Secure Shell
sftp-server logging under chroot & privilege separation Mar 08 2010 05:53PM
kjh26 chrysler com (2 replies)
Re: sftp-server logging under chroot & privilege separation Mar 08 2010 10:07PM
Robert Hajime Lanning (robert lanning gmail com)
Re: sftp-server logging under chroot & privilege separation Mar 08 2010 07:24PM
Lars Nooden (lars curator gmail com) (1 replies)
Re: sftp-server logging under chroot & privilege separation Mar 08 2010 11:29PM
kjh26 chrysler com
Hi Lars:

Thanks for the info.... we are running this on Solaris 9.

We are trying to stand up an OpenSSH SFTP server to integrate with our B2B
message hub. The Solaris SSH does not give us the flexibility we want to
run it.

The other problem we are having is that since we are an 'application
group', we are at the direction of the sys admins & corporate security for
how we need to implement this.

As for your points below:
==================

==> chrooting is being achieved via sshd_config

+ turn off the SUID root - there is a way around whatever it was using
sudoer
==> setuid is the only way we can get this to work
==> this is being run under a 'generic' application ID - NOT ROOT
+ check that you have created a socket named /dev/log in the chroot
hierarchy
==> I think this is my problem - I'll have to research this!!!
+ check that syslogd, syslog-ng, or whathaveyou is using that socket
==> we are using syslog -> root 5621 1 0 May 12 ? 66:05
/usr/sbin/syslogd

Thanks

Kevin J. Herman
Sr. Systems Analyst
EBMX [Electronic Business Message eXchange]
ITM - Procurement Systems

T/L 776-6793
O/L (248)576-6793
FAX (248)576-2185

CTC E3000-3S2E8
CIMS 483-01-19
LOC/DEPT: 1100-1721

Lars Nooden <lars.curator (at) gmail (dot) com [email concealed]>
Sent by: listbounce (at) securityfocus (dot) com [email concealed]
03/08/2010 05:46 PM

To
secureshell (at) securityfocus (dot) com [email concealed]
cc

Subject
Re: sftp-server logging under chroot & privilege separation

On 2010-3-8 7:53 PM, kjh26 (at) chrysler (dot) com [email concealed] wrote:
> We are using OpenSSH 5.3p1.
>
> We are using this to host an SFTP drop-box. We have implemented chroot
&
> privilege separation.
> ... Any ideas?

Assuming the chroot is done via sshd_config and not the old way, here
are some things to look at:

+ turn off the SUID root - there is a way around whatever it was using
sudoer,
+ check that you have created a socket named /dev/log in the chroot
hierarchy,
+ check that syslogd, syslog-ng, or whathaveyou is using that socket,
+ check that the partition where the chroot directory resides is not
mounted with the nodev option.

"The ChrootDirectory must contain the necessary files
and directories to support the user's session ...
sessions which use logging do require /dev/log inside
the chroot directory

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

"Use of sftp-server in a chroot configuration therefore
requires that syslogd(8) establish a logging socket
inside the chroot directory.

http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server

Is that on Solaris, AIX, BSD or Linux?

Regards,
/Lars

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus