On 2021/09/22 13:06, Jochen Bern wrote:
> What do the chrooted users have for a homedir *within* the chroot? Would it
> be possible to have /var/data/chroot be a local FS and mount only
> /var/data/chroot/home from the NFS server? (If there are files that you need
> to keep identical on both servers, e.g., under /var/data/chroot/etc, you can
> still symlink those to some special subdir like /var/data/chroot/home/ETC to
> put the actual data onto the NFS share.)

The description was for /var/data/chroot/<username>/dev/log, i.e. each user
has their own separate chroot. So this type of approach would require
mounting a local fs of some sort over the top of each user's dir, which soon
gets messy.

This is amongst the reasons why OpenBSD has the sendsyslog(2) syscall,
https://man.openbsd.org/sendsyslog.2 - the syslog daemon opens a kernel
socket to receive those messages, and processes which want to write a log
entry just call the standard syslog functions, which use sendsyslog(2) rather
than /dev/log, so it works even through FD exhaustion, in chroot, and with
syscall filters that prohibit filesystem access.

Not entirely pleasant, but I suppose it could alternatively be done by using
an LD_PRELOAD wrapper to override syslog functions (I think just syslog_r is
probably enough for openssh) and have them send over a network socket
instead.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
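The LD_PRELOAD idea from the message above, sketched as an added example that is not code from the thread, from OpenSSH or from any libc: a shim that replaces the portable libc entry points openlog/syslog/vsyslog with versions that format each entry as an RFC 3164-style "<PRI>ident: message" line and send it over a UDP socket instead of the /dev/log path. The file name, the function names (shim_format, shim_parse_target, shim_open) and the SYSLOG_UDP_TARGET environment variable are assumptions made for the example; the default ident "sshd" is likewise assumed. On OpenBSD, where the message notes syslog_r would be the function to wrap, the same body would be exported under the syslog_r/vsyslog_r names.

```c
/* udp_syslog_shim.c: hypothetical LD_PRELOAD shim (added example, not from the
 * thread or OpenSSH).  Replaces libc's openlog/syslog/vsyslog so that each log
 * line goes out over a UDP socket instead of the /dev/log path. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

#define SHIM_MSG_MAX 1024

static int  shim_fd = -1;              /* UDP socket, opened on first use */
static char shim_ident[64] = "sshd";   /* assumed default; openlog() overrides it */
static int  shim_facility = LOG_AUTH;  /* used when priority carries no facility */

/* Build one RFC 3164-style line "<PRI>ident: msg".  PRI is the facility (from
 * priority if present, else the openlog() default) OR'ed with the severity.
 * Returns the line length, or -1 if it would not fit in out. */
int shim_format(char *out, size_t outlen, int priority, int facility,
                const char *ident, const char *msg)
{
    int fac = (priority & LOG_FACMASK) ? (priority & LOG_FACMASK) : facility;
    int n = snprintf(out, outlen, "<%d>%s: %s", fac | LOG_PRI(priority), ident, msg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Parse "a.b.c.d:port" into sa; 0 on success, -1 on any malformed input. */
int shim_parse_target(const char *spec, struct sockaddr_in *sa)
{
    char host[INET_ADDRSTRLEN], *end;
    const char *colon = spec ? strrchr(spec, ':') : NULL;
    if (!colon || colon == spec || (size_t)(colon - spec) >= sizeof host)
        return -1;
    memcpy(host, spec, (size_t)(colon - spec));
    host[colon - spec] = '\0';
    long port = strtol(colon + 1, &end, 10);
    if (end == colon + 1 || *end != '\0' || port < 1 || port > 65535)
        return -1;
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons((unsigned short)port);
    return inet_pton(AF_INET, host, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Connect a UDP socket to the collector named by SYSLOG_UDP_TARGET (hypothetical
 * env var; default 127.0.0.1:514).  An AF_INET socket needs no filesystem path,
 * so this still works inside the chroot; the fd is marked close-on-exec. */
static int shim_open(void)
{
    struct sockaddr_in sa;
    const char *spec = getenv("SYSLOG_UDP_TARGET");
    if (shim_parse_target(spec ? spec : "127.0.0.1:514", &sa) < 0)
        return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* libc overrides: under LD_PRELOAD these symbols win over libc's own. */
void openlog(const char *ident, int option, int facility)
{
    (void)option;                       /* LOG_PID, LOG_NDELAY etc. not reproduced */
    if (ident)
        snprintf(shim_ident, sizeof shim_ident, "%s", ident);
    if (facility)
        shim_facility = facility;
}

void vsyslog(int priority, const char *fmt, va_list ap)
{
    char msg[SHIM_MSG_MAX], line[SHIM_MSG_MAX + 80];
    vsnprintf(msg, sizeof msg, fmt, ap);
    int n = shim_format(line, sizeof line, priority, shim_facility, shim_ident, msg);
    if (n < 0)
        return;
    if (shim_fd < 0)
        shim_fd = shim_open();
    if (shim_fd >= 0)
        (void)send(shim_fd, line, (size_t)n, 0);   /* best effort, like syslog(3) */
}

void syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsyslog(priority, fmt, ap);
    va_end(ap);
}
```

Build it as a shared object (cc -fPIC -shared -o udp_syslog_shim.so udp_syslog_shim.c) and start the daemon with LD_PRELOAD pointing at it and SYSLOG_UDP_TARGET set to the collector. Two caveats a practitioner would want: the socket is an AF_INET socket, so it needs no path inside the chroot, but a privilege-separated child running under a syscall filter may still be denied socket(2)/connect(2), so the first call should happen before the filter is installed; and UDP syslog is plaintext and unauthenticated, so the collector should be on a trusted link (or the same host) rather than a shared network.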