sftp syslogging does not work if sftp sessions are within a chroot
This document (7016993) is provided subject to the disclaimer at the end of this document.
Environment: SUSE Linux Enterprise Server 12 (SLES 12) and SUSE Linux Enterprise Server 15 (SLES 15)
Creation of /dev/log inside chroot directory

sftp-server(8) and sshd's internal-sftp log through syslog(3), which delivers messages to the /dev/log socket. A chrooted sftp session cannot see the system's /dev/log, so its log messages are silently dropped. The fix is to give every chroot its own /dev/log and bind-mount the real socket onto it. Let's use systemd-tmpfiles(8) to create the needed directory and file for us (see tmpfiles.d(5) for details). For each chroot directory add the following lines to /etc/tmpfiles.d/sftp-server.conf:

D! /chrootdirectory/dev 775 root root - -
f! /chrootdirectory/dev/log 666 root root - -

The above lines instruct systemd-tmpfiles to create a clean /chrootdirectory/dev directory (D additionally removes the directory's contents when --remove is used) and an empty placeholder file /chrootdirectory/dev/log during boot. The ! marker restricts both lines to boot-time processing, i.e. they are only executed when systemd-tmpfiles runs with --boot. The placeholder exists only so that the bind mount in the next step has something to attach to; the system's socket is mounted over it.
Definitions of bind mounts

Let's use a systemd.mount(5) unit to "propagate" the system's /dev/log into the chroot directory. One such unit must be created for each chroot directory, and its file name must be the escaped form of the mount point (Where=): /chrootdirectory/dev/log becomes chrootdirectory-dev-log.mount. The command systemd-escape -p --suffix=mount /chrootdirectory/dev/log prints the correct name for any path (a literal - in the path is encoded as \x2d).

Here /etc/systemd/system/chrootdirectory-dev-log.mount will be created with the following content:

[Mount]
What=/dev/log
Where=/chrootdirectory/dev/log
Type=none
Options=bind,nofail,noauto

NOTE: With nofail, this mount will be only wanted, not required, by local-fs.target or remote-fs.target. Moreover the mount unit is not ordered before these target units. This means that the boot will continue without waiting for the mount unit and regardless of whether the mount point can be mounted successfully. Since the unit has no [Install] section and noauto is set, nothing starts it at boot except the dependency added to sshd.service in the next step.
Extending sshd.service unit for bind mounts

Now sshd.service must be made to require the bind mounts defined above. Run systemctl edit sshd.service and add the following content (RequiresMountsFor= is a space-separated list of absolute paths; for each listed path systemd adds Requires= and After= dependencies on the mount unit covering it, so sshd starts only after the bind mounts are in place and does not start if one of them fails to mount):
Finalization

During system boot everything will be set up automatically: the temporary dev directory and the placeholder log file will be created in the chroot directory, and starting sshd.service will bind-mount the system's /dev/log into the chroot directories.

If a reboot is not wanted, the steps to finalize the system-journal approach are:

systemctl daemon-reload
systemd-tmpfiles --prefix=/chrootdirectory --create --remove --boot -E

to create the temporary directory and placeholder file (--boot is required, otherwise the ! lines are skipped), and

systemctl restart sshd.service

to make the sshd.service unit bind-mount /dev/log into the chroot directories. Verify with findmnt /chrootdirectory/dev/log, which lists the bind mount and exits non-zero if it is missing. Note that sftp logging must also be enabled in sshd_config, e.g. Subsystem sftp internal-sftp -l INFO, because the sftp server logs at ERROR level only by default; after that, messages from chrooted sessions appear in journalctl -u sshd.service.
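The whole procedure above, as an added example that is not part of this TID: a POSIX shell script that renders the tmpfiles.d snippet, one mount unit per chroot (named via systemd-escape, with a sed fallback for plain paths) and the sshd.service drop-in, then applies the no-reboot sequence and checks that each chroot's /dev/log is really a bind-mounted socket. DESTROOT, the drop-in file name chroot-dev-log.conf and the placement of RequiresMountsFor= in a [Unit] section are this example's own choices, not taken from the article.

```shell
#!/bin/sh
# Added example, not part of the SUSE TID: render and install the three pieces
# of configuration described above for one or more chroot directories, then
# activate them without a reboot as the Finalization section does.
#   1. /etc/tmpfiles.d/sftp-server.conf                       (D!/f! lines per chroot)
#   2. /etc/systemd/system/<escaped>.mount                    (bind of /dev/log per chroot)
#   3. /etc/systemd/system/sshd.service.d/chroot-dev-log.conf (RequiresMountsFor=)
# Assumptions: DESTROOT (default empty = the live system) is prefixed to every
# output path so the generators can be exercised as an unprivileged user; the
# drop-in file name and the [Unit] section holding RequiresMountsFor= are this
# example's choices; sftp logging is enabled in sshd_config
# (e.g. "Subsystem sftp internal-sftp -l INFO").
set -eu

# systemd derives a mount unit's name from its Where= path: "/" becomes "-",
# a literal "-" becomes "\x2d" and ".mount" is appended. Prefer systemd-escape(1);
# the sed fallback implements the same rule for the characters a chroot path
# normally contains (it does not escape other special characters).
unit_name_for() {
    if command -v systemd-escape >/dev/null 2>&1; then
        systemd-escape -p --suffix=mount "$1"
    else
        printf '%s' "$1" | sed -e 's#^/##' -e 's#/$##' -e 's#-#\\x2d#g' -e 's#/#-#g' -e 's#$#.mount#'
    fi
}

# tmpfiles.d(5) lines for every chroot given as argument. "!" limits the lines
# to boot-time processing (systemd-tmpfiles --boot); D cleans the directory on
# --remove; f creates the placeholder the socket is later bind-mounted over.
tmpfiles_conf() {
    for c in "$@"; do
        printf 'D! %s/dev 775 root root - -\nf! %s/dev/log 666 root root - -\n' "$c" "$c"
    done
}

# systemd.mount(5) unit for one chroot: bind the system socket onto the placeholder.
mount_unit() {
    printf '[Mount]\nWhat=/dev/log\nWhere=%s/dev/log\nType=none\nOptions=bind,nofail,noauto\n' "$1"
}

# Drop-in for sshd.service: RequiresMountsFor= adds Requires= and After= on the
# mount unit of each listed path, so sshd starts only once all binds are in place.
sshd_dropin() {
    paths=""
    for c in "$@"; do paths="$paths $c/dev/log"; done
    printf '[Unit]\nRequiresMountsFor=%s\n' "${paths# }"
}

# Write all files under ${DESTROOT:-} and print the mount unit names created.
install_all() {
    root=${DESTROOT:-}
    mkdir -p "$root/etc/tmpfiles.d" "$root/etc/systemd/system/sshd.service.d"
    tmpfiles_conf "$@" > "$root/etc/tmpfiles.d/sftp-server.conf"
    for c in "$@"; do
        unit=$(unit_name_for "$c/dev/log")
        mount_unit "$c" > "$root/etc/systemd/system/$unit"
        printf '%s\n' "$unit"
    done
    sshd_dropin "$@" > "$root/etc/systemd/system/sshd.service.d/chroot-dev-log.conf"
}

# Apply on the live system (root required): the article's no-reboot sequence,
# followed by a check that each chroot now has the socket bind-mounted.
activate() {
    systemctl daemon-reload
    for c in "$@"; do
        systemd-tmpfiles --prefix="$c" --create --remove --boot -E
    done
    systemctl restart sshd.service
    for c in "$@"; do
        if findmnt "$c/dev/log" >/dev/null && [ -S "$c/dev/log" ]; then
            echo "ok: $c/dev/log is a bind mount of the system syslog socket"
        else
            echo "FAIL: $c/dev/log is not mounted" >&2
            return 1
        fi
    done
}

# Usage: sh sftp-chroot-log.sh apply /chrootdirectory [/another/chroot ...]
if [ "${1:-}" = apply ]; then
    shift
    install_all "$@"
    activate "$@"
fi
```

Run it as root with apply and the chroot directories as arguments; without apply it only defines the functions, so the generators can be tried against a scratch DESTROOT first and the rendered files inspected before anything touches /etc.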
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7016993
- Creation Date: 16-Nov-2015
- Modified Date: 29-Sep-2021
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com