Howto log multiple sftpd instances with their chroot shared via NFS

Stuart Henderson stu at spacehopper.org
Fri Sep 24 21:53:01 AEST 2021


On 2021/09/22 13:06, Jochen Bern wrote:
> What do the chrooted users have for a homedir *within* the chroot? Would it
> be possible to have /var/data/chroot be a local FS and mount only
> /var/data/chroot/home from the NFS server? (If there are files that you need
> to keep identical on both servers, e.g., under /var/data/chroot/etc, you can
> still symlink those to some special subdir like /var/data/chroot/home/ETC to
> put the actual data onto the NFS share.)

The description was for /var/data/chroot/<username>/dev/log i.e. each
user has their own separate chroot. So this type of approach would
require mounting a local fs of some sort over the top of each user's dir
which soon gets messy.

This is amongst the reasons why OpenBSD has the sendsyslog(2) syscall,
https://man.openbsd.org/sendsyslog.2 - the syslog daemon opens a
kernel socket to receive those messages, and processes which want to
write a log entry just call the standard syslog functions which use
sendsyslog(2) rather than /dev/log, so it works even through FD
exhaustion, in chroot, and with syscall filters that prohibit
filesystem access.

Not entirely pleasant but I suppose it could alternatively be done by
using a LD_PRELOAD wrapper to override syslog functions (I think just
syslog_r is probably enough for openssh) and have them send over a
network socket instead.
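As an added example (not code from the thread or from OpenSSH), one shape the LD_PRELOAD idea in the last paragraph can take on Linux/glibc: interpose openlog() and syslog() so that each message leaves as a UDP syslog datagram to a collector instead of being written to the chrooted /dev/log. The collector address and port, the default ident and facility, and the helper name format_syslog_msg are assumptions, and syslog_r(3), the OpenBSD variant mentioned above, is not covered.

```c
#include <arpa/inet.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

#define COLLECTOR_IP   "127.0.0.1"   /* assumed collector; set to the real syslog host */
#define COLLECTOR_PORT 514
static const char *log_ident = "sshd";  /* defaults until openlog() is called */
static int log_facility = LOG_AUTH;
/* Build an RFC 3164-style datagram "<PRI>ident: message" (PRI = facility|severity; a
 * priority without a facility gets the openlog() default). Returns bytes placed in out. */
size_t format_syslog_msg(int priority, const char *ident, const char *msg,
                         char *out, size_t outlen)
{
    if ((priority & LOG_FACMASK) == 0)
        priority |= log_facility;
    int n = snprintf(out, outlen, "<%d>%s: %s", priority, ident, msg);
    return n < 0 ? 0 : (size_t)n < outlen ? (size_t)n : outlen - 1;  /* capped if truncated */
}
/* One UDP datagram per message: no persistent fd to inherit across fork() or lose to fd
 * exhaustion. Returns 0 or -1; a logging failure must never abort the caller. */
static int send_datagram(const char *buf, size_t len)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(COLLECTOR_PORT) };
    if (inet_pton(AF_INET, COLLECTOR_IP, &sin.sin_addr) != 1) return -1;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    ssize_t r = sendto(s, buf, len, 0, (struct sockaddr *)&sin, sizeof sin);
    close(s);
    return r < 0 ? -1 : 0;
}
/* Interposed libc entry points: /dev/log inside the chroot is never opened. */
void openlog(const char *ident, int option, int facility)
{
    (void)option;
    if (ident) log_ident = ident;          /* libc keeps the caller's pointer too */
    if (facility) log_facility = facility;
}
void syslog(int priority, const char *fmt, ...)
{
    char msg[1024], pkt[1100];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    send_datagram(pkt, format_syslog_msg(priority, log_ident, msg, pkt, sizeof pkt));
}
```

Build it with `cc -shared -fPIC -o syslogshim.so shim.c` and set LD_PRELOAD in the environment sshd is started from, so the chrooted sftp sessions inherit it. UDP syslog is lossy and unauthenticated, so a local relay or a TCP/TLS transport is the better target outside a lab.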
