Thursday, June 23, 2016

Restrict SFTP to Home Folder

I had created a chrooted SFTP account on CentOS 6, but the user could not put or delete files: sshd requires the ChrootDirectory itself, and every directory above it, to be owned by root and writable by nobody else, so a root-owned chroot that is also the user's home leaves the user nowhere to write. I fixed it by moving the chroot one level above the user's home and setting the user's home to /<username>, which sshd resolves inside the chroot. Below are the exact steps.
Prerequisites: OpenSSH 4.9p1 or later (ChrootDirectory and internal-sftp; CentOS 6 ships 5.3, which is fine)
Notes :
  • The chroot directory is /mnt/home.
  • The user's home directory is junedm relative to the chroot, i.e. /mnt/home/junedm on the host but /junedm as the user sees it.
  • The chroot is applied per group here; it can also be applied per user with Match User (see footer notes).
  • The chroot group is sftponly, and every SFTP-only user must be a member of it (a secondary group works too).
Steps :  
A] Add the user, create the chroot directory structure and fix permissions
  1. Create the chroot directory. Every directory from / down to the chroot must be owned by root:root and must not be group- or world-writable (755 is the usual choice); sshd refuses to chroot otherwise and the login fails.
  • [root@ggvaapp07 ~]# mkdir -p /mnt/home
  • [root@tiber~]# ls -ld /mnt ; ls -ld /mnt/home
    drwxr-xr-x. 3 root root 4096 Jun 23 03:31 /mnt
    drwxr-xr-x 2 root root 4096 Jun 23 03:31 /mnt/home
  2. Add the sftponly group.
  • [root@tiber ~]# groupadd sftponly
  3. Add the user, with sftponly as a secondary group.
  • [root@tiber /]# useradd junedm -G sftponly
  • [root@tiber /]# id junedm
  • uid=503(junedm) gid=505(junedm) groups=505(junedm),504(sftponly)
  4. Change the user's home directory to /username. This matters: sshd resolves the home path inside the chroot, so /mnt/home/username would become /mnt/home/mnt/home/username, which does not exist; the session then starts in the chroot root, which is root-owned and read-only for the user, and put/delete fail. Also set the shell to /sbin/nologin so the account cannot get a shell through any other login path (the ForceCommand below is what stops ssh itself).
  • [root@tiber /]# usermod -d /junedm -s /sbin/nologin junedm
  • [root@tiber /]# cat /etc/passwd | grep juned
  • junedm:x:503:505::/junedm:/sbin/nologin
  5. Create the user's directory inside the chroot and make it user:sftponly. The post uses 775; remember that group-writable means any other sftponly member can write into it (they all share the same chroot and can traverse /mnt/home), so use 750 or 700 unless the directory is meant to be shared.
  • [root@tiber home]# mkdir -p /mnt/home/junedm ; chmod 775 /mnt/home/junedm ; chown -R junedm:sftponly /mnt/home/junedm
  • [root@tiber home]# ls -ld /mnt/home/junedm
  • drwxrwxr-x 2 junedm sftponly 4096 Jun 23 03:44 /mnt/home/junedm
  6. Create or change the user's password.
  • [root@ggvaapp07 /]# passwd junedm
  • Changing password for user junedm.
  • New password:
  • Retype new password:
  • passwd: all authentication tokens updated successfully.
B] Create the sshd configuration for the SFTP setup.
  1. Back up the existing sshd_config
[root@tiber /]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  2. Comment out the existing Subsystem line in the configuration
[root@tiber /]# grep Subsystem /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
  3. Add the following block at the bottom of sshd_config. It has to be last: every option after a Match line belongs to that Match block, so global settings placed below it would silently apply only to sftponly users.
###Added By Juned for chrooted sftp setup ##############
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory        /mnt/home
    ForceCommand           internal-sftp -l VERBOSE
    GSSAPIAuthentication   no
    PasswordAuthentication yes
    PubkeyAuthentication   yes
    AllowAgentForwarding   no
    AllowTcpForwarding     no
    X11Forwarding          no
#END
########################################################
  4. Restart sshd. Check the syntax first with sshd -t, and keep the current ssh session open until a fresh login works, so a bad config cannot lock you out.
[root@tiber /]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@tiber /]#
  5. Check the logs if you want to see what is happening. Authentication messages always reach /var/log/secure; the per-operation lines from internal-sftp -l VERBOSE are written from inside the chroot and need a syslog socket there (with rsyslog: $AddUnixListenSocket /mnt/home/dev/log), otherwise they are silently dropped.
[root@tiber /]# tail -f /var/log/secure
  6. Now connect from another machine with sftp and try put/ls/delete:
[prod@james tmp]$ sftp junedm@tiber
Connecting to tiber...
junedm@tiber's password:
sftp> put test.txt
Uploading test.txt to /junedm/test.txt
test.txt                                                                                                                             100%    0     0.0KB/s   00:00
sftp> ls -l
-rw-r--r--    1 503      505             0 Jun 23 10:57 test.txt
sftp> rm test.txt
Removing /junedm/test.txt
sftp> cd /
sftp> ls -l
drwxrwxr-x    2 503      504          4096 Jun 23 10:57 junedm
  7. Confirm that an ssh login is refused. The message below is printed by sshd because of ForceCommand internal-sftp; it does not come from /sbin/nologin.
[prod@ggvaapp03 tmp]$ ssh junedm@tiber
junedm@tiber's password:
This service allows sftp connections only.
Connection to tiber closed.
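The whole procedure as one script, added here as an example and not the author's own commands: it creates the group, the user (home /<user>, no shell, no stray home on the host) and the user's directory inside the chroot, checks the one thing sshd enforces and the post ran into (every path component down to the ChrootDirectory owned by root and not group- or world-writable) and only then appends the Match block, syntax-checks it and restarts sshd. The names are the post's and are hypothetical defaults (chroot /mnt/home, group sftponly, user junedm, overridable through the environment); the client host and address passed to sshd -C are made up. Run it as root with SFTP_SETUP_RUN=1; without that variable it only defines the functions, so it can be sourced and inspected safely.

```shell
#!/bin/bash
# Added example (not from the original post): chrooted SFTP setup for
# CentOS 6 / OpenSSH 5.3 with the path-permission check that sshd enforces.
# Hypothetical defaults: CHROOT=/mnt/home, SFTP_GROUP=sftponly, user junedm.

CHROOT="${CHROOT:-/mnt/home}"
SFTP_GROUP="${SFTP_GROUP:-sftponly}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
CHROOT_OWNER_UID="${CHROOT_OWNER_UID:-0}"   # root; overridable for offline tests

# One directory: owned by CHROOT_OWNER_UID and no group/world write bit.
dir_ok() {
    local dir="$1"
    set -- $(ls -ldn "$dir")                # perms links uid gid size ... name
    local perms="$1" uid="$3"
    [ "$uid" = "$CHROOT_OWNER_UID" ] || { echo "bad owner uid=$uid on $dir" >&2; return 1; }
    case "$perms" in                        # 6th char = group w, 9th = other w
        ?????w*|????????w*) echo "group/world-writable: $perms $dir" >&2; return 1 ;;
    esac
    return 0
}

# sshd rejects the ChrootDirectory unless every component from / down to it
# passes dir_ok; walk up from the chroot to /.
chroot_path_ok() {
    local dir="$1"
    while :; do
        dir_ok "$dir" || { echo "ChrootDirectory check failed at $dir" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# The sshd_config block from the post, rendered from the variables above.
sftp_match_block() {
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $SFTP_GROUP
    ChrootDirectory        $CHROOT
    ForceCommand           internal-sftp -l VERBOSE
    GSSAPIAuthentication   no
    PasswordAuthentication yes
    PubkeyAuthentication   yes
    AllowAgentForwarding   no
    AllowTcpForwarding     no
    X11Forwarding          no
EOF
}

# Create group, user and the user's directory inside the chroot (root only).
add_sftp_user() {
    local user="$1"
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    # Home is /<user>: sshd resolves it inside the chroot. -M keeps useradd
    # from creating /<user> on the host. /sbin/nologin is belt and braces;
    # ForceCommand is what actually refuses a shell.
    useradd -M -d "/$user" -s /sbin/nologin -G "$SFTP_GROUP" "$user"
    # 0750 rather than the post's 775: other sftponly members share the
    # chroot and must not be able to write into this user's directory.
    install -d -o "$user" -g "$SFTP_GROUP" -m 0750 "$CHROOT/$user"
}

# Back up, disable the old Subsystem line, append the block, syntax-check,
# then restart. Keep your current session open until a new login works.
install_sshd_config() {
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    sed -i 's/^[[:space:]]*Subsystem[[:space:]]\+sftp.*/#&/' "$SSHD_CONFIG"
    { echo; echo "### chrooted sftp for group $SFTP_GROUP"; sftp_match_block; } >>"$SSHD_CONFIG"
    sshd -t -f "$SSHD_CONFIG" || return 1
    service sshd restart
}

main() {
    local user="${1:-junedm}"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    mkdir -p "$CHROOT" && chown root:root "$CHROOT" && chmod 0755 "$CHROOT"
    chroot_path_ok "$CHROOT" || return 1
    add_sftp_user "$user"
    install_sshd_config || return 1
    # Show the effective settings sshd would apply to that user (OpenSSH 5.1+;
    # the client host/addr are hypothetical, all three keywords are required).
    sshd -T -C user="$user",host=client.example,addr=203.0.113.5 |
        grep -iE 'chrootdirectory|forcecommand|allowtcpforwarding'
}

if [ "${SFTP_SETUP_RUN:-0}" = 1 ]; then main "$@"; fi
```

The permission walk is the part worth keeping even if you set the rest up by hand: when a chrooted login fails with nothing more than "fatal: bad ownership or modes for chroot directory" in /var/log/secure, running chroot_path_ok against the ChrootDirectory points at the offending component directly.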

Tuesday, November 17, 2015

How to remove deleted files without rebooting the server

A file that was deleted while a process still had it open keeps its disk blocks until the last descriptor on it is closed, so the space never comes back and df and du disagree. Instead of restarting the process or rebooting, truncate the still-open inode through the process's /proc entry, as follows.

# Find which deleted files are still holding disk space. lsof +L1 lists open files with a link count below 1, i.e. unlinked. Here /var/lib/mysql/tiber-slow.log has already been deleted, but a descriptor in mysqld still pins about 53 GB.

[root@tiber ~]# /usr/sbin/lsof +L1| grep deleted
httpd      1215 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
mysqld_sa  5126      root    0u   CHR  136,8                 0       10 /dev/pts/8 (deleted)
mysqld_sa  5126      root    1u   CHR  136,8                 0       10 /dev/pts/8 (deleted)
mysqld_sa  5126      root    2u   CHR  136,8                 0       10 /dev/pts/8 (deleted)
mysqld     5463     mysql    5u   REG  253,0           0     0  3375113 /tmp/ibmUkzSE (deleted)
mysqld     5463     mysql    6u   REG  253,0           0     0  3375114 /tmp/ibO0Vrz1 (deleted)
mysqld     5463     mysql    7u   REG  253,0           0     0  3375115 /tmp/ibsBhlgo (deleted)
mysqld     5463     mysql    8u   REG  253,0           0     0  3375117 /tmp/ibdc6pyL (deleted)
mysqld     5463     mysql   11w   REG  253,0 56948585548     0  7569934 /var/lib/mysql/tiber-slow.log (deleted)
mysqld     5463     mysql   12u   REG  253,0           0     0  3375118 /tmp/ibbgJXs9 (deleted)
httpd      5675 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
httpd      5678 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
httpd     10448      root   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
httpd     11372 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
httpd     15774 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
httpd     15992 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
httpd     17758 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
httpd     18725 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
httpd     19277 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)
bash      24852 junedm    0u   CHR 136,11                 0       13 /dev/pts/11 (deleted)
bash      24852 junedm    1u   CHR 136,11                 0       13 /dev/pts/11 (deleted)
bash      24852 junedm    2u   CHR 136,11                 0       13 /dev/pts/11 (deleted)
bash      24852 junedm  255u   CHR 136,11                 0       13 /dev/pts/11 (deleted)
ntpd      28185       ntp    3w   REG  253,0         235     0 10223627 /var/cfengine/outputs/cf_tiber_glam_com__1317021178_Mon_Sep_26_00_12_58_2011_ab92cca0 (deleted)
httpd     29537 junedm   35w   REG  253,0           0     0  3375109 /tmp/rewrite.log (deleted)

# List the descriptors of that process whose target has no remaining directory entry (link count 0)

[root@tiber ~]# find -L /proc/5463/fd -type f -links 0 | xargs ls -l
l-wx------ 1 root root 64 Aug  3 19:55 /proc/5463/fd/11 -> /var/lib/mysql/tiber-slow.log (deleted)
lrwx------ 1 root root 64 Aug  3 19:55 /proc/5463/fd/12 -> /tmp/ibbgJXs9 (deleted)
lrwx------ 1 root root 64 Aug  3 19:55 /proc/5463/fd/5 -> /tmp/ibmUkzSE (deleted)
lrwx------ 1 root root 64 Aug  3 19:55 /proc/5463/fd/6 -> /tmp/ibO0Vrz1 (deleted)
lrwx------ 1 root root 64 Aug  3 19:55 /proc/5463/fd/7 -> /tmp/ibsBhlgo (deleted)
lrwx------ 1 root root 64 Aug  3 19:55 /proc/5463/fd/8 -> /tmp/ibdc6pyL (deleted)

# To truncate the file behind that descriptor, run the following. perl's truncate() acts on the inode the /proc link points to, so the process keeps its descriptor and the blocks are released.

[root@tiber ~]# perl -e 'truncate("/proc/5463/fd/11", 0);'

# where 5463 is the mysqld process id and 11 is the fd for /var/lib/mysql/tiber-slow.log

After the truncate, lsof shows the deleted file with size zero and the space is back. If the writer appends (as log writers normally do) it simply continues from zero; a writer that does not use O_APPEND puts its next write at its old offset, leaving a sparse file whose apparent size jumps back while its real usage stays small.
[root@tiber ~]# lsof | grep -i deleted
httpd      1215 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
mysqld_sa  5126      root    0u      CHR              136,8                               10 /dev/pts/8 (deleted)
mysqld_sa  5126      root    1u      CHR              136,8                               10 /dev/pts/8 (deleted)
mysqld_sa  5126      root    2u      CHR              136,8                               10 /dev/pts/8 (deleted)
mysqld     5463     mysql    5u      REG              253,0           0              3375113 /tmp/ibmUkzSE (deleted)
mysqld     5463     mysql    6u      REG              253,0           0              3375114 /tmp/ibO0Vrz1 (deleted)
mysqld     5463     mysql    7u      REG              253,0           0              3375115 /tmp/ibsBhlgo (deleted)
mysqld     5463     mysql    8u      REG              253,0           0              3375117 /tmp/ibdc6pyL (deleted)
mysqld     5463     mysql   11w      REG              253,0           0              7569934 /var/lib/mysql/tiber-slow.log (deleted)
mysqld     5463     mysql   12u      REG              253,0           0              3375118 /tmp/ibbgJXs9 (deleted)
httpd      5675 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
httpd      5678 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
httpd     10448      root   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
httpd     11372 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
httpd     15774 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
httpd     15992 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
httpd     17758 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
httpd     18725 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
httpd     19277 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
bash      24852 junedm    0u      CHR             136,11                               13 /dev/pts/11 (deleted)
bash      24852 junedm    1u      CHR             136,11                               13 /dev/pts/11 (deleted)
bash      24852 junedm    2u      CHR             136,11                               13 /dev/pts/11 (deleted)
bash      24852 junedm  255u      CHR             136,11                               13 /dev/pts/11 (deleted)
ntpd      28185       ntp    3w      REG              253,0         235             10223627 /var/cfengine/outputs/cf_tiber_glam_com__1317021178_Mon_Sep_26_00_12_58_2011_ab92cca0 (deleted)
httpd     29537 junedm   35w      REG              253,0           0              3375109 /tmp/rewrite.log (deleted)
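The same technique as a small reusable script, added here as an example and not the author's commands: the first function lists, for one process, every descriptor that refers to a regular file whose directory entry is gone, with the live size read through the /proc link (the information lsof +L1 and find -links 0 gave above); the second truncates a chosen descriptor with plain shell redirection, which does to the inode exactly what the perl truncate() call did. It needs Linux /proc and read permission on the inode (same user as the process, or root). The pid and fd in the usage comment are the post's; the file the test creates is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): find and truncate files that
# were deleted while a process still holds them open. Linux /proc only.

# Print "fd size path" for every fd of <pid> that refers to a regular file
# whose directory entry is gone (readlink shows " (deleted)"). The size is
# read through the magic link, so it is the live size of the unlinked inode.
deleted_open_files() {   # deleted_open_files <pid>
    local pid="$1" fd target size
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case "$target" in *' (deleted)') ;; *) continue ;; esac
        [ -f "$fd" ] || continue            # follows the link: regular files only
        size=$(( $(wc -c < "$fd") ))        # $(( )) strips any padding from wc
        echo "${fd##*/} $size ${target% (deleted)}"
    done
}

# Truncate the inode behind /proc/<pid>/fd/<n> without touching the process.
# Opening the magic link with O_TRUNC acts on the same inode, exactly like
# perl -e 'truncate("/proc/<pid>/fd/<n>", 0)'. Caveat: a writer that does
# not use O_APPEND lands its next write at the old offset and the file
# becomes sparse (large apparent size, small real usage); log writers
# normally append and just continue from zero.
truncate_open_fd() {     # truncate_open_fd <pid> <fd>
    local link="/proc/$1/fd/$2"
    [ -f "$link" ] || { echo "not a regular file: $link" >&2; return 1; }
    : > "$link"
}

# Usage with the pid and fd from the post (constructed call, not run here):
#   deleted_open_files 5463          # -> "11 56948585548 /var/lib/mysql/tiber-slow.log" ...
#   truncate_open_fd 5463 11
```

Restricting the listing to one pid and to regular files keeps pseudo-terminals and the small InnoDB temp files out of the way; run deleted_open_files over every pid from ps only when you do not yet know which process is the culprit, and truncate only descriptors you have identified by name, because the fd number alone is not stable across restarts of the process.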


Tuesday, June 9, 2015

/usr/bin/ld: cannot find -luuid

make[2]: *** [checkgid] Error 1
/usr/bin/ld: cannot find -luuid

The linker cannot find the libuuid development symlink (libuuid.so); ask yum which package provides it and install that package:

# yum provides */libuuid.so

libuuid-devel-2.17.2-12.18.el6.x86_64 : Universally unique ID library
Repo        : Centos-base
Matched from:
Filename    : /usr/lib64/libuuid.so

libuuid-devel-2.17.2-12.18.el6.i686 : Universally unique ID library

yum install libuuid-devel

Monday, June 8, 2015

Sysadmin's Notepad: Investigating frame errors in ifconfig output

Sysadmin's Notepad: Investigating frame errors in ifconfig output: Today I've been alerted about network issues on one of the Linux servers. Fortunately Geneos monitoring tools are analyzing ifconfig out...

Monday, March 2, 2015

Technodrone: Nova-Docker on Juno

Technodrone: Nova-Docker on Juno: Containers are hot. It is the latest buzzword. Unfortunately buzzwords are not always the right way to go, but I have been wanting to use co...