OT: chroot sftp centos 7
Fairlight
fairlite at fairlite.com
Wed Mar 27 06:40:43 PDT 2019
Apology accepted. Thanks.
I know how stress gets. Feel better!
mark->
On Wed, Mar 27, 2019 at 08:26:08AM -0400, scooter6 at gmail.com thus spoke:
> Mark,
> You're absolutely correct and I apologize for my behavior
> It's been a stressful several weeks
> I was out of line and I apologize
> In the future, if the need arises, I will seek to hire you for your
> expertise
> Sorry again
> Scott
>
> On Wed, Mar 27, 2019 at 6:32 AM Fairlight via Filepro-list
> <filepro-list at lists.celestial.com> wrote:
>
> On Tue, Mar 26, 2019 at 09:25:42PM -0400, scooter6 at gmail.com thus spoke:
> >  Well I'm glad I could piss you off
>
> -Wrong answer-, especially from someone who saw fit to bother me -in
> private-, off-list, TEN times with their problems, without offering to
> compensate me:
>
>     81   + Mar 24 scooter6 at gmail. ( 6.9K)
>     82   + Mar 24 scooter6 at gmail. ( 7.6K)
>     83 r + Mar 24 scooter6 at gmail. ( 9.0K)
>     85 r + Mar 25 scooter6 at gmail. (  16K)
>     87 r + Mar 25 scooter6 at gmail. (  34K)
>     89 r + Mar 25 scooter6 at gmail. (  70K)
>     91   + Mar 25 scooter6 at gmail. ( 137K)
>     92 r + Mar 25 scooter6 at gmail. ( 140K)
>     94   + Mar 25 scooter6 at gmail. ( 255K)
>     95   + Mar 24 scooter6 at gmail. ( 9.9K)
>
> ...until I mentioned that anything further would need to be paid work
> because you were taking time away from other clients. Then you
> mysteriously went radio silent after saying, "I understand. I'll reach
> out if it comes to that." Until dragging Yet Another *nix 101 question
> back to a non-*nix community, with an issue wholly unrelated to filePro.
>
> Learning all the wrong lessons, and unable to take a hint, I see.
>
> For my part, you're done. Being a jerk and just using me for a couple
> days, giving an up-to-the-second ongoing tally of your repeated failures
> in systems administration in private for which I never asked and without
> compensation, and seeking further help under the same terms was one
> thing. I stopped that in its tracks by mere -mention- of the word
> 'money', which speaks volumes.
>
> Being a -complete- dick and saying you're -glad- you could piss me off?
> Really? Let's just say you'll -better- have a checkbook in hand if you
> ever contact -me- off-list again for -any- reason, quite possibly
> including previously complimentary product support for my software, the
> way you just tried pulling that guilt trip (which utterly and
> spectacularly failed, by the way), and attempting to make me look like
> the bad guy when you're the one who's been taking advantage, both
> publicly and privately.
>
> It's one thing to persist in what you were doing with OT stuff before.
> It's quite another to unsolicitedly take it private, persist without
> offering remuneration (professionally rude, not to put too fine a point
> on it), take it to the point you have to be shut down so I can get a
> moment's peace and do my actual paying work for paying clients, and then
> bring it -back- to the list because you just trashed your goodwill with
> the person you were privately using behind-the-scenes -- with yet
> -another- wholly non-filePro problem, no less.
>
> Yeah, I'm going to call you on it. Damned straight, Skippy. And not
> that I actually -need- someone to back me on it, but someone just wrote
> me privately saying they feel I'm actually in the right -before- seeing
> this current response, and they didn't even know about the private
> thread you kept going. Well, they do now. :) (At this point, the
> intelligent person would figure out they've stepped in it, and just
> quietly stand down. We'll see how bright you are.)
>
> As Paul Harvey used to say, now people know the -rest- of the story.
>
> Nice try, but perhaps you should rethink your behaviour before taking a
> pot shot guilt trip at me or the community. You don't exactly have the
> high moral ground from which to debate the issue. You want to go on
> about 'community', try treating it as such, rather than as unpaid
> labour.
>
> Have fun, and good luck with that C7 box!
>
> "Shutdown complete."
>
> mark->
>
> >  Next time I won't start my post with OT unless it involves a joke
> >  thanks for your time and input
> >  As I said, I mimicked my setup that worked for me on 5.10 but for some
> >  reason complains with the exact same setup on centos 7
> >  I know sftp works out of the box on centos 7 - but these users should
> >  be jailed and not able to navigate around other than to their
> >  'attachments' directory- they drop off files and that's it....
> >  I'll look at my configuration again and see if everything is in order
> >  moving forward I'll make sure I have my checkbook in hand when asking
> >  for any assistance from this 'community'
> >
> >  On Tue, Mar 26, 2019 at 9:11 PM Fairlight via Filepro-list
> >  <filepro-list at lists.celestial.com> wrote:
> >
> >   This is way outside the scope of filePro. For that matter, so was the
> >   mail stuff last week.
> >
> >   At this point, you've come to the filePro list for a good percentage
> >   of what should be Linux 101 and done within the scope of a CentOS
> >   community, asking us to help set up your new box. While it's been a
> >   form of cheap amusement to watch you go on this journey, that benefit
> >   has outstayed its welcome, at least for me. In fact, it's annoying the
> >   hell out of me, because you should be either researching your
> >   problems, or paying someone to do it. As someone who does systems
> >   administration for a living, I can say I'm quite irked on principle to
> >   see you repeatedly trying to get something for nothing in terms of
> >   systems administration. It's like going to a professional car
> >   mechanics' retreat without being a professional mechanic yourself, and
> >   trying to get your car fixed for free. Insulting doesn't quite do it
> >   justice.
> >
> >   At the -very- least, you should be leaning on a community actually
> >   focused on the platform at hand.
> >
> >   Respectfully, I would suggest you either hire someone who can get it
> >   done, or find a community better suited to handling the *nix-specific
> >   issues you keep running into which are wholly unrelated to filePro
> >   itself. You may use filePro, but these aren't even filePro
> >   integration problems/issues/questions, at this point. These are *nix
> >   subsystem and functionality issues, full stop.
> >
> >   What you've been doing is the equivalent of someone coming in here
> >   and asking how to configure IIS on Windows. It makes about as much
> >   sense, and it's really not the venue.
> >
> >   If this is for a hobby, figure it out. If this is for business, it
> >   should be paid work for someone, past a certain point. You've really
> >   been pushing it lately.
> >
> >   And for the record, stock sftp on CentOS 7 works just fine. I've got
> >   it working on many boxes, and there are no issues as long as
> >   permissions and groups are correct.
> >
> >   /home/ should be root:root 0755.
> >   /home/frontier/ should be root:root 0755.
> >
> >   Under there, you should have subdirectories for file storage and
> >   retrieval. Assume a common idiom of inbound and outbound:
> >
> >   /home/frontier/inbound/ frontier:users 0755
> >   /home/frontier/outbound/ frontier:users 0755
> >
> >   You need those subdirectories, because frontier will not be able to
> >   write directly to a directory owned by root with 0755, which is
> >   mandatory.
> >
> >   You do -not- actually need the sftponly group on the subdirectories.
> >   That group serves only as a trigger for sftp jailing.
> >
> >   The user -must- have sftponly as their primary group.
> >
> >   This is the sshd_config section which works for me:
> >
> >   Match group sftponly
> >           X11Forwarding no
> >           AllowTcpForwarding no
> >           ForceCommand internal-sftp
> >           ChrootDirectory %h
> >
> >   I wonder if you have /home/ set incorrectly. Aside from
> >   ChrootDirectory expando differences, the rest of what you have looks
> >   correct.
> >
> >   I can, however, confirm that sftp works just fine on CentOS 7 with
> >   openssh-7.4p1-16.el7.x86_64. I'm looking directly at a working one
> >   which has been verified and is in production.
> >
> >   mark->
> >
> >   On Tue, Mar 26, 2019 at 07:13:33PM -0400, scooter6--- via
> >   Filepro-list thus spoke:
> >   > Is anyone aware of anything changing as to how to chroot sftp users
> >   > on centos 7?
> >   > I have everything setup identically on new server and keep getting
> >   > fatal: bad ownership or modes for chroot directory component "/" [postauth]
> >   >
> >   > Everything I know root has to own the directory in full path up
> >   > until chroot directory
> >   >
> >   > The only way I can even get a sftpuser to connect is if I make them
> >   > the owner of the /home directory
> >   >
> >   > Old server: this is in /home
> >   >
> >   > drwxr-xr-x  3 root  root  4096 Oct 16 11:15 frontier
> >   >
> >   > Then, if you go to /home/frontier:
> >   >
> >   > drwxr-xr-x 3 frontier sftponly 4096 Mar 19 15:45 attachments
> >   >
> >   > sshd_config:
> >   >
> >   > Match Group sftponly
> >   >         ChrootDirectory /home/%u
> >   >         ForceCommand internal-sftp
> >   >         X11Forwarding no
> >   >         AllowTcpForwarding no
> >   >
> >   > New server: this is in /home
> >   >
> >   > drwxr-xr-x  4 root  root    38 Mar 26 18:17 frontier
> >   >
> >   > Then, if you go to /home/frontier:
> >   >
> >   > drwxr-xr-x 2 frontier sftponly 6 Mar 26 19:05 attachments
> >   >
> >   > sshd_config has:
> >   >
> >   > Match Group sftponly
> >   >         ChrootDirectory /home/%u
> >   >         ForceCommand internal-sftp
> >   >         X11Forwarding no
> >   >         AllowTcpForwarding no
> >   >
> >   > Only thing different on servers are the UID/GIDs
> >   >
> >   > Old server for frontier:
> >   >
> >   > id frontier
> >   >
> >   > uid=1014(frontier) gid=502(sftponly) groups=502(sftponly)
> >   >
> >   > New server:
> >   >
> >   > id frontier
> >   >
> >   > uid=2043(frontier) gid=1503(sftponly) groups=1503(sftponly)
> >   >
> >   > Old server, /etc/passwd
> >   >   frontier:x:1014:502::/attachments:/bin/false
> >   >
> >   > New server, /etc/passwd
> >   >   frontier:x:2043:1503::/attachments:/bin/false
> >   >
> >   > I even tried creating a new group, new user, etc - it's typically
> >   > straightforward, but I can't get any combination to work that others
> >   > swear works for them. This isn't normally difficult but I've been
> >   > working on this for 4 hours and can't get the right combination to
> >   > seem to work
> >   >
> >   > Has anyone successfully gotten this to work on centos 7?
> >   >
> >   > thanks
> >   > _______________________________________________
> >   > Filepro-list mailing list
> >   > Filepro-list at lists.celestial.com
> >   > Subscribe/Unsubscribe/Subscription Changes
> >   > http://mailman.celestial.com/mailman/listinfo/filepro-list
> >   >
> >   --
> >   Audio panton, cogito singularis.
> --
> Fairlight Consulting
> http://www.fairlite.com
> fairlite at fairlite.com
> (502) 509-3840
--
Audio panton, cogito singularis.
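
Added example, not part of the thread and not code from either poster: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, which is the rule behind the "bad ownership or modes for chroot directory component" error quoted above. The sketch expands the %u/%h tokens and audits each component from "/" down; the SAMPLE table, including its group-writable "/", is constructed for illustration and is not taken from the poster's server.

```python
import os
import stat
from collections import namedtuple

def expand_chroot(template, user, home):
    """Expand the %u, %h and %% tokens of a ChrootDirectory value."""
    tokens = {"u": user, "h": home, "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            # Unknown tokens are left untouched rather than guessed at.
            out.append(tokens.get(template[i + 1], template[i:i + 2]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def audit_chroot(path, stat_fn=os.stat):
    """Return (component, problem) pairs for each component that breaks the rule."""
    parts = [p for p in path.split("/") if p]
    components = ["/"] + ["/" + "/".join(parts[:n]) for n in range(1, len(parts) + 1)]
    problems = []
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "owned by uid %d, not root" % st.st_uid))
        if mode & 0o022:  # group-write or other-write bit set
            problems.append((comp, "mode %04o is group/other writable" % mode))
    return problems

# Constructed sample metadata (not from the thread): "/" has a stray g+w bit.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
SAMPLE = {
    "/": FakeStat(stat.S_IFDIR | 0o775, 0),
    "/home": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/home/frontier": FakeStat(stat.S_IFDIR | 0o755, 0),
}

if __name__ == "__main__":
    target = expand_chroot("/home/%u", "frontier", "/attachments")
    for comp, why in audit_chroot(target, SAMPLE.__getitem__):
        print("%s: %s" % (comp, why))
```

On a live host, call audit_chroot(path) with the default os.stat to check the real filesystem.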