Re: Qemu 9pfs sftp chrootdirectory option issue

To: debian-user@lists.debian.org
Subject: Re: Qemu 9pfs sftp chrootdirectory option issue
From: john doe <johndoe65534@mail.com>
Date: Mon, 9 Nov 2020 09:58:39 +0100
Message-id: <[🔎] 534577b3-0154-09d0-da8e-1098f362e64f@mail.com>
In-reply-to: <3944f96f-f0c1-75eb-481c-6ed9d64f1c76@mail.com>
References: <c7056749-b0ca-a129-41a4-d8c45b8e3891@mail.com> <ead60944-9441-7709-bf1c-d0759f948187@list-post.mks-mail.de> <5b914b7d-af53-8f56-3927-b3be75a41f33@mail.com> <48717b31-4633-9c70-dd8a-188299c7d479@list-post.mks-mail.de> <d3c25b6b-7ed3-fb3d-f482-26f23b3aaa06@mail.com> <6ced988a-ed2d-26e7-e23f-b48e87c75c72@list-post.mks-mail.de> <7994d76f-3e2c-2db8-789e-03f1a135c12e@mail.com> <b65999a0-eaa1-0fa8-3951-0d4ddbdd6374@list-post.mks-mail.de> <3944f96f-f0c1-75eb-481c-6ed9d64f1c76@mail.com>

On 10/28/2020 8:00 PM, john doe wrote:

On 10/28/2020 7:50 PM, Markus Schönhaber wrote:

28.10.20, 19:19 +0100 john doe:

On 10/28/2020 6:51 PM, Markus Schönhaber wrote:

28.10.20, 18:30 +0100 john doe:

$ ls -dl /srv/sftp/9p
drwx------ 8 root root ... /srv/sftp/9p


Isn't "9p" supposed to be the share directory? If it is, why is it
owned
by root and has these restrictive permissions?


Because of the chrootdirectory directive (see above).


That's why I suggested (twice!) to set the ChrootDirectory to the
directory that *contains* the share directory.

Assuming
ChrootDirectory -> /srv/sftp -> make this root:root, drwxr-xr-x
share -> /srv/sftp/9p -> make this libvirt-qemu:libvirt-qemu,
drwxr-xr-x


If I do that, I can't even connect to the sftp server:

$ sftp sftp9p
packet_write_wait: Connection to ::1 port 22: Broken pipe
Connection closed


The logs will probably tell you what exactly is wrong.


Yes the cause of this message is explained by the fatal message
mentioned in my privious e-mail.

As I'm not able to properly describe the issue I'm facing I will need to
come at this from an other angle.

Thanks anyway for your help.


I managed to get it working by pointing the 'chrootdirective' to a root
own directory, then by mounting the 9p share in a subdirectory of that
directory.
I use the '-d' option to the 'internal-sftp' to make it transparent to
the users connecting to that VM.:


$ cat /etc/ssh/sshd_config
Match ...
        ChrootDirectory /mnt/sftp
        ForceCommand internal-sftp -d sftp

$ls -dl /mnt/sftp
drwxr-xr-x 3 root root 4096 ... /mnt/sftp

$ cat /etc/fstab
sftp_dir /mnt/sftp/sftp 9p trans=virtio,version=9p2000.L

$ ls -dl /mnt/sftp/sftp
drwxr-xrwx 2 64055 64055 4096 ... /mnt/sftp/sftp

Note that I still have not figured out why I need to sed the permission
for 'other' to 'rwx' for it to work or how to restrict access to the
share to a specific 'group'.


On the host I would invoke virt-install as follow:

virt-install --filesystem
type=mount,mode=mapped,source=/mnt/sftp,target=sftp_dir


Thanks to 'Markus Schönhaber <debian-user@list-post.mks-mail.de>' for
his input and for putting me on the right track.

--
John Doe

Reply to:

Prev by Date: Re: Virt-install setting hostname as extra args not working
Next by Date: How to decipher smartcl -x and nvme error-log output ?
Previous by thread: SOGo webmail: Mails page not accessible
Next by thread: How to decipher smartcl -x and nvme error-log output ?
Index(es):
- Date
- Thread