OT: chroot sftp centos 7

Fairlight fairlite at fairlite.com
Wed Mar 27 06:40:43 PDT 2019


Apology accepted.  Thanks.

I know how stress gets.  Feel better!

mark->


On Wed, Mar 27, 2019 at 08:26:08AM -0400, scooter6 at gmail.com thus spoke:
>    Mark,
>    You're absolutely correct and I apologize for my behavior
>    It's been a stressful several weeks
>    I was out of line and I apologize
>    In the future, if the need arises, I will seek to hire you for your
>    expertise
>    Sorry again
>    Scott
> 
>    On Wed, Mar 27, 2019 at 6:32 AM Fairlight via Filepro-list
>    <[1]filepro-list at lists.celestial.com> wrote:
> 
>      On Tue, Mar 26, 2019 at 09:25:42PM -0400, [2]scooter6 at gmail.com thus
>      spoke:
>      >    Well I'm glad I could piss you off
>      -Wrong answer-, especially from someone who saw fit to bother me -in
>      private-, off-list, TEN times with their problems, without offering
>      to
>      compensate me:
>             81   + Mar 24 scooter6 at gmail. ( 6.9K)
>             82   + Mar 24 scooter6 at gmail. ( 7.6K)
>             83 r + Mar 24 scooter6 at gmail. ( 9.0K)
>             85 r + Mar 25 scooter6 at gmail. (  16K)
>             87 r + Mar 25 scooter6 at gmail. (  34K)
>             89 r + Mar 25 scooter6 at gmail. (  70K)
>             91   + Mar 25 scooter6 at gmail. ( 137K)
>             92 r + Mar 25 scooter6 at gmail. ( 140K)
>             94   + Mar 25 scooter6 at gmail. ( 255K)
>             95   + Mar 24 scooter6 at gmail. ( 9.9K)
>      ...until I mentioned that anything further would need to be paid
>      work because you were taking time away from other clients.  Then
>      you
>      mysteriously went radio silent after saying, "I understand.  I'll
>      reach out
>      if it comes to that."  Until dragging Yet Another *nix 101 question
>      back to
>      a non-*nix community, with an issue wholly unrelated to filePro.
>      Learning all the wrong lessons, and unable to take a hint, I see.
>      For my part, you're done.  Being a jerk and just using me for a
>      couple
>      days, giving an up-to-the-second ongoing tally of your repeated
>      failures
>      in systems administration in private for which I never asked and
>      without
>      compensation, and seeking further help under the same terms was one
>      thing.
>      I stopped that in its tracks by mere -mention- of the word 'money',
>      which
>      speaks volumes.
>      Being a -complete- dick and saying you're -glad- you could piss me
>      off?
>      Really?  Let's just say you'll -better- have a checkbook in hand if
>      you
>      ever contact -me- off-list again for -any- reason, quite possibly
>      including
>      previously complimentary product support for my software, the way
>      you just
>      tried pulling that guilt trip (which utterly and spectacularly
>      failed, by
>      the way), and attempting to make me look like the bad guy when
>      you're the
>      one who's been taking advantage, both publicly and privately.
>      It's one thing to persist in what you were doing with OT stuff
>      before.
>      It's quite another to unsolicitedly take it private, persist without
>      offering remuneration (professionally rude, not to put too fine a
>      point on
>      it), take it to the point you have to be shut down so I can get a
>      moment's
>      peace and do my actual paying work for paying clients, and then
>      bring it
>      -back- to the list because you just trashed your goodwill with the
>      person
>      you were privately using behind-the-scenes -- with yet -another-
>      wholly
>      non-filePro problem, no less.
>      Yeah, I'm going to call you on it.  Damned straight, Skippy.  And
>      not that
>      I actually -need- someone to back me on it, but someone just wrote
>      me
>      privately saying they feel I'm actually in the right -before- seeing
>      this
>      current response, and they didn't even know about the private thread
>      you
>      kept going.  Well, they do now. :) (At this point, the intelligent
>      person
>      would figure out they've stepped in it, and just quietly stand
>      down.
>      We'll see how bright you are.)
>      As Paul Harvey used to say, now people know the -rest- of the story.
>      Nice try, but perhaps you should rethink your behaviour before
>      taking a pot
>      shot guilt trip at me or the community.  You don't exactly have the
>      high
>      moral ground from which to debate the issue.  You want to go on
>      about
>      'community', try treating it as such, rather than as unpaid labour.
>      Have fun, and good luck with that C7 box!
>      "Shutdown complete."
>      mark->
>      >    Next time I won't start my post with OT unless it involves a joke
>      >    thanks for your time and input
>      >    As I said, I mimicked my setup that worked for me on 5.10 but for some
>      >    reason complains with the exact same setup on centos 7
>      >    I know sftp works out of the box on centos 7 - but these users should
>      >    be jailed and not able to navigate around other than to their
>      >    'attachments' directory- they drop off files and that's it....
>      >    I'll look at my configuration again and see if everything is in order
>      >    moving forward I'll make sure I have my checkbook in hand when asking
>      >    for any assistance from this 'community'
>      >
>      >    On Tue, Mar 26, 2019 at 9:11 PM Fairlight via Filepro-list
>      >    <[1][3]filepro-list at lists.celestial.com> wrote:
>      >
>      >      This is way outside the scope of filePro.  For that matter, so was
>      >      the mail stuff last week.
>      >      At this point, you've come to the filePro list for a good percentage
>      >      of what should be Linux 101 and done within the scope of a CentOS
>      >      community, asking us to help set up your new box.  While it's been a
>      >      form of cheap amusement to watch you go on this journey, that benefit
>      >      has outstayed its welcome, at least for me.  In fact, it's annoying
>      >      the hell out of me, because you should be either researching your
>      >      problems, or paying someone to do it.  As someone who does systems
>      >      administration for a living, I can say I'm quite irked on principle
>      >      to see you repeatedly trying to get something for nothing in terms of
>      >      systems administration.  It's like going to a professional car
>      >      mechanics' retreat without being a professional mechanic yourself,
>      >      and trying to get your car fixed for free.  Insulting doesn't quite
>      >      do it justice.
>      >      At the -very- least, you should be leaning on a community actually
>      >      focused on the platform at hand.
>      >      Respectfully, I would suggest you either hire someone who can get it
>      >      done, or find a community better suited to handling the *nix-specific
>      >      issues you keep running into which are wholly unrelated to filePro
>      >      itself.  You may use filePro, but these aren't even filePro
>      >      integration problems/issues/questions, at this point.  These are *nix
>      >      subsystem and functionality issues, full stop.
>      >      What you've been doing is the equivalent of someone coming in here
>      >      and asking how to configure IIS on Windows.  It makes about as much
>      >      sense, and it's really not the venue.
>      >      If this is for a hobby, figure it out.  If this is for business, it
>      >      should be paid work for someone, past a certain point.  You've really
>      >      been pushing it lately.
>      >      And for the record, stock sftp on CentOS 7 works just fine.  I've got
>      >      it working on many boxes, and there are no issues as long as
>      >      permissions and groups are correct.
>      >      /home/ should be root:root 0755.
>      >      /home/frontier/ should be root:root 0755.
>      >      Under there, you should have subdirectories for file storage and
>      >      retrieval.
>      >      Assume a common idiom of inbound and outbound:
>      >      /home/frontier/inbound/ frontier:users 0755
>      >      /home/frontier/outbound/ frontier:users 0755
>      >      You need those subdirectories, because frontier will not be able to
>      >      write directly to a directory owned by root with 0755, which is
>      >      mandatory.
>      >      You do -not- actually need the sftponly group on the subdirectories.
>      >      That group serves only as a trigger for sftp jailing.
>      >      The user -must- have sftponly as their primary group.
>      >      This is the sshd_config section which works for me:
>      >      Match group sftponly
>      >              X11Forwarding no
>      >              AllowTcpForwarding no
>      >              ForceCommand internal-sftp
>      >              ChrootDirectory %h
>      >      I wonder if you have /home/ set incorrectly.  Aside from
>      >      ChrootDirectory expando differences, the rest of what you have looks
>      >      correct.
>      >      I can, however, confirm that sftp works just fine on CentOS 7 with
>      >      openssh-7.4p1-16.el7.x86_64.  I'm looking directly at a working one
>      >      which has been verified and is in production.
>      >      mark->
>      >      On Tue, Mar 26, 2019 at 07:13:33PM -0400, scooter6--- via
>      >      Filepro-list thus spoke:
>      >      > Is anyone aware of anything changing as to how to chroot sftp users
>      >      > on centos 7?
>      >      > I have everything setup identically on new server and keep getting
>      >      > fatal: bad ownership or modes for chroot directory component "/" [postauth]
>      >      >
>      >      > Every thing I know root has to own the directory in full path up
>      >      > until chroot directory
>      >      >
>      >      > The only way I can even get a sftpuser to connect is if I make them
>      >      > the owner of the /home directory
>      >      >
>      >      > Old server:  this is in /home
>      >      >
>      >      > drwxr-xr-x  3 root    root    4096 Oct 16 11:15 frontier
>      >      >
>      >      > Then, if you go to /home/frontier:
>      >      >
>      >      > drwxr-xr-x 3 frontier sftponly 4096 Mar 19 15:45 attachments
>      >      >
>      >      > sshd_config:
>      >      >
>      >      > Match Group sftponly
>      >      >         ChrootDirectory /home/%u
>      >      >         ForceCommand internal-sftp
>      >      >         X11Forwarding no
>      >      >         AllowTcpForwarding no
>      >      >
>      >      > New server:  this is in /home
>      >      >
>      >      > drwxr-xr-x   4 root    root      38 Mar 26 18:17 frontier
>      >      >
>      >      > Then, if you go to /home/frontier:
>      >      >
>      >      > drwxr-xr-x 2 frontier sftponly 6 Mar 26 19:05 attachments
>      >      >
>      >      > sshd_config has:
>      >      >
>      >      > Match Group sftponly
>      >      >         ChrootDirectory /home/%u
>      >      >         ForceCommand internal-sftp
>      >      >         X11Forwarding no
>      >      >         AllowTcpForwarding no
>      >      >
>      >      > Only thing different on servers are the UID/GIDs
>      >      >
>      >      > Old server for frontier:
>      >      >
>      >      > id frontier
>      >      >
>      >      > uid=1014(frontier) gid=502(sftponly) groups=502(sftponly)
>      >      >
>      >      > New server:
>      >      >
>      >      > id frontier
>      >      >
>      >      > uid=2043(frontier) gid=1503(sftponly) groups=1503(sftponly)
>      >      >
>      >      > Old server, /etc/passwd
>      >      >   frontier:x:1014:502::/attachments:/bin/false
>      >      >
>      >      > New server, /etc/passwd
>      >      >   frontier:x:2043:1503::/attachments:/bin/false
>      >      >
>      >      > I even tried creating a new group, new user, etc - it's typically
>      >      > straight forward, but I can't get any combination to work that
>      >      > others swear works for them.  This isn't normally difficult but I've
>      >      > been working on this for 4 hours and can't get the right combination
>      >      > to seem to work
>      >      >
>      >      > Has anyone successfully gotten this to work on centos 7?
>      >      >
>      >      > thanks
>      >      > -------------- next part --------------
>      >      > An HTML attachment was scrubbed...
>      >      > URL: <[2][4]http://mailman.celestial.com/pipermail/filepro-list/attachments/20190326/6ae6eec6/attachment.html>
>      >      > _______________________________________________
>      >      > Filepro-list mailing list
>      >      > [3][5]Filepro-list at lists.celestial.com
>      >      > Subscribe/Unsubscribe/Subscription Changes
>      >      > [4][6]http://mailman.celestial.com/mailman/listinfo/filepro-list
>      >      >
>      >      --
>      >      Audio panton, cogito singularis.
>      >
>      > References
>      >
>      >    1. mailto:[9]filepro-list at lists.celestial.com
>      >    2. [10]http://mailman.celestial.com/pipermail/filepro-list/attachments/20190326/6ae6eec6/attachment.html
>      >    3. mailto:[11]Filepro-list at lists.celestial.com
>      >    4. [12]http://mailman.celestial.com/mailman/listinfo/filepro-list
>      >    5. mailto:[13]Filepro-list at lists.celestial.com
>      >    6. [14]http://mailman.celestial.com/mailman/listinfo/filepro-list
>      --
>      Fairlight Consulting
>      [15]http://www.fairlite.com
>      [16]fairlite at fairlite.com
>      (502) 509-3840
> 
> References
> 
>    1. mailto:filepro-list at lists.celestial.com
>    2. mailto:scooter6 at gmail.com
>    3. mailto:filepro-list at lists.celestial.com
>    4. http://mailman.celestial.com/pipermail/filepro-list/attachments/
>    5. mailto:Filepro-list at lists.celestial.com
>    6. http://mailman.celestial.com/mailman/listinfo/filepro-list
>    7. mailto:Filepro-list at lists.celestial.com
>    8. http://mailman.celestial.com/mailman/listinfo/filepro-list
>    9. mailto:filepro-list at lists.celestial.com
>   10. http://mailman.celestial.com/pipermail/filepro-list/attachments/20190326/6ae6eec6/attachment.html
>   11. mailto:Filepro-list at lists.celestial.com
>   12. http://mailman.celestial.com/mailman/listinfo/filepro-list
>   13. mailto:Filepro-list at lists.celestial.com
>   14. http://mailman.celestial.com/mailman/listinfo/filepro-list
>   15. http://www.fairlite.com/
>   16. mailto:fairlite at fairlite.com
>   17. mailto:Filepro-list at lists.celestial.com
>   18. http://mailman.celestial.com/mailman/listinfo/filepro-list

-- 
Audio panton, cogito singularis.
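
The sshd error quoted in the thread ("bad ownership or modes for chroot directory component") comes from a check that every directory from "/" down to the ChrootDirectory is owned by uid 0 and is not group- or other-writable. The script below is an added example, not part of the original messages, that replays that check so the first offending component can be found before touching sshd. The function names are hypothetical, the sample listing is constructed, and GNU stat (as on CentOS) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): replay sshd's ChrootDirectory path check.

# path_prefixes PATH: print "/" and each directory prefix down to absolute PATH.
path_prefixes() {
    rest=${1#/}
    acc=
    printf '%s\n' /
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue      # skip empty parts from "//" or a trailing "/"
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
}

# stat_components PATH: "uid octal-mode path" for every prefix (assumes GNU stat).
stat_components() {
    path_prefixes "$1" | while IFS= read -r dir; do
        stat -c '%u %a %n' "$dir"
    done
}

# audit_components: read "uid mode path" lines on stdin and stop at the first
# component sshd would refuse: not owned by uid 0, or group/other-writable.
audit_components() {
    while read -r uid mode path; do
        if [ "$uid" -ne 0 ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'bad ownership or modes: "%s" (uid=%s mode=%s)\n' \
                "$path" "$uid" "$mode"
            return 1
        fi
    done
    return 0
}

# Constructed sample: the layout from the thread, but with "/" group-writable.
sample_bad_root() {
    printf '%s\n' '0 775 /' '0 755 /home' '0 755 /home/frontier'
}

# On a live host (ChrootDirectory /home/%u, user frontier):
#   stat_components /home/frontier | audit_components
```

The writable upload directory (attachments, inbound, outbound) sits below the chroot and is deliberately not part of the audited path.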


More information about the Filepro-list mailing list