[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Nov 7 18:49:13 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3662

Geert van de Kamp <ghvdkamp at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ghvdkamp at gmail.com

--- Comment #12 from Geert van de Kamp <ghvdkamp at gmail.com> ---
(In reply to Miranda from comment #11)
> (In reply to Damien Miller from comment #3)
> > you shouldn't need a /dev/log socket with internal-sftp, it logs via
> > the privileged monitor sshd process that runs without chroot
> 
> It would be a solution for the chroot log device problem to use the
> log from the privileged monitor sshd process that you mention here,
> but only if each sftp user's session log line has a unique,
> identifiable log line prefix.
> 
> My suggestion for a solution:
> Change the current log prefix
> 
> " internal-sftp[<PID>]: "
> 
> to
> 
> " internal-sftp[<PID>][<username>]: "
> 
> E.g. change
> " internal-sftp[12345]: "
> to
> " internal-sftp[12345][myusername]: "
> 
> E.g. here is an example of a session with file upload:
> 
> Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: session
> opened for local user myuser from [10.7.2.100]
> Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: open
> "/file.txt" flags WRITE,CREATE,TRUNCATE mode 0644
> Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: close
> "/file.txt" bytes read 0 written 44
> Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: session
> closed for local user myuser from [10.7.2.100]
> 
> With that it would be possible to reliably filter out the session
> log lines for each sftp user.
> 
> Please check and comment if this could be a solution for you.

I experience this exact issue and, after Googling a bit, I bumped into
this thread. For me, the workaround that Miranda has implemented
should be workable. I have to deal with about 20 accounts, so very much
doable.

I was just wondering, is it possible to have internal-sftp add a
syslog tag?

Something like:

ForceCommand internal-sftp -l INFO -t "my-tag"

The tag could then be picked up by syslog-ng or rsyslog (in my case).

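As an added illustration of the per-user filtering that comment #11 is after (this is example code, not anything from the bug or from OpenSSH): a small parser for the proposed `internal-sftp[<PID>][<username>]:` prefix that groups lines per user, falls back to the `session opened` line when the prefix carries no username (the current format), and sums bytes uploaded per user from the `close` lines. The log lines are constructed from the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the prefix format proposed in comment #11,
# plus one line in the current internal-sftp[<PID>]: format (no username).
SAMPLE_LOG = """\
Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: session opened for local user myuser from [10.7.2.100]
Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: open "/file.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: close "/file.txt" bytes read 0 written 44
Feb 13 14:37:31 10.1.2.3 internal-sftp[16070][otheruser]: session opened for local user otheruser from [10.7.2.101]
Feb 13 14:37:32 10.1.2.3 internal-sftp[16070][otheruser]: open "/data.bin" flags READ mode 0644
Feb 13 14:37:32 10.1.2.3 internal-sftp[16070][otheruser]: close "/data.bin" bytes read 1024 written 0
Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: session closed for local user myuser from [10.7.2.100]
Feb 13 14:37:33 10.1.2.3 internal-sftp[16099]: session opened for local user legacyuser from [10.7.2.102]
"""

# Prefix: timestamp, host, internal-sftp[PID] and an optional [username].
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"internal-sftp\[(?P<pid>\d+)\](?:\[(?P<user>[^\]]+)\])?: (?P<msg>.*)$"
)
OPENED_RE = re.compile(r"^session opened for local user (?P<user>\S+) from")
CLOSE_RE = re.compile(r'^close "[^"]*" bytes read \d+ written (?P<written>\d+)$')

def parse_line(line):
    """Split one syslog line into fields; None if it is not an internal-sftp line."""
    m = LINE_RE.match(line)
    return None if m is None else {**m.groupdict(), "pid": int(m.group("pid"))}

def lines_by_user(log_text):
    """Group lines per user. The proposed prefix names the user on every line;
    the current prefix only does so in 'session opened', so pid -> user is kept."""
    pid_to_user, grouped = {}, defaultdict(list)
    for line in log_text.splitlines():
        d = parse_line(line)
        if d is None:
            continue
        if d["user"] is None:  # current format: learn the user from the session line
            m = OPENED_RE.match(d["msg"])
            if m:
                pid_to_user[d["pid"]] = m.group("user")
            d["user"] = pid_to_user.get(d["pid"], "unknown")
        grouped[d["user"]].append(d)
    return dict(grouped)

def bytes_written(log_text, user):
    """Sum bytes uploaded by one user, taken from that user's 'close' lines."""
    total = 0
    for d in lines_by_user(log_text).get(user, []):
        m = CLOSE_RE.match(d["msg"])
        total += int(m.group("written")) if m else 0
    return total
```

The PID fallback only works while the `session opened` line is in the window being searched and PIDs are not reused in it, which is exactly the gap the per-line username (or a per-user tag) would close.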