www.TipsNtrapS.com

Thursday, June 23, 2016

Restrict SFTP to Home Folder

I had created a chrooted sftp account on centos 6 , but faced an issue that the user's were not able put/delete as the sftp requires root:root ownership of chrooted directory. I fixed it by changing the chrooted direcotry to one step above of user's home and set user's home set to /. Below are the exact steps.

Prerequisites: openssh version >5.2

Notes :

chroot home directory is: /mnt/home
User home directory is 'junedm' relative to chroot home, i.e. /mnt/home
The chrooting is done based on Group , can be done basis on User ( see footer notes )
The chrooting group is sftponly , and all user's should have that as group ( secondary group will also work)

Steps :

A] Add user , create chroot directory structure and fix permissions

Create the chroot directory and make sure the permissions of each directory from / till chroot is 755 and owned by root:root

[root@ggvaapp07 ~]# mkdir -p /mnt/home
[root@tiber~]# ls -ld /mnt ; ls -ld /mnt/home
drwxr-xr-x. 3 root root 4096 Jun 23 03:31 /mnt
drwxr-xr-x 2 root root 4096 Jun 23 03:31 /mnt/home

Add sftponly group.

[root@tiber ~]# groupadd sftponly

Add user , with secondary group as sftponly

[root@tiber /]# useradd junedm -G sftponly
[root@tiber /]# id junedm
uid=503(junedm) gid=505(junedm) groups=505(junedm),504(sftponly)

Change user’s home directory to /username ( this is very important otherwise you will not have put/delete permissions if you set that as /mnt/home/username) also set its shell to nologin so that he cannot ssh, only sftp

[root@tiber /]# usermod -d /junedm -s /sbin/nologin junedm
[root@tiber /]# cat /etc/passwd | grep juned
junedm:x:503:505::/junedm:/sbin/nologin

Add users chrooted home directory and set the ownership is user:chrootgroup , also change permission to be 775

[root@tiber home]# chmod 775 /mnt/home/junedm ; chown junedm:sftponly /mnt/home/junedm -R
[root@tiber home]# ls -ld /mnt/home/junedm
drwxrwxr-x 2 junedm sftponly 4096 Jun 23 03:44 /mnt/home/junedm

Create/change password for user

[root@ggvaapp07 /]# passwd junedm
Changing password for user junedm.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

B] Create sshd configuration for sftp setup.

Backup existing sshd_configuration

[root@tiber /]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

comment out the Subsystem line in the configuration line

[root@tiber /]# grep Subsystem /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server

Add following block at the bottom of sshd_configuration file

###Added By Juned for chrooted sftp setup ##############

Subsystem sftp internal-sftp

Match Group sftponly

ChrootDirectory /mnt/home

ForceCommand internal-sftp -l VERBOSE

GSSAPIAuthentication no

PasswordAuthentication yes

PubkeyAuthentication yes

AllowAgentForwarding no

AllowTcpForwarding no

X11Forwarding no

#END

########################################################

Restart sshd

[root@tiber /]# /etc/init.d/sshd restart

Stopping sshd: [ OK ]

Starting sshd: [ OK ]

[root@tiber /]#

check log's ( in case if you want to find whats happening )

[root@tiber /]# tail -f /var/log/secure

Now connect from different machine using sftp and do get/put/delete operations,

[prod@james tmp]$ sftp junedm@tiber

Connecting to tiber...

junedm@tiber's password:

sftp> put test.txt

Uploading test.txt to /junedm/test.txt

test.txt 100% 0 0.0KB/s 00:00

sftp> ls -l

-rw-r--r-- 1 503 505 0 Jun 23 10:57 test.txt

sftp> rm test.txt

Removing /junedm/test.txt

sftp> cd /

sftp> ls -l

drwxrwxr-x 2 503 504 4096 Jun 23 10:57 junedm

Confirm ssh is not working

[prod@ggvaapp03 tmp]$ ssh junedm@tiber

junedm@tiber's password:

This service allows sftp connections only.

Connection to tiber closed.

Tuesday, November 17, 2015

How to remove the deleted files without rebooting the server.

How to remove the deleted files without rebooting the server.

Staled files are truncated using following way.

# Find which deleted files are hold the disk # Here we have found /var/lib/mysql/tiber-slow.log file is already deleted but process file descripter hold the 53GB of disk space.

[root@tiber ~]# /usr/sbin/lsof +L1| grep deleted
httpd 1215 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
mysqld_sa 5126 root 0u CHR 136,8 0 10 /dev/pts/8 (deleted)
mysqld_sa 5126 root 1u CHR 136,8 0 10 /dev/pts/8 (deleted)
mysqld_sa 5126 root 2u CHR 136,8 0 10 /dev/pts/8 (deleted)
mysqld 5463 mysql 5u REG 253,0 0 0 3375113 /tmp/ibmUkzSE (deleted)
mysqld 5463 mysql 6u REG 253,0 0 0 3375114 /tmp/ibO0Vrz1 (deleted)
mysqld 5463 mysql 7u REG 253,0 0 0 3375115 /tmp/ibsBhlgo (deleted)
mysqld 5463 mysql 8u REG 253,0 0 0 3375117 /tmp/ibdc6pyL (deleted)
mysqld 5463 mysql 11w REG 253,0 56948585548 0 7569934 /var/lib/mysql/tiber-slow.log (deleted)
mysqld 5463 mysql 12u REG 253,0 0 0 3375118 /tmp/ibbgJXs9 (deleted)
httpd 5675 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
httpd 5678 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
httpd 10448 root 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
httpd 11372 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
httpd 15774 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
httpd 15992 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
httpd 17758 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
httpd 18725 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
httpd 19277 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)
bash 24852 junedm 0u CHR 136,11 0 13 /dev/pts/11 (deleted)
bash 24852 junedm 1u CHR 136,11 0 13 /dev/pts/11 (deleted)
bash 24852 junedm 2u CHR 136,11 0 13 /dev/pts/11 (deleted)
bash 24852 junedm 255u CHR 136,11 0 13 /dev/pts/11 (deleted)
ntpd 28185 ntp 3w REG 253,0 235 0 10223627 /var/cfengine/outputs/cf_tiber_glam_com__1317021178_Mon_Sep_26_00_12_58_2011_ab92cca0 (deleted)
httpd 29537 junedm 35w REG 253,0 0 0 3375109 /tmp/rewrite.log (deleted)

# find the the process fd which are not linked

[root@tiber ~]# find -L /proc/5463/fd -type f -links 0 | xargs ls -l
l-wx------ 1 root root 64 Aug 3 19:55 /proc/5463/fd/11 -> /var/lib/mysql/tiber-slow.log (deleted)
lrwx------ 1 root root 64 Aug 3 19:55 /proc/5463/fd/12 -> /tmp/ibbgJXs9 (deleted)
lrwx------ 1 root root 64 Aug 3 19:55 /proc/5463/fd/5 -> /tmp/ibmUkzSE (deleted)
lrwx------ 1 root root 64 Aug 3 19:55 /proc/5463/fd/6 -> /tmp/ibO0Vrz1 (deleted)
lrwx------ 1 root root 64 Aug 3 19:55 /proc/5463/fd/7 -> /tmp/ibsBhlgo (deleted)
lrwx------ 1 root root 64 Aug 3 19:55 /proc/5463/fd/8 -> /tmp/ibdc6pyL (deleted)

#To truncate the process fd of '/var/lib/mysql/tiber-slow.log', have ran the following command.

[root@tiber ~]# perl -e 'truncate("/proc/5463/fd/11", 0);'

#where '5463 is mysql process id and 11 is the fd for /var/lib/mysql/tiber-slow.log'

After complete the truncate, open file listed zero size of deleted files.
[root@tiber ~]# lsof | grep -i deleted
httpd 1215 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
mysqld_sa 5126 root 0u CHR 136,8 10 /dev/pts/8 (deleted)
mysqld_sa 5126 root 1u CHR 136,8 10 /dev/pts/8 (deleted)
mysqld_sa 5126 root 2u CHR 136,8 10 /dev/pts/8 (deleted)
mysqld 5463 mysql 5u REG 253,0 0 3375113 /tmp/ibmUkzSE (deleted)
mysqld 5463 mysql 6u REG 253,0 0 3375114 /tmp/ibO0Vrz1 (deleted)
mysqld 5463 mysql 7u REG 253,0 0 3375115 /tmp/ibsBhlgo (deleted)
mysqld 5463 mysql 8u REG 253,0 0 3375117 /tmp/ibdc6pyL (deleted)
mysqld 5463 mysql 11w REG 253,0 0 7569934 /var/lib/mysql/tiber-slow.log (deleted)
mysqld 5463 mysql 12u REG 253,0 0 3375118 /tmp/ibbgJXs9 (deleted)
httpd 5675 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
httpd 5678 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
httpd 10448 root 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
httpd 11372 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
httpd 15774 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
httpd 15992 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
httpd 17758 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
httpd 18725 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
httpd 19277 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)
bash 24852 junedm 0u CHR 136,11 13 /dev/pts/11 (deleted)
bash 24852 junedm 1u CHR 136,11 13 /dev/pts/11 (deleted)
bash 24852 junedm 2u CHR 136,11 13 /dev/pts/11 (deleted)
bash 24852 junedm 255u CHR 136,11 13 /dev/pts/11 (deleted)
ntpd 28185 ntp 3w REG 253,0 235 10223627 /var/cfengine/outputs/cf_tiber_glam_com__1317021178_Mon_Sep_26_00_12_58_2011_ab92cca0 (deleted)
httpd 29537 junedm 35w REG 253,0 0 3375109 /tmp/rewrite.log (deleted)

Tuesday, June 9, 2015

/usr/bin/ld: cannot find -luuid

make[2]: *** [checkgid] Error 1
/usr/bin/ld: cannot find -luuid

# yum provides */libuuid.so

libuuid-devel-2.17.2-12.18.el6.x86_64 : Universally unique ID library

Repo : Centos-base

Matched from:

Filename : /usr/lib64/libuuid.so

libuuid-devel-2.17.2-12.18.el6.i686 : Universally unique ID library

yum install libuuid-devel

Monday, June 8, 2015

Sysadmin's Notepad: Investigating frame errors in ifconfig output

Sysadmin's Notepad: Investigating frame errors in ifconfig output: Today I've been alerted about network issues on one of the Linux servers. Fortunately Geneos monitoring tools are analyzing ifconfig out...

Wednesday, May 27, 2015

Installing Mirantis OpenStack on Any Laptop w/ 8GB RAM In 5 Minutes or ...

Wednesday, March 4, 2015

Openstack Icehouse on Fedora 20 using RDO

Monday, March 2, 2015

Technodrone: Nova-Docker on Juno

Technodrone: Nova-Docker on Juno: Containers are hot. It is the latest buzzword. Unfortunately buzzwords are not always the right way to go, but I have been wanting to use co...

Pages