On 10/28/2020 6:51 PM, Markus Schönhaber wrote:
28.10.20, 18:30 +0100 john doe:
On 10/21/2020 11:02 PM, Markus Schönhaber wrote:
21.10.20, 19:11 +0200, john doe:
On 10/20/2020 7:59 PM, Markus Schönhaber wrote:
How about moving the 9pshare to a root-owned directory and pointing the
ChrootDirectory there, for example:
share -> /all/owned/by/root/9pshare
ChrootDirectory -> /all/owned/by/root
Thank you for this.
I can only do that if 'passthrough' is used, as I don't really understand
the implications of running qemu as root, I was hoping to find a way
with 'mapped'.
'mapped' requires that the directory on the host is set to the group and
user used by qemu, 'libvirt-qemu' in this case.
I don't see the problem with chown'ing the 9pshare directory to the qemu
user in my example above.
Okay, following your instructions I can now connect using sftp but I can
not access the content of the share:
No, you seemingly didn't follow what I said.
On the host, the directory to be exported is set to
libvirt-qemu:libvirt-qemu.
In the guest, if I set the mount point to libvirt-qemu:libvirt-qemu, I
get the following error:
"fatal: bad ownership or modes for chroot directory "/srv/sftp/9p""
The above error is triggered by the ChrootDirectory directive which
requires 'root:root 0700' as ownership and mode.
From (1):
"ChrootDirectory
Specifies a path to chroot(2) to after authentication. This path, and
all its components, must be root-owned directories that are not writable
by any other user or group. After the chroot, sshd(8)"
$ ls -dl /srv/sftp/9p
drwx------ 8 root root ... /srv/sftp/9p
Isn't "9p" supposed to be the share directory? If it is, why is it owned
by root and has these restrictive permissions?
Because of the chrootdirectory directive (see above).
Assuming
ChrootDirectory -> /srv/sftp -> make this root:root, drwxr-xr-x
share -> /srv/sftp/9p -> make this libvirt-qemu:libvirt-qemu, drwxr-xr-x
If I do that, I can't even connect to the sftp server:
$ sftp sftp9p
packet_write_wait: Connection to ::1 port 22: Broken pipe
Connection closed
$ sftp sftp9p
Connected to sftp9p.
sftp> ls
remote readdir("/"): Permission denied
Of course. Guessing from what you wrote above, only root can even list
the directory's contents (or change into it, in the first place).
No argument there.
I appreciate your help/feedback.
1) https://linux.die.net/man/5/sshd_config
--
John Doe
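The two requirements the thread keeps tripping over are separable: sshd's rule for ChrootDirectory (every path component root-owned and not group/other-writable) and the plain Unix rule that the sftp user must still have read and search permission on the chroot and on the share below it, otherwise the session opens and then fails with "remote readdir("/"): Permission denied". The script below is an added example, not code from the thread or from OpenSSH; it mirrors that check so a layout can be audited before reloading sshd. It assumes GNU coreutils stat(1); the OWNER_UID and TOP parameters are not sshd options, they exist only so the check can be exercised in a scratch directory as an unprivileged user (sshd always walks to "/" and always wants uid 0).

```shell
#!/bin/sh
# Added example (not from the thread): reproduce sshd's ChrootDirectory
# ownership/mode rule over every path component, plus the readdir
# requirement on the chroot and the share. Assumes GNU coreutils stat(1).

mode_of() { stat -c '%a' "$1"; }   # octal mode digits, e.g. 755 or 1777
uid_of()  { stat -c '%u' "$1"; }   # numeric owner uid

# check_chroot_path DIR [OWNER_UID] [TOP]
# Walks DIR and each parent up to and including TOP (default "/", as sshd
# does). Every component must be owned by OWNER_UID (default 0 = root, as
# sshd requires) and have no group/other write bit. Prints the first
# offending component and returns 1; returns 0 if the chain is acceptable.
check_chroot_path() {
    dir=${1%/}; want_uid=${2:-0}; top=${3:-/}
    top=${top%/}; [ -n "$top" ] || top=/
    [ -n "$dir" ] || dir=/
    p=$dir
    while :; do
        if [ ! -d "$p" ]; then
            echo "missing directory: $p"; return 1
        fi
        if [ "$(uid_of "$p")" -ne "$want_uid" ]; then
            echo "bad ownership: $p (uid $(uid_of "$p"), want $want_uid)"; return 1
        fi
        # 18 == 0o22: the group and other write bits
        if [ $(( 0$(mode_of "$p") & 18 )) -ne 0 ]; then
            echo "bad modes: $p is group- or world-writable ($(mode_of "$p"))"; return 1
        fi
        [ "$p" = "$top" ] && return 0
        [ "$p" = / ] && return 0
        p=${p%/*}; [ -n "$p" ] || p=/
    done
}

# others_can_list DIR -> 0 if group and others have both r and x on DIR.
# Without this on the chroot directory the sftp user can log in but gets
# "remote readdir("/"): Permission denied", as shown in the thread.
others_can_list() {
    # 45 == 0o55: the r and x bits for group and others
    [ $(( 0$(mode_of "$1") & 45 )) -eq 45 ]
}

# audit_sftp_chroot CHROOT SHARE SHARE_UID [ROOT_UID] [TOP]
# CHROOT must satisfy sshd's rule and be listable; SHARE must sit inside
# CHROOT, be owned by SHARE_UID (the qemu user in the thread) and be listable.
audit_sftp_chroot() {
    jail=${1%/}; share=${2%/}; share_uid=$3; root_uid=${4:-0}; top=${5:-/}
    check_chroot_path "$jail" "$root_uid" "$top" || return 1
    if ! others_can_list "$jail"; then
        echo "chroot $jail is not readable/searchable by others ($(mode_of "$jail"))"
        return 1
    fi
    case $share in
        "$jail"/*) ;;
        *) echo "share $share is not inside chroot $jail"; return 1 ;;
    esac
    if [ ! -d "$share" ]; then
        echo "missing share directory: $share"; return 1
    fi
    if [ "$(uid_of "$share")" -ne "$share_uid" ]; then
        echo "share $share owned by uid $(uid_of "$share"), want $share_uid"; return 1
    fi
    if ! others_can_list "$share"; then
        echo "share $share is not readable/searchable by others ($(mode_of "$share"))"
        return 1
    fi
    echo "ok: chroot $jail, share $share"
}

# Usage against the layout suggested in the thread (run as root in the guest):
#   audit_sftp_chroot /srv/sftp /srv/sftp/9p "$(id -u libvirt-qemu)"
```

Against the thread's layouts this reports the three failure modes in order: a share directory used directly as ChrootDirectory and chowned to libvirt-qemu fails the ownership walk (the "bad ownership or modes" fatal), a root:root 0700 chroot passes the walk but fails the listing check (the readdir "Permission denied"), and the suggested /srv/sftp root:root 0755 with /srv/sftp/9p libvirt-qemu:libvirt-qemu 0755 passes both.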