[Bug 3662] Provide chrooted sftp users dedicated session log without /dev/log unix socket in users chroot jail (that does not work when chroot jail is shared between multiple sftp servers e.g. via NFS)
bugzilla-daemon at mindrot.org
Thu Nov 7 18:49:13 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3662
Geert van de Kamp <ghvdkamp at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ghvdkamp at gmail.com
--- Comment #12 from Geert van de Kamp <ghvdkamp at gmail.com> ---
(In reply to Miranda from comment #11)
> (In reply to Damien Miller from comment #3)
> > you shouldn't need a /dev/log socket with internal-sftp, it logs via
> > the privileged monitor sshd process that runs without chroot
>
> It would be a solution for the chroot log device problem, to use the
> log from the privileged monitor sshd process that you mention here,
> but only if each sftp user's session log line has a unique
> identifiable log line prefix.
>
> My suggestion for a solution:
> Change the current log prefix
>
> " internal-sftp[<PID>]: "
>
> to
>
> " internal-sftp[<PID>][<username>]: "
>
> E.g. change
> " internal-sftp[12345]: "
> to
> " internal-sftp[12345][myusername]: "
>
> E.g. here is an example of a session with file upload:
>
> Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: session
> opened for local user myuser from [10.7.2.100]
> Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: open
> "/file.txt" flags WRITE,CREATE,TRUNCATE mode 0644
> Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: close
> "/file.txt" bytes read 0 written 44
> Feb 13 14:37:30 10.1.2.3 internal-sftp[16066][myuser]: session
> closed for local user myuser from [10.7.2.100]
>
> With that it would be possible to reliably filter out the session
> log lines for each sftp user.
>
> Please check and comment if this could be a solution for you.
I experience this exact issue and after Googling a bit, I bumped into
this thread. For me, the workaround that Miranda has implemented
should be workable. I have to deal with about 20 accounts, so very much
doable.
I was just wondering, is it possible to let internal-sftp add a
syslog tag?
Something like:
ForceCommand internal-sftp -l INFO -t "my-tag"
The tag could then be picked up by syslog-ng or rsyslog (in my case).
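As an added illustration (not code from this thread, nor from OpenSSH), a small Python parser that attributes internal-sftp syslog lines to users: it accepts both the current "internal-sftp[PID]:" prefix, where the user must be inferred from the PID via the "session opened" line, and the "[PID][user]" prefix Miranda proposes, which makes that inference unnecessary. The sample lines, user names and PIDs are constructed, modelled on the session quoted above.

```python
import re
from collections import defaultdict

# Accepts both the current "internal-sftp[PID]:" prefix and the
# "internal-sftp[PID][user]:" prefix proposed in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) internal-sftp"
    r"\[(?P<pid>\d+)\](?:\[(?P<user>[^\]]+)\])?: (?P<msg>.*)$"
)
OPENED_RE = re.compile(r"^session opened for local user (?P<user>\S+) from ")
CLOSE_RE = re.compile(r'^close "[^"]+" bytes read \d+ written (?P<w>\d+)')

def attribute_lines(lines):
    """Return {user: [(pid, msg), ...]}.

    Lines carrying the proposed [user] tag are attributed directly.  Lines in
    the current format are attributed by PID via the last 'session opened'
    line seen for that PID; a PID with no open session on record goes to
    '<unknown>', which is exactly the gap the proposed prefix closes.
    """
    pid_user = {}                  # pid -> user for sessions currently open
    by_user = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # not an internal-sftp line
        pid, user, msg = m.group("pid"), m.group("user"), m.group("msg")
        if user is None:           # current format: infer the user from PID
            opened = OPENED_RE.match(msg)
            if opened:
                pid_user[pid] = opened.group("user")
            user = pid_user.get(pid, "<unknown>")
        by_user[user].append((pid, msg))
        if msg.startswith("session closed"):
            pid_user.pop(pid, None)  # PIDs get reused; drop the mapping
    return dict(by_user)

def bytes_written(lines, user):
    """Sum the 'written' counts from a user's close lines."""
    total = 0
    for _, msg in attribute_lines(lines).get(user, []):
        c = CLOSE_RE.match(msg)
        if c:
            total += int(c.group("w"))
    return total

# Constructed sample modelled on the session quoted in the thread (not real logs).
SAMPLE = [
    'Feb 13 14:37:30 10.1.2.3 internal-sftp[16066]: session opened for local user alice from [10.7.2.100]',
    'Feb 13 14:37:30 10.1.2.3 internal-sftp[16066]: close "/file.txt" bytes read 0 written 44',
    'Feb 13 14:37:31 10.1.2.3 internal-sftp[16066]: session closed for local user alice from [10.7.2.100]',
    'Feb 13 14:40:02 10.1.2.3 internal-sftp[16066]: open "/other.txt" flags READ',
    'Feb 13 14:41:00 10.1.2.3 internal-sftp[17001][carol]: close "/report.csv" bytes read 0 written 1024',
]
```

The fourth sample line reuses PID 16066 after alice's session closed with no "session opened" line in view, so it cannot be attributed in the current format; with the proposed prefix it would carry the user directly.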