[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS)

bugzilla-daemon at mindrot.org
Fri Feb 9 19:19:00 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3662

--- Comment #10 from Miranda <daku8938 at gmx.de> ---
(In reply to Damien Miller from comment #9)
> Whether /dev/log can be a symlink is also up to the libc
> implementation. Nothing in OpenSSH limits the use of a symlink for
> /dev/log, but similarly we can't control whether the system will
> accept a symlink without rewriting syslog(3)

On modern Linux hosts with systemd (e.g. Ubuntu Server 18.04 and later)
the system's /dev/log (the real absolute OS filesystem path) is a
symlink to systemd's journal:
/dev/log -> /run/systemd/journal/dev-log

so at least that symlink is accepted. Not sure what that means for what
you write about libc. But I tested with a symlink of the chroot jail's
/dev/log to a destination outside the chroot jail, and I could not get
any log messages with syslog-ng from the symlink's destination. Would
be great if that could be made to work. Of course the sftp client would
need to be forbidden from creating that symlink itself, as otherwise that
would be a way to access files outside the chroot jail.

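The symlink experiment above depends on how the kernel resolves a symlink for a chrooted process: the target is looked up under the process's root, so an absolute target such as /run/systemd/journal/dev-log is re-rooted at the jail, and ".." at the jail root goes nowhere. The following is an added illustration, not code from the bug reporter or from OpenSSH; the function names are mine, and the jail and its symlinks are constructed in a temporary directory for the demonstration.

```python
import errno
import os
import tempfile


def resolve_in_chroot(jail: str, path: str, max_links: int = 40) -> str:
    """Return the host path that `path` refers to for a process chrooted
    into `jail`, following symlinks the way the kernel does for that process:
    symlink targets are read from the filesystem under `jail`, an absolute
    target is re-rooted at `jail`, and ".." at the jail root stays there.
    Raises OSError(ELOOP) after `max_links` symlink hops (a symlink loop).
    """
    jail = os.path.realpath(jail)
    todo = [c for c in path.split("/") if c not in ("", ".")]  # components left to resolve
    done = []  # jail-relative components resolved so far
    hops = 0
    while todo:
        comp = todo.pop(0)
        if comp == "..":
            if done:
                done.pop()
            continue  # ".." at the jail root is a no-op, exactly as under chroot(2)
        candidate = os.path.join(jail, *done, comp)
        if os.path.islink(candidate):  # lstat-based, so dangling links count too
            hops += 1
            if hops > max_links:
                raise OSError(errno.ELOOP, "too many levels of symbolic links", path)
            target = os.readlink(candidate)
            if target.startswith("/"):
                done = []  # absolute target: the chrooted process sees it under the jail, not host /
            todo = [c for c in target.split("/") if c not in ("", ".")] + todo
            continue
        done.append(comp)
    return os.path.join(jail, *done)


def demo() -> dict:
    """Build a throwaway jail (constructed here, not the reporter's real system)
    with the symlinks under discussion and resolve them from 'inside' the jail."""
    with tempfile.TemporaryDirectory() as jail:
        os.makedirs(os.path.join(jail, "dev"))
        # The reporter's experiment: jail /dev/log -> the host's systemd journal socket path.
        os.symlink("/run/systemd/journal/dev-log", os.path.join(jail, "dev", "log"))
        # What a client allowed to create symlinks might try: climb out with "..".
        os.symlink("../../../../etc/passwd", os.path.join(jail, "dev", "escape"))
        # A symlink loop, to exercise the ELOOP guard.
        os.symlink("loop", os.path.join(jail, "loop"))
        try:
            resolve_in_chroot(jail, "/loop")
            loop_result = "resolved"
        except OSError as e:
            loop_result = "ELOOP" if e.errno == errno.ELOOP else str(e)
        return {
            "jail": os.path.realpath(jail),
            "log": resolve_in_chroot(jail, "/dev/log"),
            "escape": resolve_in_chroot(jail, "/dev/escape"),
            "loop": loop_result,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both resolved paths stay under the jail: from inside the chroot, /dev/log points at <jail>/run/systemd/journal/dev-log, which normally does not exist, so nothing written to it reaches the host socket. A symlink created by the sftp client therefore cannot by itself leave a correctly set-up chroot; the hazard it poses is to host-side processes (backups, an NFS-mounted copy of the jail) that follow the link without the chroot in effect.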