Monday, October 30, 2017

Setting up vsftpd with the chroot option

Today I got a requirement to set up an SFTP user and restrict its access to a specific directory. My currently running OS version is Oracle Linux 5.11, whose latest available OpenSSH version is openssh-4.3p2-82.el5. The initial plan was to set up a chroot to the home directory using the configuration below, which is quite straightforward.

1. Create a group called sftponly

        #groupadd sftponly
2. Update the /etc/ssh/sshd_config file with the entries below

AllowGroups root sftponly
Match Group sftponly
        ChrootDirectory /home/newuser
        ForceCommand    internal-sftp
        AllowTcpForwarding      no

While restarting sshd, it failed with:

Starting sshd: /etc/ssh/sshd_config: line 123: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options [FAILED]

After googling for a while, I found that this feature is supported only in OpenSSH 5 or above, so it is not possible in my case.

As an immediate workaround, I decided to go with vsftpd and its chroot option. Here is what I followed to set it up.

1. Install the vsftpd package (#yum install vsftp*)

2. In the vsftpd configuration file, change anonymous_enable to NO (anonymous_enable=NO)

3. Add the line below to the same file

        chroot_local_user=YES

4. Add a user as below and set its shell to /bin/false so that the user cannot log in via a shell

testuser:x:54332:54335::/home/testuser:/bin/false


NOTE: Ensure /bin/false is listed in the /etc/shells file, otherwise vsftpd will reject the user's login.
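The steps above, as an added shell example that is not part of the original post: it applies the two vsftpd directives idempotently (so re-running never leaves duplicate lines) and audits the result, including the /etc/shells check from the note. The config file and shells file paths are parameters (an assumption for illustration), so it can be tried on scratch copies before editing the live files as root.

```shell
#!/bin/sh
# Added example (not from the original post). Applies and audits the
# vsftpd chroot settings; CONF and SHELLS paths are passed in by the caller.

# set_opt CONF KEY VALUE: rewrite an existing KEY= line (active or
# commented out) or append it, so repeated runs stay idempotent.
set_opt() {
    conf=$1; key=$2; val=$3
    if grep -q "^#*[[:space:]]*${key}=" "$conf"; then
        sed -i "s|^#*[[:space:]]*${key}=.*|${key}=${val}|" "$conf"
    else
        printf '%s=%s\n' "$key" "$val" >> "$conf"
    fi
}

# get_opt CONF KEY: print the effective (uncommented) value, last one
# wins; prints nothing if the key is unset.
get_opt() {
    grep "^${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

# apply_chroot_config CONF: steps 2 and 3 of the post.
apply_chroot_config() {
    set_opt "$1" anonymous_enable NO
    set_opt "$1" chroot_local_user YES
}

# audit_chroot_config CONF SHELLS: succeed (exit 0) only when anonymous
# login is off, local users are jailed, and /bin/false is an allowed
# shell, since vsftpd refuses users whose shell is not in /etc/shells.
audit_chroot_config() {
    conf=$1; shells=$2; rc=0
    [ "$(get_opt "$conf" anonymous_enable)" = "NO" ] \
        || { echo "anonymous_enable is not NO"; rc=1; }
    [ "$(get_opt "$conf" chroot_local_user)" = "YES" ] \
        || { echo "chroot_local_user is not YES"; rc=1; }
    grep -qx '/bin/false' "$shells" \
        || { echo "/bin/false missing from $shells"; rc=1; }
    return $rc
}
```

Run the audit after every change and before restarting vsftpd; a non-zero exit lists exactly which of the three conditions is still unmet.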

Friday, September 29, 2017

lock/nolock mount option for NFS shares

I have explored the internet for detailed information on the nolock NFS mount option, but very limited details are available. I have tried to consolidate all the details on this single page, as below.

This option controls whether the NLM sideband protocol is used to lock files on the server. If neither option is specified (or if lock is specified), NLM locking is used for this mount point. When the nolock option is used, applications can still lock files, but such locks provide exclusion only against other applications running on the same client; remote applications are not affected by these locks. In other words, nolock prevents the exchange of lock information between the NFS server and this client: the server is not aware of file locks on the client, and vice versa.

Failing to maintain proper locking between a write operation on one host and a read operation on another host may cause the reader to get incomplete or inconsistent data.

The mount options of a share can usually be updated without really impacting the application. This option, however, changes the locking behaviour of the mount, and if the mount is used as an application file system (such as a WebLogic domain), which is usually in active use, it is always recommended to make the change during a proper downtime window: bring down the application, then perform the activity.