<div dir="ltr"><div>Well I'm glad I could piss you off</div><div>Next time I won't start my post with OT unless it involves a joke</div><div>thanks for your time and input</div><div>As I said, I mimicked my setup that worked for me on 5.10 but for some reason complains with the exact same setup on centos 7</div><div>I know sftp works out of the box on centos 7 - but these users should be jailed and not able to navigate around other than to their 'attachments' directory- they drop off files and that's it....</div><div>I'll look at my configuration again and see if everything is in order</div><div>moving forward I'll make sure I have my checkbook in hand when asking for any assistance from this 'community'</div><div><br></div></div><br><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Tue, Mar 26, 2019 at 9:11 PM Fairlight via Filepro-list <<a href="mailto:filepro-list@lists.celestial.com">filepro-list@lists.celestial.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">This is way outside the scope of filePro. For that matter, so was the mail<br>
stuff last week.<br>
<br>
At this point, you've come to the filePro list for a good percentage of<br>
what should be Linux 101 and done within the scope of a CentOS community,<br>
asking us to help set up your new box. While it's been a form of cheap<br>
amusement to watch you go on this journey, that benefit has outstayed its<br>
welcome, at least for me. In fact, it's annoying the hell out of me,<br>
because you should be either researching your problems, or paying someone<br>
to do it. As someone who does systems administration for a living, I<br>
can say I'm quite irked on principle to see you repeatedly trying to get<br>
something for nothing in terms of systems administration. It's like going<br>
to a professional car mechanics' retreat without being a professional<br>
mechanic yourself, and trying to get your car fixed for free. Insulting<br>
doesn't quite do it justice.<br>
<br>
At the -very- least, you should be leaning on a community actually focused<br>
on the platform at hand.<br>
<br>
Respectfully, I would suggest you either hire someone who can get it<br>
done, or find a community better suited to handling the *nix-specific<br>
issues you keep running into which are wholly unrelated to filePro<br>
itself. You may use filePro, but these aren't even filePro integration<br>
problems/issues/questions, at this point. These are *nix subsystem and<br>
functionality issues, full stop.<br>
<br>
What you've been doing is the equivalent of someone coming in here and<br>
asking how to configure IIS on Windows. It makes about as much sense, and<br>
it's really not the venue.<br>
<br>
If this is for a hobby, figure it out. If this is for business, it should<br>
be paid work for someone, past a certain point. You've really been pushing<br>
it lately.<br>
<br>
And for the record, stock sftp on CentOS 7 works just fine. I've got it<br>
working on many boxes, and there are no issues as long as permissions and<br>
groups are correct.<br>
<br>
/home/ should be root:root 0755.<br>
<br>
/home/frontier/ should be root:root 0755.<br>
<br>
Under there, you should have subdirectories for file storage and retrieval.<br>
Assume a common idiom of inbound and outbound:<br>
<br>
/home/frontier/inbound/ frontier:users 0755<br>
/home/frontier/outbound/ frontier:users 0755<br>
<br>
You need those subdirectories, because frontier will not be able to write<br>
directly to a directory owned by root with 0755, which is mandatory.<br>
<br>
You do -not- actually need the sftponly group on the subdirectories. That<br>
group serves only as a trigger for sftp jailing.<br>
<br>
The user -must- have sftponly as their primary group.<br>
<br>
This is the sshd_config section which works for me:<br>
<br>
Match group sftponly<br>
X11Forwarding no<br>
AllowTcpForwarding no<br>
ForceCommand internal-sftp<br>
ChrootDirectory %h<br>
<br>
I wonder if you have /home/ set incorrectly. Aside from ChrootDirectory<br>
expando differences, the rest of what you have looks correct.<br>
<br>
I can, however, confirm that sftp works just fine on CentOS 7 with<br>
openssh-7.4p1-16.el7.x86_64. I'm looking directly at a working one which<br>
has been verified and is in production.<br>
<br>
mark-><br>
<br>
<br>
<br>
On Tue, Mar 26, 2019 at 07:13:33PM -0400, scooter6--- via Filepro-list thus spoke:<br>
> Is anyone aware of anything changing as to how to chroot sftp users on<br>
> centos 7?<br>
> I have everything setup identically on new server and keep getting<br>
> fatal: bad ownership or modes for chroot directory component "/" [postauth]<br>
> <br>
> Every thing I know root has to own the directory in full path up until<br>
> chroot directory<br>
> <br>
> The only way I can even get a sftpuser to connect is if I make them the owner<br>
> of the /home directory<br>
> <br>
> Old server: this is in /home<br>
> <br>
> drwxr-xr-x 3 root root 4096 Oct 16 11:15 frontier<br>
> <br>
> Then, if you go to /home/frontier:<br>
> <br>
> drwxr-xr-x 3 frontier sftponly 4096 Mar 19 15:45 attachments<br>
> <br>
> sshd_config:<br>
> <br>
> Match Group sftponly<br>
> ChrootDirectory /home/%u<br>
> ForceCommand internal-sftp<br>
> X11Forwarding no<br>
> AllowTcpForwarding no<br>
> <br>
> New server: this is in /home<br>
> <br>
> drwxr-xr-x 4 root root 38 Mar 26 18:17 frontier<br>
> <br>
> Then, if you go to /home/frontier:<br>
> <br>
> drwxr-xr-x 2 frontier sftponly 6 Mar 26 19:05 attachments<br>
> <br>
> sshd_config has:<br>
> <br>
> Match Group sftponly<br>
> ChrootDirectory /home/%u<br>
> ForceCommand internal-sftp<br>
> X11Forwarding no<br>
> AllowTcpForwarding no<br>
> <br>
> Only thing different on servers are the UID/GIDs<br>
> <br>
> Old server for frontier:<br>
> <br>
> id frontier<br>
> <br>
> uid=1014(frontier) gid=502(sftponly) groups=502(sftponly)<br>
> <br>
> New server:<br>
> <br>
> id frontier<br>
> <br>
> uid=2043(frontier) gid=1503(sftponly) groups=1503(sftponly)<br>
> <br>
> Old server, /etc/passwd<br>
> frontier:x:1014:502::/attachments:/bin/false<br>
> <br>
> New server, /etc/passwd<br>
> frontier:x:2043:1503::/attachments:/bin/false<br>
> <br>
> I even tried creating a new group, new user, etc - it's typically straight<br>
> forward, but I can't get any combination to work that others swear works<br>
> for them. This isn't normally difficult but I've been working on this for<br>
> 4 hours and can't get the right combination to seem to work<br>
> <br>
> Has anyone successfully gotten this to work on centos 7?<br>
> <br>
> thanks<br>
> _______________________________________________<br>
> Filepro-list mailing list<br>
> <a href="mailto:Filepro-list@lists.celestial.com" target="_blank">Filepro-list@lists.celestial.com</a><br>
> Subscribe/Unsubscribe/Subscription Changes<br>
> <a href="http://mailman.celestial.com/mailman/listinfo/filepro-list" target="_blank" rel="noreferrer">http://mailman.celestial.com/mailman/listinfo/filepro-list</a><br>
> <br>
<br>
-- <br>
Audio panton, cogito singularis.<br>
</blockquote></div>
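<div dir="ltr">Added example, not part of either message in this thread: a Python sketch of the rule behind the "bad ownership or modes for chroot directory component" error, namely that every path component from / down to the expanded ChrootDirectory must be a root-owned directory that is not writable by group or other. The directory trees, the helper names and the /home/frontier home directory used for %h are constructed assumptions.</div>

```python
import os
import stat
from types import SimpleNamespace

def expand_chroot(template, user, home):
    """Expand the %u, %h and %% tokens in a ChrootDirectory value."""
    return (template.replace("%%", "\0").replace("%u", user)
            .replace("%h", home).replace("\0", "%"))

def chroot_problems(path, stat_fn=os.stat):
    """List (component, reason) for every path component, from "/" down to
    the chroot directory, that is not a root-owned directory or that is
    writable by group or other."""
    parts = [p for p in path.split("/") if p]
    components = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    problems = []
    for comp in components:
        st = stat_fn(comp)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        elif st.st_uid != 0:
            problems.append((comp, "owned by uid %d, not root" % st.st_uid))
        elif st.st_mode & 0o022:
            problems.append((comp, "writable by group or other (mode %04o)"
                             % stat.S_IMODE(st.st_mode)))
    return problems

def _dir(uid, mode):
    # Constructed stand-in for os.stat() output on a directory.
    return SimpleNamespace(st_uid=uid, st_mode=stat.S_IFDIR | mode)

# Constructed sample trees (not taken from a real host). GOOD follows the
# layout given in the reply; BAD differs only in a group-writable "/".
GOOD = {"/": _dir(0, 0o755), "/home": _dir(0, 0o755),
        "/home/frontier": _dir(0, 0o755),
        "/home/frontier/inbound": _dir(2043, 0o755)}
BAD = {**GOOD, "/": _dir(0, 0o775)}

def check(tree, template, user, home):
    # home is an assumed passwd home directory used only to expand %h.
    return chroot_problems(expand_chroot(template, user, home), tree.__getitem__)

if __name__ == "__main__":
    for name, tree in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check(tree, "/home/%u", "frontier", "/home/frontier"))
    # Chrooting into the user-owned upload directory itself is also rejected.
    print(check(GOOD, "%h/inbound", "frontier", "/home/frontier"))
```

<div dir="ltr">On a live host, call chroot_problems("/home/frontier") with the default os.stat to walk the real path.</div>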