Beiträge von NAS-i-Goreng

Hmm, yes that's what I need to figure out then: What is in there that could be needed?

The other issue with a scheduled reboot is that it sometimes hangs on reboot (rarely but it has happened).

And for a NAS that's not ideal.

Hence I'd like to avoid a reboot and let the cron job do something else.

What could be the reason for this unlimited groth of /tmp? I'm guessing that images are stored on /tmp while being processed to their final location.

Hello,

This is a strange phenomenon, but maybe someone else has experienced this before:

Setup:

I've got some CCTV IP cameras where I store the images via a ffmpeg cronjob onto an OMV partition.

At a set limit the first files get overwritten, so this directory wont grow unlimited.

It is still in a test phase and not 24/7 online.

Issue:

However, whenever I've got this running, /tmp grows to 100% and I've experienced OMV to be completely frozen my that (no login, had to perform a cold reboot).

Idea:

I understand that /tmp is usually emptied on reboot, but can one manage this e.g. by setting up another cron job to empty /tmp periodically?

Got some output. Yes missed the $ character...

"Zugriff auf '...' nicht möglich: Datei oder Verzeichnis nicht gefunden" = "Access to '...' not possible: File or directory not found"

USER@OMV:~$ ls $( getent passwd $USER | cut -d: -f6 )/.bashrc | more
ls: Zugriff auf '/var/cache/man' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/var/spool/lpd' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/var/spool/news' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/var/spool/uucp' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/var/list' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/var/run/ircd' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/var/lib/gnats' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/nonexistent' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/nonexistent' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/nonexistent' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/run/proftpd' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/home/openmediavault-webgui' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/home/admin' nicht möglich: Datei oder Verzeichnis nicht gefunden
ls: Zugriff auf '/nonexistent' nicht möglich: Datei oder Verzeichnis nicht gefunden
/srv/dev-disk-by-label-STORAGE/USER/USER2/.bashrc

/:
bin
boot
dev
etc
export
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32

To my surprise USER seems to be directed to use a bashrc in /srv/.../USER/USER2

After this line, it only returns a long list of files, so I cut it short.

The same command with USER2 returns the same path to this ./bashrc.

So to test that this is correct, I assed to the ./bashrc:

HISTTIMEFORMAT="%Y-%m-%d %T "

However, the command works as a temporary one for a terminal session but it won't stay permanent via this entry.

So I still wonder if this was the correct ./bashrc

echo $( getent passwd "$USER" | cut -d: -f6 )

returns a simple /home/USER (not USER2)

Ahh yes.... [where is the had bang smiley?].

ssh-copy-id -f -p '123' -i ~/.ssh/id_ed25519-A.pub USER@192.177.3.22

...did it after all.

-n was left over from a dry-run attempt.

This is actually a non-thread now, nobody would learn anything from this (apart from that too long hours or hot weather get your brain scrambled).

admin: feel free to delete, I'll mark it as solved.

Thanks Zoki once again!

Zitat von Zoki

This should show the .bashrc of $USER ls $( getent passwd "$USER" | cut -d: -f6 )/.bashrc

Replace $USER by the user name. echo $( getent passwd "$USER" | cut -d: -f6 ) will print the home dirctory of $USER

User names are case sensitive

ls: Access to '/home/USER/.bashrc' not possible: File or Directory not found

Hello,

My OMV seems inconsistent, but I'm not sure if I should really blame it.

From machine 1 I can login via public key authentication.

From machine 2 I can only login via password authentication.

The above is the same for ssh via the terminal or sftp via Nemo.

User is the same.

Machine one runs on Bodhi

Machine 2 runs on Sparky

sshd_config allows both, PW and public key as I wanted this "backdoor" still open in case I lose a key file, not ideal, I know.

On machine 2 I generated the key and ssh-copy-id ..ed it over to the OMV however with option -f (forced mode).

Without the forced mode, it returns:

ssh-copy-id -n -p '123' -i ~/.ssh/id_ed25519-1.pub @192.177.3.22
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/USER/.ssh/id_ed25519-A.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: ERROR: usage: ssh [-42AaCfGLKkcNnqgTtTvXxsy] [-B bind_interface]
ERROR:            [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
ERROR:            [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
ERROR:            [-i identity_file] [-J [user@]host[:port]] [-L address]
ERROR:            [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
ERROR:            [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
ERROR:            [-w local_tun[:remote_tun]] destination [command]

I named the key of machine to ...-1 to avoid potential douplicate issues.

What explains this different behaviour for one and the same user?

Hello,

I tried to add some features to a user's bashrc. But if I open ~/.bashrc it is an empty (=new) file.

The user does have a home directory and e.g. ~/.bash_history does exist (so no skeleton .bashrc as suggested here Where is bashrc?

But where is ~/.bashrc as I'd assume the "the shared folder you select under the user's name" is the user's home directory?

Yes, something to go through now before I try again. Also need to check the sections in the sshd_config as I somehow messed up the sectioning.

I might do a dry-run on another local machine regarding the user jail before I go to OMV again.

I'll mark this one as solved now, thanks for all help!

Zitat von Zoki

matchgroup defines a block. It should go last.

To test, simply keep a ssh session open and restart sshd instead of rebooting.

So keep one terminal session open, add MatchGroup last and try to open a new ssh session from another terminal?

The manpage sshd_config(5) says:

Zitat

Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

In other words: MatchGroup overrides all AllowGroup and as a consequence also AllowUsers unless they match the given group specification?

And if I place it at the end of the file, it won't find anything anyway, so I could leave it out as well?!?

Update:

I've unexpectedly gained access again via terminal login directly on the machine itself without the suggested procedure in #8.

Changed the sshd_config and commented / uncommented last changes and then I was able to log in via shell as well as sftp (via Nemo).

So against all error messages, this didn't seem to be a permission issue. It would have surprised me because I only changed/set the permissions for the new jailed users and their homes, not for any existing one (user Andi who is not jailed and part of ssh, sudo, root).

Below is the sshd_config with amendmends as commented.

UsePAM yes
# uncommented the next entry to revert to default
Subsystem sftp /usr/lib/openssh/sftp-server
# commented the next 4 lines as they were added changes
# Subsystem sftp internal-sftp
# ForceCommand internal-sftp
# Match Group jail
# ChrootDirectory %h
PermitTunnel no
# originally the following also contained the group called jail
AllowGroups users root ssh
AllowUsers root Andi sepp
# should the following be of any concern? Haven't seen this before
AddressFamily any
Port 123
PermitRootLogin yes
AllowTcpForwarding no
Compression no
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /var/lib/openmedi$
PubkeyAuthentication yes

Zitat von Zoki

Why don't you just comment it in sshd_config?

See #8 on how to do it.

...

Zitat

- install docker

- install portainer

- create an debin container and mount the os disk (yes /) to /rootfs give it a command which does not termiante the container (e.g. sleep 3600)

- open a shell in portainer for the container

- in /rootfs you will find the os disk

- undo any changes

- reboot

- remove the dangerous debin container if it works.

Alles anzeigen

That's an adventure for tomorrow.

I'm indeed still hoping to fix it rather than re-setting/restoring it.

Yes, just saw this:

Zitat

'This is caused by permissions set on the chroot directory.

The fix is to remove the SFTP user's write access to the chroot directory.

However, as it only accepts tokens, it seems on cannot just specify a directory where everything is present.

I tried removing write permissions for users but that didn't make a difference.

If I understand this reference correctly, adding ForceCommand internal-sftp to the sshd_config would get around the requirement of files in the chroot directory:

Zitat

Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory

...or not?

I wish I could display and potentially chmod permissions via the GUI.

Ah ok, that is good to know, thanks!

I also added the option

ChrootDirectory %h

This doesn't sound wrong to me as it would lead any user to his home directory.

But the error message seems to indicate a problem with the directory.

If I disable this option in the 'SSH' section of the GUI,

# ChrootDirectory %h

could this disable the existing entry or will it simply add another entry that is inactive?

After I set up a new (jailed) user, I also changed the file permissions for this user's home to 0700 (recursively) along with the group.

But I never touched root or the one pre-existing user.

As linked above, I started along a template process that involves creating a group, new user, adjusting respective file permissions and adapting the sshd_config.

What made me wonder is why the 'bad ownership' error refers to root "/" , not the user's specified /home directory.

bad ownership or modes for chroot directory component "/"

Zitat von Zoki

The original sshd_config has AllowGroups root ssh. No need for AllowUsers.

...

This was something that I added because I wanted to allow users who on the other hand were not part of any group.

I created a new group 'Jailed' that was supposed to contain jailed users and intended to make the jail secure by filtering groups and users.

What I wasn't sure about was whether AllowGroups or AllowUsers might take priority over the other (thus blocking users that aren't in any allowed group e.g.).

I will try to add an explicit 'AllowGroups' option under SSH.

Question: Could I potentially paste a full (re-modelled) sshd_config into the 'options' fiels under 'SSH' ?

Yes, same as with one of the other users who is actually in the ssh and sudo groups as well and also listed previously as AllowedUser.

Auth log says:

Jun 23 16:01:18 OMV sshd[10856]: User root from 192.168.2.31 not allowed because not listed in AllowUsers
Jun 23 16:01:18 OMV sshd[10856]: Postponed keyboard-interactive for invalid user root from 192.168.2.31 port 42262 ssh2 [preauth]
Jun 23 16:01:25 OMV sshd[10860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.31  user=root
Jun 23 16:01:26 OMV sshd[10856]: error: PAM: Authentication failure for illegal user root from 192.168.2.31
Jun 23 16:01:26 OMV sshd[10856]: Failed keyboard-interactive/pam for invalid user root from 192.168.2.31 port 42262 ssh2
Jun 23 16:01:26 OMV sshd[10856]: Postponed keyboard-interactive for invalid user root from 192.168.2.31 port 42262 ssh2 [preauth]

So dilligently added 'root' to AllowUsers but the result is the same.

I also rebooted the system, no change. It still thinks 'root' is illegal because it's not listed under 'AllowUsers' although this line is added under 'SSH'

Now this gets interesting:

Added user 'Help' and put him into those two groups.

Jun 23 15:16:42 OMV sshd[2013]: User Help from 192.168.2.31 not allowed because not listed in AllowUsers
Jun 23 15:16:43 OMV sshd[2013]: Postponed keyboard-interactive for invalid user Help from 192.168.2.31 port 40808 ssh2 [preauth]
Jun 23 15:16:48 OMV sshd[2015]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.31  user=Help
Jun 23 15:16:50 OMV sshd[2013]: error: PAM: Authentication failure for illegal user Help from 192.168.2.31
Jun 23 15:16:50 OMV sshd[2013]: Failed keyboard-interactive/pam for invalid user Help from 192.168.2.31 port 40808 ssh2
Jun 23 15:16:50 OMV sshd[2013]: Postponed keyboard-interactive for invalid user Help from 192.168.2.31 port 40808 ssh2 [preauth]

Ok, since I cannot edid the sshd_config, I added a further option under 'SSH' via the GUI:

AllowUsers Help

In a furthe modification, I also added previously allowed users but 'Help' should have gone through in any case- but it didn't!

Then I added another user (just to re-confirm): sepp (and also added him to the AllowUsers list.

AuthLog shows this however:

Jun 23 15:22:42 OMV useradd[2573]: new user: name=sepp, UID=1002, GID=100, home=/srv/dev-disk-by-label-NAS/OMV/sepp, shell=/bin/sh
Jun 23 15:22:42 OMV useradd[2573]: add 'sepp' to group 'sudo'
Jun 23 15:22:42 OMV useradd[2573]: add 'sepp' to group 'users'
Jun 23 15:22:42 OMV useradd[2573]: add 'sepp' to group 'ssh'
Jun 23 15:22:42 OMV useradd[2573]: add 'sepp' to shadow group 'sudo'
Jun 23 15:22:42 OMV useradd[2573]: add 'sepp' to shadow group 'users'
Jun 23 15:22:42 OMV useradd[2573]: add 'sepp' to shadow group 'ssh'
Jun 23 15:23:33 OMV sshd[4532]: Accepted keyboard-interactive/pam for sepp from 192.168.2.31 port 40962 ssh2
Jun 23 15:23:33 OMV sshd[4532]: pam_unix(sshd:session): session opened for user sepp by (uid=0)
Jun 23 15:23:33 OMV systemd-logind[464]: New session 6 of user sepp.
Jun 23 15:23:33 OMV systemd: pam_unix(systemd-user:session): session opened for user sepp by (uid=0)
Jun 23 15:23:33 OMV sshd[4560]: fatal: bad ownership or modes for chroot directory component "/"
Jun 23 15:23:33 OMV sshd[4532]: pam_unix(sshd:session): session closed for user sepp
Jun 23 15:23:33 OMV systemd-logind[464]: Session 6 logged out. Waiting for processes to exit.
Jun 23 15:23:33 OMV systemd-logind[464]: Removed session 6.
Jun 23 15:23:43 OMV systemd: pam_unix(systemd-user:session): session closed for user sepp

On the other end I'm getting the 'broken pipe' error obviously.

Is there any way to see the whole sshd_config or am I searching in the wrong direction here regarding the 'bad ownership' error?

Ah thanks.

Will try!

Hello,

I think I locked myself out of OMV.

This happened (probably) after I changed file permission as part of an attempt to creat a user jail (as a reference, I went along the lines of this: Chroot Jail and this (not in English): Chroot Jail - Ubuntuusers.de)

It didn't happen immediately but only after I logged out and tried to log in again a few days later now.

Login usually happens via public key, not PW, although I still left this option active in the sshd_config (as a backup I thought and for other machines...).

Auth log shows this line:

Jun 23 13:12:42 OMV sshd[1460]: fatal: bad ownership or modes for chroot directory component "/"

Shell login attempt from the client returns:

Enter passphrase for key '/home/laptop/.ssh/id_ed25519':
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.2.33 ([192.168.2.33]:123).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
packet_write_wait: Connection to 192.168.2.33 port 123: Broken pipe

Similarly I obviously cannot login from a client via Nemo or any GUI file managers.

I have a suspicion that I need to check and perhaps modify some permissions here but how can this be done w.o shell or file manager access with only the IMV GUI available?

Another suspicion I have is that I might need to modify the /etc/sshd_config but again, this needs some writable access.

Any suggestions would be much appreciated.

Hello,

I wanted to open the user crontab, so typed 'crontab -e' and as a result received this:

/tmp/crontab.SSGOfJ/crontab: No space left on device

So checked /tmp and found three files:

npm-26318-bc545970

systemd-private-9599c278efaf4e8980a22942458b471c-chrony.service-jP6vh4

systemd-private-9599c278efaf4e8980a22942458b471c-systemd-resolved.service-PKtX2n

There is plenty of space available.

Why do I get a "no space" reply?

And if I try to cd into (to check what's in there)

/tmp/crontab.SSGOfJ/crontab

or

/tmp/crontab.SSGOfJ/

it returns that the file or directory is not found.

'df -h' however shows that /tmp is at 100%

I'm currently using FFMPEG to record a video stream in sections onto /srv/USB, so totally bypassing the local file system. I'm assuming this should not affect /tmp.

What can fill /tmp ?