Re: [DIFF] sftp-server.8, sshd_config.5 after syslog_r change

2014-07-28 Thread Ingo Schwarze
Theo de Raadt wrote on Mon, Jul 28, 2014 at 09:20:36AM -0600:

> The mention of sendsyslog is not acceptable.  When this man page shows up
> on some other system, it will be an Xr pointing to nowhere.
> 
> The information is too specific.  Frankly, no one will care.  Old systems
> will continue doing what they have, which is the provided advice to have
> /dev/log in the chroot space.  In attempting to remove this advice for
> OpenBSD-only, you are just plain being too specific.
> 
> Meaning if someone leaves /dev/log in an OpenBSD chroot space, nothing at
> all is harmed.

Fair enough, that makes the patch even simpler.

OK?
  Ingo


Index: sftp-server.8
===
RCS file: /cvs/src/usr.bin/ssh/sftp-server.8,v
retrieving revision 1.25
diff -u -r1.25 sftp-server.8
--- sftp-server.8   14 Oct 2013 14:18:56 -  1.25
+++ sftp-server.8   28 Jul 2014 15:24:16 -
@@ -140,11 +140,11 @@
 user's default mask.
 .El
 .Pp
-For logging to work,
+On some systems,
 .Nm
 must be able to access
-.Pa /dev/log .
-Use of
+.Pa /dev/log
+for logging to work, and use of
 .Nm
 in a chroot configuration therefore requires that
 .Xr syslogd 8
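
Review bot: In the rewritten sentence, "On some systems" now has to carry over through "and use of ... therefore requires" to the chroot requirement as well, so the reader must work out that the syslogd socket is only needed on those same systems. Consider keeping two sentences, ending the first at "for logging to work." and opening the second with "On such systems, use of", so an administrator setting up a chroot can see directly whether the logging socket applies to them.
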
Index: sshd_config.5
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.175
diff -u -r1.175 sshd_config.5
--- sshd_config.5   15 Jul 2014 15:54:14 -  1.175
+++ sshd_config.5   28 Jul 2014 15:24:17 -
@@ -345,9 +345,9 @@
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
 in-process sftp server is used,
-though sessions which use logging do require
+though sessions which use logging may require
 .Pa /dev/log
-inside the chroot directory (see
+inside the chroot directory on some operating systems (see
 .Xr sftp-server 8
 for details).
 .Pp
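
Review bot: The new wording hedges twice in one clause, with "may require" and "on some operating systems". One qualifier is enough: either "may require /dev/log inside the chroot directory" or "require /dev/log inside the chroot directory on some operating systems"; the second form stays closer to the "On some systems" phrasing used for sftp-server.8 in this patch.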



Re: [DIFF] sftp-server.8, sshd_config.5 after syslog_r change

2014-07-28 Thread Theo de Raadt
>> Unfortunately, no.
>> 
>> The ssh manual pages are also used by the -portable effort.  We do not
>> bother documenting these divergences; there is little harm.
>> 
>> Actually you could submit a new diff which suggests that logging
>> "might" need a /dev/log setup.  If written carefully to cover both
>> kinds of systems, that would be accepted.

The mention of sendsyslog is not acceptable.  When this man page shows up
on some other system, it will be an Xr pointing to nowhere.

The information is too specific.  Frankly, no one will care.  Old systems
will continue doing what they have, which is the provided advice to have
/dev/log in the chroot space.  In attempting to remove this advice for
OpenBSD-only, you are just plain being too specific.

Meaning if someone leaves /dev/log in an OpenBSD chroot space, nothing at
all is harmed.

>Index: sftp-server.8
>===
>RCS file: /cvs/src/usr.bin/ssh/sftp-server.8,v
>retrieving revision 1.25
>diff -u -r1.25 sftp-server.8
>--- sftp-server.8  14 Oct 2013 14:18:56 -  1.25
>+++ sftp-server.8  28 Jul 2014 15:14:45 -
>@@ -140,15 +140,21 @@
> user's default mask.
> .El
> .Pp
>-For logging to work,
>+On many systems,
> .Nm
> must be able to access
>-.Pa /dev/log .
>-Use of
>+.Pa /dev/log
>+for logging to work, and use of
> .Nm
> in a chroot configuration therefore requires that
> .Xr syslogd 8
> establish a logging socket inside the chroot directory.
>+This is not needed on systems implementing the
>+.Xr syslog 3
>+family of functions in terms of a
>+.Xr sendsyslog 2
>+system call, for example
>+.Ox .
> .Sh SEE ALSO
> .Xr sftp 1 ,
> .Xr ssh 1 ,
>Index: sshd_config.5
>===
>RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
>retrieving revision 1.175
>diff -u -r1.175 sshd_config.5
>--- sshd_config.5  15 Jul 2014 15:54:14 -  1.175
>+++ sshd_config.5  28 Jul 2014 15:14:45 -
>@@ -345,9 +345,9 @@
> .Dq sftp ,
> no additional configuration of the environment is necessary if the
> in-process sftp server is used,
>-though sessions which use logging do require
>+though sessions which use logging may require
> .Pa /dev/log
>-inside the chroot directory (see
>+inside the chroot directory on some operating systems (see
> .Xr sftp-server 8
> for details).
> .Pp
>



Re: [DIFF] sftp-server.8, sshd_config.5 after syslog_r change

2014-07-28 Thread Ingo Schwarze
Theo de Raadt wrote on Fri, Jul 18, 2014 at 03:04:28PM -0600:

> Unfortunately, no.
> 
> The ssh manual pages are also used by the -portable effort.  We do not
> bother documenting these divergences; there is little harm.
> 
> Actually you could submit a new diff which suggests that logging
> "might" need a /dev/log setup.  If written carefully to cover both
> kinds of systems, that would be accepted.

OK?
  Ingo


Index: sftp-server.8
===
RCS file: /cvs/src/usr.bin/ssh/sftp-server.8,v
retrieving revision 1.25
diff -u -r1.25 sftp-server.8
--- sftp-server.8   14 Oct 2013 14:18:56 -  1.25
+++ sftp-server.8   28 Jul 2014 15:14:45 -
@@ -140,15 +140,21 @@
 user's default mask.
 .El
 .Pp
-For logging to work,
+On many systems,
 .Nm
 must be able to access
-.Pa /dev/log .
-Use of
+.Pa /dev/log
+for logging to work, and use of
 .Nm
 in a chroot configuration therefore requires that
 .Xr syslogd 8
 establish a logging socket inside the chroot directory.
+This is not needed on systems implementing the
+.Xr syslog 3
+family of functions in terms of a
+.Xr sendsyslog 2
+system call, for example
+.Ox .
 .Sh SEE ALSO
 .Xr sftp 1 ,
 .Xr ssh 1 ,
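
Review bot: The six added lines at the end of the paragraph name ".Xr sendsyslog 2" and ".Ox", which ties a page that is also used by the -portable effort to one system's implementation; where no sendsyslog(2) page is installed, the cross-reference leads nowhere. The "On many systems" qualifier at the top of the paragraph already tells the reader that the requirement is not universal, so the added sentence can be dropped without losing the point.
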
Index: sshd_config.5
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.175
diff -u -r1.175 sshd_config.5
--- sshd_config.5   15 Jul 2014 15:54:14 -  1.175
+++ sshd_config.5   28 Jul 2014 15:14:45 -
@@ -345,9 +345,9 @@
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
 in-process sftp server is used,
-though sessions which use logging do require
+though sessions which use logging may require
 .Pa /dev/log
-inside the chroot directory (see
+inside the chroot directory on some operating systems (see
 .Xr sftp-server 8
 for details).
 .Pp
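
Review bot: The phrase "on some operating systems" in the added line disagrees with "On many systems" in the sftp-server.8 hunk of the same patch, and the parenthesis sends the reader to that page for details. Use the same quantifier in both files so the two pages do not appear to make different claims about how common the /dev/log requirement is.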



Re: [DIFF] sftp-server.8, sshd_config.5 after syslog_r change

2014-07-18 Thread Theo de Raadt
Unfortunately, no.

The ssh manual pages are also used by the -portable effort.  We do not
bother documenting these divergences; there is little harm.

Actually you could submit a new diff which suggests that logging
"might" need a /dev/log setup.  If written carefully to cover both
kinds of systems, that would be accepted.

> is this correct to reflect syslog_r(3) change?
> 
> I tested chrooted internal-sftp without /dev/log in the chroot
> and it was logging fine.
> 
> j.
> 
> Index: sftp-server.8
> ===
> RCS file: /cvs/src/usr.bin/ssh/sftp-server.8,v
> retrieving revision 1.25
> diff -u -p -r1.25 sftp-server.8
> --- sftp-server.8   14 Oct 2013 14:18:56 -  1.25
> +++ sftp-server.8   18 Jul 2014 20:58:23 -
> @@ -139,16 +139,6 @@ Sets an explicit
>  to be applied to newly-created files and directories, instead of the
>  user's default mask.
>  .El
> -.Pp
> -For logging to work,
> -.Nm
> -must be able to access
> -.Pa /dev/log .
> -Use of
> -.Nm
> -in a chroot configuration therefore requires that
> -.Xr syslogd 8
> -establish a logging socket inside the chroot directory.
>  .Sh SEE ALSO
>  .Xr sftp 1 ,
>  .Xr ssh 1 ,
> Index: sshd_config.5
> ===
> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> retrieving revision 1.175
> diff -u -p -r1.175 sshd_config.5
> --- sshd_config.5   15 Jul 2014 15:54:14 -  1.175
> +++ sshd_config.5   18 Jul 2014 20:58:24 -
> @@ -344,12 +344,7 @@ devices.
>  For file transfer sessions using
>  .Dq sftp ,
>  no additional configuration of the environment is necessary if the
> -in-process sftp server is used,
> -though sessions which use logging do require
> -.Pa /dev/log
> -inside the chroot directory (see
> -.Xr sftp-server 8
> -for details).
> +in-process sftp server is used.
>  .Pp
>  The default is not to
>  .Xr chroot 2 .
> 



[DIFF] sftp-server.8, sshd_config.5 after syslog_r change

2014-07-18 Thread Jiri B
Hi,

is this correct to reflect syslog_r(3) change?

I tested chrooted internal-sftp without /dev/log in the chroot
and it was logging fine.

j.

Index: sftp-server.8
===
RCS file: /cvs/src/usr.bin/ssh/sftp-server.8,v
retrieving revision 1.25
diff -u -p -r1.25 sftp-server.8
--- sftp-server.8   14 Oct 2013 14:18:56 -  1.25
+++ sftp-server.8   18 Jul 2014 20:58:23 -
@@ -139,16 +139,6 @@ Sets an explicit
 to be applied to newly-created files and directories, instead of the
 user's default mask.
 .El
-.Pp
-For logging to work,
-.Nm
-must be able to access
-.Pa /dev/log .
-Use of
-.Nm
-in a chroot configuration therefore requires that
-.Xr syslogd 8
-establish a logging socket inside the chroot directory.
 .Sh SEE ALSO
 .Xr sftp 1 ,
 .Xr ssh 1 ,
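
Review bot: Deleting the whole /dev/log paragraph leaves sftp-server.8 with no logging guidance for chroot setups, while the only evidence given in the submission is a test of chrooted internal-sftp on a system with the syslog_r(3) change. On a system where logging still goes through /dev/log, an administrator following the page would build a chroot in which the removed requirement ("must be able to access /dev/log") is not met and logging does not work. Consider keeping the paragraph and qualifying its first sentence instead of removing it.
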
Index: sshd_config.5
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.175
diff -u -p -r1.175 sshd_config.5
--- sshd_config.5   15 Jul 2014 15:54:14 -  1.175
+++ sshd_config.5   18 Jul 2014 20:58:24 -
@@ -344,12 +344,7 @@ devices.
 For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
-in-process sftp server is used,
-though sessions which use logging do require
-.Pa /dev/log
-inside the chroot directory (see
-.Xr sftp-server 8
-for details).
+in-process sftp server is used.
 .Pp
 The default is not to
 .Xr chroot 2 .
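
Review bot: With the /dev/log clause and the "(see sftp-server 8 for details)" pointer removed, the sentence now states without exception that "no additional configuration of the environment is necessary" for the in-process sftp server. That matches the setup tested in the submission, but on a system that still needs /dev/log inside the chroot the page would no longer say so, and session logging is the part that is lost. Softening "do require" rather than deleting the clause would keep the pointer for those systems.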