OT: chroot sftp centos 7

scooter6 at gmail.com scooter6 at gmail.com
Wed Mar 27 05:26:08 PDT 2019


Mark,

You're absolutely correct and I apologize for my behavior
It's been a stressful several weeks
I was out of line and I apologize

In the future, if the need arises, I will seek to hire you for your
expertise
Sorry again

Scott


On Wed, Mar 27, 2019 at 6:32 AM Fairlight via Filepro-list <
filepro-list at lists.celestial.com> wrote:

> On Tue, Mar 26, 2019 at 09:25:42PM -0400, scooter6 at gmail.com thus spoke:
> >    Well I'm glad I could piss you off
>
> -Wrong answer-, especially from someone who saw fit to bother me -in
> private-, off-list, TEN times with their problems, without offering to
> compensate me:
>
>        81   + Mar 24 scooter6 at gmail. ( 6.9K) └─&─>
>        82   + Mar 24 scooter6 at gmail. ( 7.6K)     └─>
>        83 r + Mar 24 scooter6 at gmail. ( 9.0K)       └─>
>        85 r + Mar 25 scooter6 at gmail. (  16K)         ├─&─>
>        87 r + Mar 25 scooter6 at gmail. (  34K)         │   └─&─>
>        89 r + Mar 25 scooter6 at gmail. (  70K)         │       └─&─>
>        91   + Mar 25 scooter6 at gmail. ( 137K)         │           └─&─>
>        92 r + Mar 25 scooter6 at gmail. ( 140K)         │               └─>
>        94   + Mar 25 scooter6 at gmail. ( 255K)         │                 └─&─>
>        95   + Mar 24 scooter6 at gmail. ( 9.9K)         └─>
>
> ...until I mentioned that anything further would need to be paid
> work because you were taking time away from other clients.  Then you
> mysteriously went radio silent after saying, "I understand.  I'll reach out
> if it comes to that."  Until dragging Yet Another *nix 101 question back to
> a non-*nix community, with an issue wholly unrelated to filePro.
>
> Learning all the wrong lessons, and unable to take a hint, I see.
>
> For my part, you're done.  Being a jerk and just using me for a couple
> days, giving an up-to-the-second ongoing tally of your repeated failures
> in systems administration in private for which I never asked and without
> compensation, and seeking further help under the same terms was one thing.
> I stopped that in its tracks by mere -mention- of the word 'money', which
> speaks volumes.
>
> Being a -complete- dick and saying you're -glad- you could piss me off?
> Really?  Let's just say you'll -better- have a checkbook in hand if you
> ever contact -me- off-list again for -any- reason, quite possibly including
> previously complimentary product support for my software, the way you just
> tried pulling that guilt trip (which utterly and spectacularly failed, by
> the way), and attempting to make me look like the bad guy when you're the
> one who's been taking advantage, both publicly and privately.
>
> It's one thing to persist in what you were doing with OT stuff before.
> It's quite another to unsolicitedly take it private, persist without
> offering remuneration (professionally rude, not to put too fine a point on
> it), take it to the point you have to be shut down so I can get a moment's
> peace and do my actual paying work for paying clients, and then bring it
> -back- to the list because you just trashed your goodwill with the person
> you were privately using behind-the-scenes -- with yet -another- wholly
> non-filePro problem, no less.
>
> Yeah, I'm going to call you on it.  Damned straight, Skippy.  And not that
> I actually -need- someone to back me on it, but someone just wrote me
> privately saying they feel I'm actually in the right -before- seeing this
> current response, and they didn't even know about the private thread you
> kept going.  Well, they do now. :) (At this point, the intelligent person
> would figure out they've stepped in it, and just quietly stand down.
> We'll see how bright you are.)
>
> As Paul Harvey used to say, now people know the -rest- of the story.
>
> Nice try, but perhaps you should rethink your behaviour before taking a pot
> shot guilt trip at me or the community.  You don't exactly have the high
> moral ground from which to debate the issue.  You want to go on about
> 'community', try treating it as such, rather than as unpaid labour.
>
> Have fun, and good luck with that C7 box!
>
> "Shutdown complete."
>
> mark->
>
>
> >    Next time I won't start my post with OT unless it involves a joke
> >    thanks for your time and input
> >    As I said, I mimicked my setup that worked for me on 5.10 but for some
> >    reason complains with the exact same setup on centos 7
> >    I know sftp works out of the box on centos 7 - but these users should
> >    be jailed and not able to navigate around other than to their
> >    'attachments' directory- they drop off files and that's it....
> >    I'll look at my configuration again and see if everything is in order
> >    moving forward I'll make sure I have my checkbook in hand when asking
> >    for any assistance from this 'community'
> >
> >    On Tue, Mar 26, 2019 at 9:11 PM Fairlight via Filepro-list
> >    <[1]filepro-list at lists.celestial.com> wrote:
> >
> >      This is way outside the scope of filePro.  For that matter, so was
> >      the mail stuff last week.
> >
> >      At this point, you've come to the filePro list for a good percentage
> >      of what should be Linux 101 and done within the scope of a CentOS
> >      community, asking us to help set up your new box.  While it's been a
> >      form of cheap amusement to watch you go on this journey, that benefit
> >      has outstayed its welcome, at least for me.  In fact, it's annoying
> >      the hell out of me, because you should be either researching your
> >      problems, or paying someone to do it.  As someone who does systems
> >      administration for a living, I can say I'm quite irked on principle
> >      to see you repeatedly trying to get something for nothing in terms of
> >      systems administration.  It's like going to a professional car
> >      mechanics' retreat without being a professional mechanic yourself,
> >      and trying to get your car fixed for free.  Insulting doesn't quite
> >      do it justice.
> >
> >      At the -very- least, you should be leaning on a community actually
> >      focused on the platform at hand.
> >
> >      Respectfully, I would suggest you either hire someone who can get it
> >      done, or find a community better suited to handling the *nix-specific
> >      issues you keep running into which are wholly unrelated to filePro
> >      itself.  You may use filePro, but these aren't even filePro
> >      integration problems/issues/questions, at this point.  These are *nix
> >      subsystem and functionality issues, full stop.
> >
> >      What you've been doing is the equivalent of someone coming in here
> >      and asking how to configure IIS on Windows.  It makes about as much
> >      sense, and it's really not the venue.
> >
> >      If this is for a hobby, figure it out.  If this is for business, it
> >      should be paid work for someone, past a certain point.  You've really
> >      been pushing it lately.
> >
> >      And for the record, stock sftp on CentOS 7 works just fine.  I've got
> >      it working on many boxes, and there are no issues as long as
> >      permissions and groups are correct.
> >
> >      /home/ should be root:root 0755.
> >      /home/frontier/ should be root:root 0755.
> >
> >      Under there, you should have subdirectories for file storage and
> >      retrieval.
> >      Assume a common idiom of inbound and outbound:
> >
> >      /home/frontier/inbound/ frontier:users 0755
> >      /home/frontier/outbound/ frontier:users 0755
> >
> >      You need those subdirectories, because frontier will not be able to
> >      write directly to a directory owned by root with 0755, which is
> >      mandatory.
> >
> >      You do -not- actually need the sftponly group on the subdirectories.
> >      That group serves only as a trigger for sftp jailing.
> >
> >      The user -must- have sftponly as their primary group.
> >
> >      This is the sshd_config section which works for me:
> >
> >      Match group sftponly
> >              X11Forwarding no
> >              AllowTcpForwarding no
> >              ForceCommand internal-sftp
> >              ChrootDirectory %h
> >
> >      I wonder if you have /home/ set incorrectly.  Aside from
> >      ChrootDirectory expando differences, the rest of what you have looks
> >      correct.
> >
> >      I can, however, confirm that sftp works just fine on CentOS 7 with
> >      openssh-7.4p1-16.el7.x86_64.  I'm looking directly at a working one
> >      which has been verified and is in production.
> >
> >      mark->
> >
> >      On Tue, Mar 26, 2019 at 07:13:33PM -0400, scooter6--- via Filepro-list thus spoke:
> >      > Is anyone aware of anything changing as to how to chroot sftp users on
> >      > centos 7?
> >      > I have everything setup identically on new server and keep getting
> >      > fatal: bad ownership or modes for chroot directory component "/" [postauth]
> >      >
> >      > Every thing I know root has to own the directory in full path up until
> >      > chroot directory
> >      >
> >      > The only way I can even get a sftpuser to connect is if I make them the
> >      > owner of the /home directory
> >      >
> >      > Old server:   this is in  /home
> >      >
> >      > drwxr-xr-x  3 root    root    4096 Oct 16 11:15 frontier
> >      >
> >      > Then, if you go to /home/frontier:
> >      >
> >      > drwxr-xr-x 3 frontier sftponly 4096 Mar 19 15:45 attachments
> >      >
> >      > sshd_config:
> >      >
> >      > Match Group sftponly
> >      >         ChrootDirectory /home/%u
> >      >         ForceCommand internal-sftp
> >      >         X11Forwarding no
> >      >         AllowTcpForwarding no
> >      >
> >      > New server:   this is in /home
> >      >
> >      > drwxr-xr-x   4 root    root      38 Mar 26 18:17 frontier
> >      >
> >      > Then, if you go to /home/frontier:
> >      >
> >      > drwxr-xr-x 2 frontier sftponly 6 Mar 26 19:05 attachments
> >      >
> >      > sshd_config has:
> >      >
> >      > Match Group sftponly
> >      >         ChrootDirectory /home/%u
> >      >         ForceCommand internal-sftp
> >      >         X11Forwarding no
> >      >         AllowTcpForwarding no
> >      >
> >      > Only thing different on servers are the UID/GIDs
> >      >
> >      > Old server for frontier:
> >      >
> >      > id frontier
> >      >
> >      > uid=1014(frontier) gid=502(sftponly) groups=502(sftponly)
> >      >
> >      > New server:
> >      >
> >      > id frontier
> >      >
> >      > uid=2043(frontier) gid=1503(sftponly) groups=1503(sftponly)
> >      >
> >      > Old server, /etc/passwd
> >      >   frontier:x:1014:502::/attachments:/bin/false
> >      >
> >      > New server, /etc/passwd
> >      >   frontier:x:2043:1503::/attachments:/bin/false
> >      >
> >      > I even tried creating a new group, new user, etc - it's typically
> >      > straight forward, but I can't get any combination to work that others
> >      > swear works for them.  This isn't normally difficult but I've been
> >      > working on this for 4 hours and can't get the right combination to
> >      > seem to work
> >      >
> >      > Has anyone successfully gotten this to work on centos 7?
> >      >
> >      > thanks
> >      > -------------- next part --------------
> >      > An HTML attachment was scrubbed...
> >      > URL: <[2]http://mailman.celestial.com/pipermail/filepro-list/attachments/20190326/6ae6eec6/attachment.html>
> >      > _______________________________________________
> >      > Filepro-list mailing list
> >      > [3]Filepro-list at lists.celestial.com
> >      > Subscribe/Unsubscribe/Subscription Changes
> >      > [4]http://mailman.celestial.com/mailman/listinfo/filepro-list
> >      >
> >      --
> >      Audio panton, cogito singularis.
> >
> > References
> >
> >    1. mailto:filepro-list at lists.celestial.com
> >    2. http://mailman.celestial.com/pipermail/filepro-list/attachments/20190326/6ae6eec6/attachment.html
> >    3. mailto:Filepro-list at lists.celestial.com
> >    4. http://mailman.celestial.com/mailman/listinfo/filepro-list
> >    5. mailto:Filepro-list at lists.celestial.com
> >    6. http://mailman.celestial.com/mailman/listinfo/filepro-list
>
> --
> Fairlight Consulting
> http://www.fairlite.com
> fairlite at fairlite.com
> (502) 509-3840
>
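
Added example, not part of the thread or written by either poster: sshd_config(5) states that at session startup sshd checks that every component of the ChrootDirectory pathname is a root-owned directory not writable by any other user or group, and the fatal message quoted in the thread names the component that failed that check (there, "/"). The script below applies the same test to each component from "/" downward and stops at the first one that fails; it assumes GNU `stat` as shipped on CentOS 7, and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: per-component ownership/mode check for a ChrootDirectory path.
# Assumes GNU coreutils stat (-c); function names are this example's own.

# A component passes only if owned by uid 0 and not group- or other-writable.
component_ok() {    # $1 = owner uid, $2 = octal mode such as 755
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Print "/" and then each successively longer prefix of an absolute path.
path_components() {
    pc_rest=$1 pc_out=
    while [ "$pc_rest" != "/" ]; do
        pc_out="$pc_rest
$pc_out"
        pc_rest=$(dirname "$pc_rest")
    done
    printf '/\n%s' "$pc_out"
}

# Walk the path top-down; report and stop at the first failing component.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 2 ;;
    esac
    while IFS= read -r comp; do
        if [ ! -d "$comp" ]; then
            echo "BAD  $comp (not a directory)"; return 1
        fi
        # -L: judge the target of a symlink, not the link itself
        st=$(stat -L -c '%u %a' "$comp")
        uid=${st% *} mode=${st#* }
        if component_ok "$uid" "$mode"; then
            echo "ok   $comp (uid=$uid mode=$mode)"
        else
            echo "BAD  $comp (uid=$uid mode=$mode): needs uid 0, no group/other write"
            return 1
        fi
    done <<EOF
$(path_components "$1")
EOF
}

# Run only when a path is given, e.g.: sh check_chroot.sh /home/frontier
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```
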