fai-savelog: upload logs in chroot jail
Maximilian Stein
m at steiny.biz
Tue Feb 20 11:36:11 CET 2024
Hi there,
Only recently I managed to switch to Debian Bookworm and FAI 6.0.3.
So far, on the FAI server side, I used a shell script to validate and
restrict the log upload of fai-savelog.
In particular, the user `fai` for login on the server has a custom
script (fai-shell) as its login shell. My `authorized_keys` has entries
like these:
command="egon" ssh-ed25519 AAAAC3Nza…
Now, ssh runs fai-shell with "egon" as command and stores the
client-supplied command in $SSH_ORIGINAL_COMMAND. In that way,
fai-shell can validate that a client using this particular SSH key may
only write into log/egon/softupdate-….
However, recent ssh versions switched to sftp internally, so now
$SSH_ORIGINAL_COMMAND only contains "internal-sftp". Is there a clever
way to enforce a client separation like I have with older SSH versions?
Ideally, a client may only write into his client-specific directory but
neither read anything nor write to another directory.
The current implementation in fai-savelog unfortunately complicates a
solution with a chroot jail like in [1] as it first runs `mkdir` and
`ln`s. But even using sftp commands only would require a decent amount
of preparation on the server side (effectively one chroot per client or a
virtual sftp implementation).
My current workaround is to manually upload the logs with scp's -O flag
(i.e., to use the legacy scp protocol) in a hook.
Best,
Maximilian
[1]: https://linuxize.com/post/how-to-set-up-sftp-chroot-jail/
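
Added example, not part of the original post and not the poster's fai-shell: one way a forced-command wrapper can check $SSH_ORIGINAL_COMMAND when the client uses the legacy scp protocol (`scp -O`), so that a key bound to one client name can only write below its own log directory. The function name, the accepted flag set and the `log/<client>/` layout are assumptions taken from the description above.

```shell
#!/bin/sh
# Added example. check_upload is a hypothetical helper, not FAI code.
#
# check_upload CLIENT ORIGINAL_COMMAND
#   CLIENT            name from the authorized_keys command="..." option
#   ORIGINAL_COMMAND  value of $SSH_ORIGINAL_COMMAND
# Succeeds only for a legacy-scp sink ("scp [flags] -t TARGET") whose TARGET
# lies inside log/CLIENT/. internal-sftp, mkdir/ln, "scp -f" (reading) and
# other clients' directories are all refused.
check_upload() (
    client=$1
    case $client in
        ''|*[!A-Za-z0-9_-]*) exit 1 ;;   # keep the client name to a safe alphabet
    esac

    set -f            # no globbing while the command is split into words
    set -- $2         # deliberate word splitting; the string is never eval'ed
    [ "$#" -ge 3 ] || exit 1
    [ "$1" = scp ] || exit 1
    shift

    sink=no
    while [ "$#" -gt 1 ]; do             # every word before the last is a flag
        case $1 in
            -t) sink=yes ;;              # sink mode: the server receives files
            -r|-p|-d|-v) ;;              # assumed set of harmless scp flags
            *) exit 1 ;;                 # includes -f, which would allow reads
        esac
        shift
    done
    [ "$sink" = yes ] || exit 1

    target=$1
    case $target in
        *[!A-Za-z0-9_./-]*) exit 1 ;;    # no shell metacharacters or whitespace
        *..*) exit 1 ;;                  # no path traversal
        "log/$client/"?*) exit 0 ;;      # must name something inside the client dir
    esac
    exit 1
)
```

A wrapper built on this would run scp with the validated words as separate arguments rather than passing the original string to a shell. It does not help once the client speaks SFTP, where the server only sees "internal-sftp".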