooted-home-is-on-shar

I have an Ubuntu server with sftpd running where /var/data/chroot/ is
an NFS mount from a remote central NFS server, and each sftpd user's
chroot home is /var/data/chroot/<username>/ and every user has a log
device /var/data/chroot/<username>/dev/log which I read in successfully
with syslog-ng:

source s_chroot_<username>    {
unix-stream("/var/data/chroot/<username>/dev/log" optional(yes) ); };
destination d_sftp_<username> { file("/var/log/sftp/<username>.log");
};

Now I have a second sftpd server in parallel, with the same user
database and also mounts /var/data/chroot/ via NFS, and has the same
syslog-ng config, so every user can login on the one server or on the
other. This is for high availability. This works so far.

What is not working now is the sftpd logging: The sftp user's log is
only available on one sftp server exclusively, and that is the one
where syslog-ng was started least, because as I understand it takes the
exclusive unix socket file lock for each user's /dev/log.

So, if a user logs in on the first server, where syslog-ng was started
least, the user's sftp activity is logged on the first server. But if
the user logs in on the second server, it's sftp activity is not
logged, neither on the second nor on the first server.

If the syslog-ng is then restarted on the second server, the sftp
user's activity is exclusively logged only on the second server and
only for logins on the second server.

My ugly workaround for this is the following:

Create a local directory under which user subdirectories are created:
sudo mkdir /var/data/dev For very username <username> and the user's
primary group <groupname> do the following:

sudo mkdir             /var/data/dev/<username>
sudo chmod 550         /var/data/dev/<username>       # This
restrictive permission is a requirement I think
sudo chgrp <groupname> /var/data/dev/<username>       # so the user can
read the directory
So the new directory is exactly the same as the existing
/var/data/chroot/<username>/dev directory (which is on the nfs mount
/var/data/chroot/).

Then do mount --bind /var/data/dev/<username>
/var/data/chroot/<username>/dev so /var/data/chroot/<username>/dev is
now effectively local on the sftp server, not anymore on nfs mount.

Then change the syslog-ng config

from

source s_chroot_<username> {
unix-stream("/var/data/chroot/<username>/dev/log" optional(yes) ); };

to

source s_chroot_<username> { unix-stream("/var/data/dev/<username>/log"
optional(yes) ); };

(this is not strictly needed, but I think it's nice having syslog-ng
definitely now only reading from local file, guaranteed not from nfs
mount anymore)

Whether the user logs in on the one sftp server or the other, syslog-ng
can now log the sftp session on the affected sftp server.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list