Topic: syslog-ng, chroot environments & Solaris

ocoro02 (Guest)
syslog-ng, chroot environments & Solaris
« on: August 18, 2008, 07:22:31 AM »
I'm trying to get chrooted sftp working (using latest openssh 5.1p1) on a Solaris 10 x86 box and am having trouble getting logging working. I realise this may be an ssh issue - and there have been a few mentions of similar problems - but the more I look at it the more I wonder whether it's a problem with syslog-ng.

Basically ssh, using the internal-sftp option & ChrootDirectory logs the initial connection, but once the user is in the chroot environment, there's no further logging (and I want to log sftp transfers etc.).

From a syslog-ng point of view, I'm running v2.0.9 (the package from sunfreeware) and my source looks like this:

source syslog {
        internal();
        sun-streams("/dev/log" door("/var/run/syslog_door"));
        sun-streams("/export/home/mychrootuser/dev/log" door("/export/home/mychrootuser/var/run/syslog_door"));
        udp(ip(0.0.0.0) port(514));
};

where 'mychrootuser' is the user I wish to be locked in the chroot jail.
I created /export/home/mychrootuser/dev/log by building another instance of the /dev/log character file:

# ls -lL /dev/log
crw-r-----   1 root     sys       21,  5 Jun  9 14:46 /dev/log
# mknod /export/home/mychrootuser/dev/log c 21 5
# ls -l /export/home/mychrootuser/dev/log
crw-r-----   1 root     sys       21,  5 Aug 18 13:15 /export/home/mychrootuser/dev/log

Restart syslog-ng and the door file is created automatically:
# ls -l /export/home/mychrootuser/var/run/syslog_door
Drw-r--r--   1 root     root           0 Aug 18 13:04 /export/home/mychrootuser/var/run/syslog_door

I also alter the perms above to make sure mychrootuser can write to both the log & door files (this might not be necessary - I've tried allowing or keeping perms as listed above).

When I sftp - no luck. Logging works fine when ssh is set to non-chroot. I've also tried using unix-stream rather than sun-streams.
As I say, it's very likely an ssh problem - but just checking in case there's a magic fix on Solaris.

« Last Edit: August 18, 2008, 07:44:03 AM by ocoro02 »


fgarillot
Re: syslog-ng, chroot environments & Solaris
« Reply #1 on: August 19, 2008, 11:48:06 AM »
I may be running into a similar problem. Are you using ForceCommand in combination with ChrootDirectory in your sshd_config?

Apparently, some people have noticed that it doesn't work well with logging in syslogd, and I reached the same conclusions with syslog-ng:

http://lists.mindrot.org/pipermail/openssh-unix-dev/2008-June/026526.html
http://lists.mindrot.org/pipermail/openssh-unix-dev/2008-June/026557.html

--
FG

ocoro02 (Guest)
Re: syslog-ng, chroot environments & Solaris
« Reply #2 on: August 21, 2008, 05:26:00 AM »
I've cracked this - the problem mainly lay with openssh which I'll describe in:

http://groups.google.com/group/comp.security.ssh/browse_thread/thread/ce30a1d9889dc2e2#

From a syslog-ng point of view the config was even simpler than I expected. I didn't need to define a new source within the chroot jail. All I have is (what I had before):

source syslog {
        internal();
        sun-streams("/dev/log" door("/var/run/syslog_door"));
        udp(ip(0.0.0.0) port(514));
};

The magic trick is that on Solaris 10, you need /dev/conslog in the chroot jail - and that is all.
So create the device by getting the major/minor numbers for conslog:

% ls -lL /dev/conslog
crw-rw-rw-   1 root     sys       21,  0 Jun  5 14:36 /dev/conslog

And create the device file:

% mkdir /path/to/chrootjail/dev
% mknod /path/to/chrootjail/dev/conslog c 21 0

Need to alter perms on this as well. The SSH perms are quite odd - top level of the chroot jail must be owned by root and must be modes 750 or less.

mutex (Administrator)
Re: syslog-ng, chroot environments & Solaris
« Reply #3 on: August 21, 2008, 06:50:50 AM »
That's a pretty obscure problem.  I am glad you got it resolved.

michelj
Re: syslog-ng, chroot environments & Solaris
« Reply #4 on: January 17, 2014, 10:19:53 AM »
Thanks a lot for this post ocoro02,

I've just spent 2 days fighting with openssh/sftp, and just discovered your post. Thanks a lot.
For those who are (still) running Solaris 10 but inside a zone: mknod is not allowed in zones, so an alternate solution is to use a lofs mount to do the trick:

mkdir -p /path/to/chrootjail/dev/conslog
mount -F lofs /dev/conslog /path/to/chrootjail/dev/conslog

MJ
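Pulling together ocoro02's Reply #2 (the /dev/conslog node with matching major/minor numbers, and sshd's root-owned/750-or-less rule for the jail root) and michelj's lofs variant for zones, here is an added checker script; it is not code from either poster. It assumes POSIX sh and awk and the classic `ls -l` column layout, and the jail path and `check_*` function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Solaris 10 chroot jail used
# with sshd ChrootDirectory + internal-sftp has the /dev/conslog node that
# syslog-ng logging depends on, and that the jail root satisfies the rule quoted
# above (owned by root, mode 750 or stricter). Assumes POSIX sh/awk, classic ls.

# Parse one `ls -lL` line describing a character device into "major minor".
# Exits 1 for anything that is not a character device.
parse_dev_numbers() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^c/ { sub(",", "", $5); print $5, $6; exit 0 }
        { exit 1 }'
}

# Parse one `ls -ld` line for the jail root: owner must be root and no
# permission bit may be set outside rwxr-x--- (mode 750 or stricter).
parse_jail_root_ok() {
    printf '%s\n' "$1" | awk '
        $3 != "root" { exit 1 }
        substr($1, 6, 1) != "-" || substr($1, 8, 3) != "---" { exit 1 }
        { exit 0 }'
}

check_jail_root() {
    parse_jail_root_ok "$(ls -ld "$1")" && echo "ok: $1 owner/mode" ||
        { echo "bad: $1 must be root-owned, mode 750 or less"; return 1; }
}

# Compare the jail's dev/conslog with the host's and print the fix when it is
# missing or wrong: mknod in the global zone, lofs inside a zone (per michelj).
check_jail_conslog() {
    jail=$1; method=${2:-mknod}
    host=$(parse_dev_numbers "$(ls -lL /dev/conslog 2>/dev/null)") ||
        { echo "host /dev/conslog is not a character device"; return 2; }
    if [ -e "$jail/dev/conslog" ] &&
       [ "$(parse_dev_numbers "$(ls -lL "$jail/dev/conslog")")" = "$host" ]; then
        echo "ok: $jail/dev/conslog matches /dev/conslog ($host)"; return 0
    fi
    set -- $host   # $1=major $2=minor taken from the host node
    case $method in
        mknod) echo "fix: mkdir -p $jail/dev && mknod $jail/dev/conslog c $1 $2" ;;
        lofs)  echo "fix: mkdir -p $jail/dev/conslog && mount -F lofs /dev/conslog $jail/dev/conslog" ;;
    esac
    return 1
}

# Usage: sh check_jail.sh /export/home/mychrootuser [mknod|lofs]
if [ $# -ge 1 ]; then check_jail_root "$1"; check_jail_conslog "$1" "$2"; fi
```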