Bug#610969: openssh-server: Make sftp transfer log work if /dev/log not writable for normal user

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#610969: openssh-server: Make sftp transfer log work if /dev/log not writable for normal user
From: Jan Sievers <sievers@zedat.fu-berlin.de>
Date: Mon, 24 Jan 2011 15:24:29 +0100
Message-id: <[🔎] 20110124142429.22189.38493.reportbug@island.zedat.fu-berlin.de>
Reply-to: Jan Sievers <sievers@zedat.fu-berlin.de>, 610969@bugs.debian.org

Package: openssh-server
Version: 1:5.1p1-5
Severity: wishlist

Currently the subsystem process sftp-server writes the transfer log.
Since these processes run with the privileges of the user which logs
into SFTP, writing SFTP transfer logs does not work if /dev/log is not
writable by a "normal user".

It makes sense to prevent normal users from writing to /dev/log if you use
log processing tools, like fail2ban, which take action upan specific log
lines.

I guess it should be possible to inherit a file handle previously
opened by the ssh daemon to the subsystem process, like it is done by
FTP daemons.

Jan

-- System Information:
Debian Release: 5.0.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser         3.110                    add and remove users and groups
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  dpkg            1.14.31                  Debian package management system
ii  libc6           2.7-18lenny7             GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny6 MIT Kerberos runtime libraries
ii  libpam-modules  1.0.1-5+lenny1           Pluggable Authentication Modules f
ii  libpam-runtime  1.0.1-5+lenny1           Runtime support for the PAM librar
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libselinux1     2.0.65-5                 SELinux shared libraries
ii  libssl0.9.8     0.9.8g-15+lenny11        SSL shared libraries
ii  libwrap0        7.6.q-16                 Wietse Venema's TCP wrappers libra
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  openssh-blackli 0.4.1                    list of default blacklisted OpenSS
ii  openssh-client  1:5.1p1-5                secure shell client, an rlogin/rsh
ii  procps          1:3.2.7-11               /proc file system utilities
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-7 under X, asks user for a passphras

-- debconf information excluded

Reply to:

Prev by Date: Bug#609546: possibel bug in sshd: pubkey auth does not more work if ${HOME} is NFS
Next by Date: [bts-link] source package openssh
Previous by thread: Bug#610590: openssh: support for host:port format
Next by thread: [bts-link] source package openssh
Index(es):
- Date
- Thread