OT: chroot sftp centos 7

Fairlight fairlite at fairlite.com
Wed Mar 27 03:30:35 PDT 2019


On Tue, Mar 26, 2019 at 09:25:42PM -0400, scooter6 at gmail.com thus spoke:
>    Well I'm glad I could piss you off

-Wrong answer-, especially from someone who saw fit to bother me -in
private-, off-list, TEN times with their problems, without offering to
compensate me:

       81   + Mar 24 scooter6 at gmail. ( 6.9K) └─&─>
       82   + Mar 24 scooter6 at gmail. ( 7.6K)     └─>
       83 r + Mar 24 scooter6 at gmail. ( 9.0K)       └─>
       85 r + Mar 25 scooter6 at gmail. (  16K)         ├─&─>
       87 r + Mar 25 scooter6 at gmail. (  34K)         │   └─&─>
       89 r + Mar 25 scooter6 at gmail. (  70K)         │       └─&─>
       91   + Mar 25 scooter6 at gmail. ( 137K)         │           └─&─>
       92 r + Mar 25 scooter6 at gmail. ( 140K)         │               └─>
       94   + Mar 25 scooter6 at gmail. ( 255K)         │                 └─&─>
       95   + Mar 24 scooter6 at gmail. ( 9.9K)         └─>

...until I mentioned that anything further would need to be paid
work because you were taking time away from other clients.  Then you
mysteriously went radio silent after saying, "I understand.  I'll reach out
if it comes to that."  Until dragging Yet Another *nix 101 question back to
a non-*nix community, with an issue wholly unrelated to filePro.

Learning all the wrong lessons, and unable to take a hint, I see.

For my part, you're done.  Being a jerk and just using me for a couple
days, giving an up-to-the-second ongoing tally of your repeated failures
in systems administration in private for which I never asked and without
compensation, and seeking further help under the same terms was one thing.
I stopped that in its tracks by mere -mention- of the word 'money', which
speaks volumes.

Being a -complete- dick and saying you're -glad- you could piss me off?
Really?  Let's just say you'll -better- have a checkbook in hand if you
ever contact -me- off-list again for -any- reason, quite possibly including
previously complimentary product support for my software, the way you just
tried pulling that guilt trip (which utterly and spectacularly failed, by
the way), and attempting to make me look like the bad guy when you're the
one who's been taking advantage, both publicly and privately.

It's one thing to persist in what you were doing with OT stuff before.
It's quite another to unsolicitedly take it private, persist without
offering remuneration (professionally rude, not to put too fine a point on
it), take it to the point you have to be shut down so I can get a moment's
peace and do my actual paying work for paying clients, and then bring it
-back- to the list because you just trashed your goodwill with the person
you were privately using behind-the-scenes -- with yet -another- wholly
non-filePro problem, no less.

Yeah, I'm going to call you on it.  Damned straight, Skippy.  And not that
I actually -need- someone to back me on it, but someone just wrote me
privately saying they feel I'm actually in the right -before- seeing this
current response, and they didn't even know about the private thread you
kept going.  Well, they do now. :) (At this point, the intelligent person
would figure out they've stepped in it, and just quietly stand down.
We'll see how bright you are.)

As Paul Harvey used to say, now people know the -rest- of the story.

Nice try, but perhaps you should rethink your behaviour before taking a pot
shot guilt trip at me or the community.  You don't exactly have the high
moral ground from which to debate the issue.  You want to go on about
'community', try treating it as such, rather than as unpaid labour.

Have fun, and good luck with that C7 box!

"Shutdown complete."

mark->


>    Next time I won't start my post with OT unless it involves a joke
>    thanks for your time and input
>    As I said, I mimicked my setup that worked for me on 5.10 but for some
>    reason complains with the exact same setup on centos 7
>    I know sftp works out of the box on centos 7 - but these users should
>    be jailed and not able to navigate around other than to their
>    'attachments' directory- they drop off files and that's it....
>    I'll look at my configuration again and see if everything is in order
>    moving forward I'll make sure I have my checkbook in hand when asking
>    for any assistance from this 'community'
> 
>    On Tue, Mar 26, 2019 at 9:11 PM Fairlight via Filepro-list
>    <[1]filepro-list at lists.celestial.com> wrote:
> 
>      This is way outside the scope of filePro.  For that matter, so was
>      the mail stuff last week.
> 
>      At this point, you've come to the filePro list for a good percentage
>      of what should be Linux 101 and done within the scope of a CentOS
>      community, asking us to help set up your new box.  While it's been a
>      form of cheap amusement to watch you go on this journey, that benefit
>      has outstayed its welcome, at least for me.  In fact, it's annoying
>      the hell out of me, because you should be either researching your
>      problems, or paying someone to do it.  As someone who does systems
>      administration for a living, I can say I'm quite irked on principle
>      to see you repeatedly trying to get something for nothing in terms
>      of systems administration.  It's like going to a professional car
>      mechanics' retreat without being a professional mechanic yourself,
>      and trying to get your car fixed for free.  Insulting doesn't quite
>      do it justice.
> 
>      At the -very- least, you should be leaning on a community actually
>      focused on the platform at hand.
> 
>      Respectfully, I would suggest you either hire someone who can get it
>      done, or find a community better suited to handling the *nix-specific
>      issues you keep running into which are wholly unrelated to filePro
>      itself.  You may use filePro, but these aren't even filePro
>      integration problems/issues/questions, at this point.  These are *nix
>      subsystem and functionality issues, full stop.
> 
>      What you've been doing is the equivalent of someone coming in here
>      and asking how to configure IIS on Windows.  It makes about as much
>      sense, and it's really not the venue.
> 
>      If this is for a hobby, figure it out.  If this is for business, it
>      should be paid work for someone, past a certain point.  You've really
>      been pushing it lately.
> 
>      And for the record, stock sftp on CentOS 7 works just fine.  I've got
>      it working on many boxes, and there are no issues as long as
>      permissions and groups are correct.
> 
>      /home/ should be root:root 0755.
>      /home/frontier/ should be root:root 0755.
> 
>      Under there, you should have subdirectories for file storage and
>      retrieval.  Assume a common idiom of inbound and outbound:
> 
>      /home/frontier/inbound/ frontier:users 0755
>      /home/frontier/outbound/ frontier:users 0755
> 
>      You need those subdirectories, because frontier will not be able to
>      write directly to a directory owned by root with 0755, which is
>      mandatory.
> 
>      You do -not- actually need the sftponly group on the subdirectories.
>      That group serves only as a trigger for sftp jailing.
> 
>      The user -must- have sftponly as their primary group.
> 
>      This is the sshd_config section which works for me:
> 
>      Match group sftponly
>              X11Forwarding no
>              AllowTcpForwarding no
>              ForceCommand internal-sftp
>              ChrootDirectory %h
> 
>      I wonder if you have /home/ set incorrectly.  Aside from
>      ChrootDirectory expando differences, the rest of what you have looks
>      correct.
> 
>      I can, however, confirm that sftp works just fine on CentOS 7 with
>      openssh-7.4p1-16.el7.x86_64.  I'm looking directly at a working one
>      which has been verified and is in production.
> 
>      mark->
> 
>      On Tue, Mar 26, 2019 at 07:13:33PM -0400, scooter6--- via
>      Filepro-list thus spoke:
>      > Is anyone aware of anything changing as to how to chroot sftp
>      > users on centos 7?
>      > I have everything setup identically on new server and keep getting
>      > fatal: bad ownership or modes for chroot directory component "/" [postauth]
>      >
>      > Everything I know root has to own the directory in full path up
>      > until chroot directory
>      >
>      > The only way I can even get a sftpuser to connect is if I make
>      > them the owner of the /home directory
>      >
>      > Old server:   this is in /home
>      >
>      > drwxr-xr-x  3 root    root    4096 Oct 16 11:15 frontier
>      >
>      > Then, if you go to /home/frontier:
>      >
>      > drwxr-xr-x 3 frontier sftponly 4096 Mar 19 15:45 attachments
>      >
>      > sshd_config:
>      >
>      > Match Group sftponly
>      >         ChrootDirectory /home/%u
>      >         ForceCommand internal-sftp
>      >         X11Forwarding no
>      >         AllowTcpForwarding no
>      >
>      > New server:   this is in /home
>      >
>      > drwxr-xr-x   4 root    root      38 Mar 26 18:17 frontier
>      >
>      > Then, if you go to /home/frontier:
>      >
>      > drwxr-xr-x 2 frontier sftponly 6 Mar 26 19:05 attachments
>      >
>      > sshd_config has:
>      >
>      > Match Group sftponly
>      >         ChrootDirectory /home/%u
>      >         ForceCommand internal-sftp
>      >         X11Forwarding no
>      >         AllowTcpForwarding no
>      >
>      > Only thing different on servers are the UID/GIDs
>      >
>      > Old server for frontier:
>      >
>      > id frontier
>      >
>      > uid=1014(frontier) gid=502(sftponly) groups=502(sftponly)
>      >
>      > New server:
>      >
>      > id frontier
>      >
>      > uid=2043(frontier) gid=1503(sftponly) groups=1503(sftponly)
>      >
>      > Old server, /etc/passwd
>      >    frontier:x:1014:502::/attachments:/bin/false
>      >
>      > New server, /etc/passwd
>      >    frontier:x:2043:1503::/attachments:/bin/false
>      >
>      > I even tried creating a new group, new user, etc - it's typically
>      > straightforward, but I can't get any combination to work that others
>      > swear works for them.  This isn't normally difficult but I've been
>      > working on this for 4 hours and can't get the right combination to
>      > seem to work
>      >
>      > Has anyone successfully gotten this to work on centos 7?
>      >
>      > thanks
>      > _______________________________________________
>      > Filepro-list mailing list
>      > [3]Filepro-list at lists.celestial.com
>      > Subscribe/Unsubscribe/Subscription Changes
>      > [4]http://mailman.celestial.com/mailman/listinfo/filepro-list
>      >
>      --
>      Audio panton, cogito singularis.
> 
> References
> 
>    1. mailto:filepro-list at lists.celestial.com
>    2. http://mailman.celestial.com/pipermail/filepro-list/attachments/20190326/6ae6eec6/attachment.html
>    3. mailto:Filepro-list at lists.celestial.com
>    4. http://mailman.celestial.com/mailman/listinfo/filepro-list
>    5. mailto:Filepro-list at lists.celestial.com
>    6. http://mailman.celestial.com/mailman/listinfo/filepro-list

-- 
Fairlight Consulting
http://www.fairlite.com
fairlite at fairlite.com
(502) 509-3840

