[scponly] scponlyc logging

Kaleb Pederson kaleb.pederson at gmail.com
Tue Aug 5 16:04:21 EDT 2008


I was wrong on a couple of things:

- You can't hardlink directories
- You CAN hardlink sockets, so `ln /dev/log /path/to/chroot/dev/log`
should work.  But, you'll need to recreate the links any time the
syslog daemon is restarted since the hardlink would be pointing to the
wrong inode/socket.

The following has a lot of good information about chroots:

http://www.unixwiz.net/techtips/chroot-practices.html

Good luck.

--Kaleb

On Tue, Aug 5, 2008 at 12:32 PM, Stuart VanZee <StuartV at datalinesys.com> wrote:
>
> Once again, thank you for the reply.
>
> Looks like I have some more reading to do since you
> have given me some really good ideas on how to
> handle this.  I'm not sure my code foo is up to writing
> such a daemon, but we'll see.  I'll look into the link
> idea first though.
>
> Thanks again.
>
> s
>
>> From: Kaleb Pederson
>> Subject: Re: [scponly] scponlyc logging
>>
>>
>> On Tue, Aug 5, 2008 at 11:58 AM, Stuart VanZee
>> <StuartV at datalinesys.com> wrote:
>> >
>> > Well... That did it.  Thank you very much.
>>
>> No problem.
>>
>> > Looking in the man page for syslogd it says:
>> >
>> >     -a path
>> >             Specify a location where syslogd should place an additional
>> >             log socket.  Up to about 20 additional logging sockets can be
>> >             specified.  The primary use for this is to place additional
>> >             log sockets in /dev/log of various chroot filespaces.
>> >
>> > Do you have any idea what the "Up to about 20" is all about?  I will
>> > eventually (probably sooner than later) have to support much more than
>> > 20 accounts that are able to sftp (and be chrooted) on this box. Do you
>> > know if there is a way of getting around this limit or if this limit is
>> > a hard limit or not?
>>
>> No, I'm not sure as that will be completely dependent on your
>> logging daemon.
>>
>> I'm not sure if BSD has this feature, but you might be able to mount
>> --bind a single /dev from a chroot into all of them, so the logging
>> device "magically" shows up for all of them.  You might also be able
>> to hardlink a chrooted /dev into all the chroots, thus only using a
>> single one (I'd investigate the security of this one first). Lastly,
>> assuming you have a developer, he/she could write a simple daemon that
>> will create sockets within each chroot and forward them to the real
>> logging device.
>>
>> Regards.
>>
>> --Kaleb
>>
>> _______________________________________________
>> scponly mailing list
>> scponly at lists.ccs.neu.edu
>> https://lists.ccs.neu.edu/bin/listinfo/scponly
>>
>>
>>
>
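The two mechanisms the thread discusses, a hardlinked `/dev/log` that goes stale when syslogd recreates its socket, and a small daemon that binds a socket inside every chroot and forwards datagrams to the real logging socket, in one added illustration. This is example code written for this page, not code from scponly or from anyone on the list. It assumes the chroot roots are given on the command line, that the real syslog socket is a Unix datagram socket at `/dev/log` (the Linux convention; adjust `real_log` if your daemon uses a different path), and that relayed messages are forwarded unchanged, so the originating chroot is not recorded in the message itself.

```python
import os
import select
import socket


def link_is_current(real_log, chroot_copy):
    """Return True if chroot_copy still names the same inode as real_log.

    A hard link made with `ln /dev/log /chroot/dev/log` keeps pointing at the
    old socket inode once the syslog daemon restarts and recreates /dev/log.
    A startup or cron job can run this check before recreating the link.
    """
    try:
        return os.path.samefile(real_log, chroot_copy)
    except FileNotFoundError:
        return False


class ChrootSyslogRelay:
    """Bind a datagram socket at <root>/dev/log for every chroot and forward
    each datagram, unchanged, to the real syslog socket.

    Illustrative implementation of the forwarding daemon idea from the
    thread; it is not part of scponly.
    """

    def __init__(self, chroot_roots, real_log="/dev/log", max_datagram=65536):
        self.real_log = real_log
        self.max_datagram = max_datagram
        self.listeners = {}
        for root in chroot_roots:
            path = os.path.join(root, "dev", "log")
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if os.path.lexists(path):
                os.unlink(path)  # stale socket or link from an earlier run
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
            sock.bind(path)
            os.chmod(path, 0o666)  # every uid inside the chroot may log
            self.listeners[sock] = path
        self.upstream = None
        self._connect_upstream()

    def _connect_upstream(self):
        """(Re)connect to the real syslog socket, dropping any old socket."""
        if self.upstream is not None:
            self.upstream.close()
        self.upstream = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.upstream.connect(self.real_log)

    def _send_upstream(self, data):
        """Send one datagram; reconnect once if syslogd recreated its socket."""
        try:
            self.upstream.send(data)
            return True
        except OSError:
            try:
                self._connect_upstream()
                self.upstream.send(data)
                return True
            except OSError:
                return False  # syslogd is down: this datagram is dropped

    def relay_once(self, timeout=1.0):
        """Forward whatever is pending on the chroot sockets and return the
        number of datagrams delivered upstream."""
        readable, _, _ = select.select(list(self.listeners), [], [], timeout)
        delivered = 0
        for sock in readable:
            data = sock.recv(self.max_datagram)
            if self._send_upstream(data):
                delivered += 1
        return delivered

    def serve_forever(self):
        while True:
            self.relay_once(timeout=None)

    def close(self):
        for sock, path in self.listeners.items():
            sock.close()
            if os.path.lexists(path):
                os.unlink(path)
        self.upstream.close()


if __name__ == "__main__":
    import sys
    # usage: relay.py /var/chroot/user1 /var/chroot/user2 ...  (paths assumed)
    ChrootSyslogRelay(sys.argv[1:]).serve_forever()
```

Because the relay reconnects on a failed send, it survives a syslogd restart without any per-chroot fixup, which is the maintenance cost the hardlink approach carries; the price is one extra process and the loss of the per-chroot origin unless the programs inside the chroot tag their own messages.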
