OT: chroot sftp centos 7
scooter6 at gmail.com
Wed Mar 27 05:26:08 PDT 2019
Mark,
You're absolutely correct and I apologize for my behavior
It's been a stressful several weeks
I was out of line and I apologize
In the future, if the need arises, I will seek to hire you for your
expertise
Sorry again
Scott
On Wed, Mar 27, 2019 at 6:32 AM Fairlight via Filepro-list <
filepro-list at lists.celestial.com> wrote:
> On Tue, Mar 26, 2019 at 09:25:42PM -0400, scooter6 at gmail.com thus spoke:
> > Well I'm glad I could piss you off
>
> -Wrong answer-, especially from someone who saw fit to bother me -in
> private-, off-list, TEN times with their problems, without offering to
> compensate me:
>
> 81 + Mar 24 scooter6 at gmail. ( 6.9K) └─&─>
> 82 + Mar 24 scooter6 at gmail. ( 7.6K) └─>
> 83 r + Mar 24 scooter6 at gmail. ( 9.0K) └─>
> 85 r + Mar 25 scooter6 at gmail. ( 16K) ├─&─>
> 87 r + Mar 25 scooter6 at gmail. ( 34K) │ └─&─>
> 89 r + Mar 25 scooter6 at gmail. ( 70K) │ └─&─>
> 91 + Mar 25 scooter6 at gmail. ( 137K) │ └─&─>
> 92 r + Mar 25 scooter6 at gmail. ( 140K) │ └─>
> 94 + Mar 25 scooter6 at gmail. ( 255K) │ └─&─>
> 95 + Mar 24 scooter6 at gmail. ( 9.9K) └─>
>
> ...until I mentioned that anything further would need to be paid
> work because you were taking time away from other clients. Then you
> mysteriously went radio silent after saying, "I understand. I'll reach out
> if it comes to that." Until dragging Yet Another *nix 101 question back to
> a non-*nix community, with an issue wholly unrelated to filePro.
>
> Learning all the wrong lessons, and unable to take a hint, I see.
>
> For my part, you're done. Being a jerk and just using me for a couple
> days, giving an up-to-the-second ongoing tally of your repeated failures
> in systems administration in private for which I never asked and without
> compensation, and seeking further help under the same terms was one thing.
> I stopped that in its tracks by mere -mention- of the word 'money', which
> speaks volumes.
>
> Being a -complete- dick and saying you're -glad- you could piss me off?
> Really? Let's just say you'll -better- have a checkbook in hand if you
> ever contact -me- off-list again for -any- reason, quite possibly including
> previously complimentary product support for my software, the way you just
> tried pulling that guilt trip (which utterly and spectacularly failed, by
> the way), and attempting to make me look like the bad guy when you're the
> one who's been taking advantage, both publicly and privately.
>
> It's one thing to persist in what you were doing with OT stuff before.
> It's quite another to unsolicitedly take it private, persist without
> offering remuneration (professionally rude, not to put too fine a point on
> it), take it to the point you have to be shut down so I can get a moment's
> peace and do my actual paying work for paying clients, and then bring it
> -back- to the list because you just trashed your goodwill with the person
> you were privately using behind-the-scenes -- with yet -another- wholly
> non-filePro problem, no less.
>
> Yeah, I'm going to call you on it. Damned straight, Skippy. And not that
> I actually -need- someone to back me on it, but someone just wrote me
> privately saying they feel I'm actually in the right -before- seeing this
> current response, and they didn't even know about the private thread you
> kept going. Well, they do now. :) (At this point, the intelligent person
> would figure out they've stepped in it, and just quietly stand down.
> We'll see how bright you are.)
>
> As Paul Harvey used to say, now people know the -rest- of the story.
>
> Nice try, but perhaps you should rethink your behaviour before taking a pot
> shot guilt trip at me or the community. You don't exactly have the high
> moral ground from which to debate the issue. You want to go on about
> 'community', try treating it as such, rather than as unpaid labour.
>
> Have fun, and good luck with that C7 box!
>
> "Shutdown complete."
>
> mark->
>
>
> > Next time I won't start my post with OT unless it involves a joke
> > thanks for your time and input
> > As I said, I mimicked my setup that worked for me on 5.10 but for some
> > reason complains with the exact same setup on centos 7
> > I know sftp works out of the box on centos 7 - but these users should
> > be jailed and not able to navigate around other than to their
> > 'attachments' directory- they drop off files and that's it....
> > I'll look at my configuration again and see if everything is in order
> > moving forward I'll make sure I have my checkbook in hand when asking
> > for any assistance from this 'community'
> >
> > On Tue, Mar 26, 2019 at 9:11 PM Fairlight via Filepro-list
> > <filepro-list at lists.celestial.com> wrote:
> >
> > This is way outside the scope of filePro. For that matter, so was the mail
> > stuff last week.
> >
> > At this point, you've come to the filePro list for a good percentage of
> > what should be Linux 101 and done within the scope of a CentOS community,
> > asking us to help set up your new box. While it's been a form of cheap
> > amusement to watch you go on this journey, that benefit has outstayed its
> > welcome, at least for me. In fact, it's annoying the hell out of me,
> > because you should be either researching your problems, or paying someone
> > to do it. As someone who does systems administration for a living, I
> > can say I'm quite irked on principle to see you repeatedly trying to get
> > something for nothing in terms of systems administration. It's like going
> > to a professional car mechanics' retreat without being a professional
> > mechanic yourself, and trying to get your car fixed for free. Insulting
> > doesn't quite do it justice.
> >
> > At the -very- least, you should be leaning on a community actually focused
> > on the platform at hand.
> >
> > Respectfully, I would suggest you either hire someone who can get it
> > done, or find a community better suited to handling the *nix-specific
> > issues you keep running into which are wholly unrelated to filePro
> > itself. You may use filePro, but these aren't even filePro integration
> > problems/issues/questions, at this point. These are *nix subsystem and
> > functionality issues, full stop.
> >
> > What you've been doing is the equivalent of someone coming in here and
> > asking how to configure IIS on Windows. It makes about as much sense, and
> > it's really not the venue.
> >
> > If this is for a hobby, figure it out. If this is for business, it should
> > be paid work for someone, past a certain point. You've really been pushing
> > it lately.
> >
> > And for the record, stock sftp on CentOS 7 works just fine. I've got it
> > working on many boxes, and there are no issues as long as permissions and
> > groups are correct.
> >
> > /home/ should be root:root 0755.
> > /home/frontier/ should be root:root 0755.
> >
> > Under there, you should have subdirectories for file storage and retrieval.
> > Assume a common idiom of inbound and outbound:
> >
> > /home/frontier/inbound/ frontier:users 0755
> > /home/frontier/outbound/ frontier:users 0755
> >
> > You need those subdirectories, because frontier will not be able to write
> > directly to a directory owned by root with 0755, which is mandatory.
> >
> > You do -not- actually need the sftponly group on the subdirectories. That
> > group serves only as a trigger for sftp jailing.
> >
> > The user -must- have sftponly as their primary group.
> >
> > This is the sshd_config section which works for me:
> >
> > Match group sftponly
> >     X11Forwarding no
> >     AllowTcpForwarding no
> >     ForceCommand internal-sftp
> >     ChrootDirectory %h
> >
> > I wonder if you have /home/ set incorrectly. Aside from ChrootDirectory
> > expando differences, the rest of what you have looks correct.
> >
> > I can, however, confirm that sftp works just fine on CentOS 7 with
> > openssh-7.4p1-16.el7.x86_64. I'm looking directly at a working one which
> > has been verified and is in production.
> >
> > mark->
> >
> > On Tue, Mar 26, 2019 at 07:13:33PM -0400, scooter6--- via Filepro-list thus spoke:
> > > Is anyone aware of anything changing as to how to chroot sftp users on
> > > centos 7?
> > > I have everything setup identically on new server and keep getting
> > > fatal: bad ownership or modes for chroot directory component "/" [postauth]
> > >
> > > Every thing I know root has to own the directory in full path up until
> > > chroot directory
> > >
> > > The only way I can even get a sftpuser to connect is if I make them the
> > > owner of the /home directory
> > >
> > > Old server: this is in /home
> > >
> > > drwxr-xr-x 3 root root 4096 Oct 16 11:15 frontier
> > >
> > > Then, if you go to /home/frontier:
> > >
> > > drwxr-xr-x 3 frontier sftponly 4096 Mar 19 15:45 attachments
> > >
> > > sshd_config:
> > >
> > > Match Group sftponly
> > >     ChrootDirectory /home/%u
> > >     ForceCommand internal-sftp
> > >     X11Forwarding no
> > >     AllowTcpForwarding no
> > >
> > > New server: this is in /home
> > >
> > > drwxr-xr-x 4 root root 38 Mar 26 18:17 frontier
> > >
> > > Then, if you go to /home/frontier:
> > >
> > > drwxr-xr-x 2 frontier sftponly 6 Mar 26 19:05 attachments
> > >
> > > sshd_config has:
> > >
> > > Match Group sftponly
> > >     ChrootDirectory /home/%u
> > >     ForceCommand internal-sftp
> > >     X11Forwarding no
> > >     AllowTcpForwarding no
> > >
> > > Only thing different on servers are the UID/GIDs
> > >
> > > Old server for frontier:
> > >
> > > id frontier
> > >
> > > uid=1014(frontier) gid=502(sftponly) groups=502(sftponly)
> > >
> > > New server:
> > >
> > > id frontier
> > >
> > > uid=2043(frontier) gid=1503(sftponly) groups=1503(sftponly)
> > >
> > > Old server, /etc/passwd
> > >   frontier:x:1014:502::/attachments:/bin/false
> > >
> > > New server, /etc/passwd
> > >   frontier:x:2043:1503::/attachments:/bin/false
> > >
> > > I even tried creating a new group, new user, etc - it's typically straight
> > > forward, but I can't get any combination to work that others swear works
> > > for them. This isn't normally difficult but I've been working on this for
> > > 4 hours and can't get the right combination to seem to work
> > >
> > > Has anyone successfully gotten this to work on centos 7?
> > >
> > > thanks
> > > _______________________________________________
> > > Filepro-list mailing list
> > > Filepro-list at lists.celestial.com
> > > Subscribe/Unsubscribe/Subscription Changes
> > > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > >
> > --
> > Audio panton, cogito singularis.
>
> --
> Fairlight Consulting
> http://www.fairlite.com
> fairlite at fairlite.com
> (502) 509-3840
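
Added example (not part of the thread): the "bad ownership or modes for chroot directory component" error quoted above is sshd rejecting one component of the ChrootDirectory path; sshd_config(5) requires every component, starting at "/", to be a root-owned directory that is not writable by group or others. The script below applies that same test to each component and prints the first one that fails. The function names and the optional owner-uid and prefix arguments are assumptions made for this example, and it relies on GNU stat as shipped with CentOS.

```sh
#!/bin/sh
# Added example, not from the thread. Requires GNU stat (coreutils).

# component_ok DIR UID: true if DIR is a directory owned by UID with no
# group/other write bit, the condition sshd enforces on chroot components.
component_ok() {
    dir=$1 want_uid=$2
    [ -d "$dir" ] || return 1
    uid=$(stat -L -c %u "$dir") || return 1
    mode=$(stat -L -c %a "$dir") || return 1
    [ "$uid" = "$want_uid" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# first_bad_component PATH [UID] [PREFIX]
# Walks "/", then each longer prefix of PATH, and prints the first component
# that fails. UID defaults to 0 (root). PREFIX (hypothetical convenience)
# points the check at a tree staged or mounted somewhere other than "/".
first_bad_component() {
    path=$1 want_uid=${2:-0} prefix=${3:-}
    case $path in
        /*) ;;
        *) echo "not an absolute path: $path" >&2; return 2 ;;
    esac
    component_ok "$prefix/" "$want_uid" || { echo "/"; return 1; }
    cur=""
    old_ifs=$IFS; IFS=/
    set -f; set -- $path; set +f    # split on "/" without globbing
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        component_ok "$prefix$cur" "$want_uid" || { echo "$cur"; return 1; }
    done
    return 0
}

# Run as: sh check_chroot.sh /home/frontier
if [ $# -gt 0 ]; then
    if bad=$(first_bad_component "$@"); then
        echo "OK: every component of $1 passes"
    else
        echo "FAIL: fix ownership/mode of: $bad"
    fi
fi
```

A result of "/" means the root directory itself fails the test, which is the component named in the error message quoted in the thread, rather than /home or /home/frontier.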