This was horrible.
So, it is quite easy to set up a chroot environment for some SFTP users.
Make an sftp-only group
sudo groupadd sftp-only
(I changed it to group id 500)
Add your user, along with an 'authorized_keys' file for public key authentication
cd /opt/chroot
sudo useradd --base-dir /opt/chroot --gid 500 --create-home --shell /sbin/nologin newsftpuser
sudo usermod -U newsftpuser
sudo mkdir newsftpuser/in
sudo chown root:root newsftpuser/
sudo chmod 755 newsftpuser/
sudo chown newsftpuser:sftp-only newsftpuser/in/
sudo mkdir newsftpuser/.ssh
sudo chown newsftpuser:sftp-only newsftpuser/.ssh/
sudo touch newsftpuser/.ssh/authorized_keys
sudo chmod 700 newsftpuser/.ssh
sudo chmod 600 newsftpuser/.ssh/authorized_keys
sudo chown newsftpuser:sftp-only newsftpuser/.ssh/authorized_keys
sudo restorecon -Rv newsftpuser/.ssh
Alter the sshd config file to enable the chroot with authorized keys
/etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp internal-sftp -f AUTH -l INFO
Match Group sftp-only
ChrootDirectory /opt/chroot/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -f AUTH -l INFO
Restart sshd
sudo systemctl restart sshd
That was the easy part.
But what if you want to log those users' activities?
You have to edit rsyslog to create a socket for each chrooted SFTP user, because internal-sftp running inside the chroot can't reach the normal /dev/log socket outside it...
/etc/rsyslog.conf
#### RULES ####
$AddUnixListenSocket /opt/chroot/newsftpuser/dev/log
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" stop
Then make a dev directory within each user's chroot directory, so rsyslog has somewhere to create the log socket
sudo mkdir newsftpuser/dev
sudo chmod 755 newsftpuser/dev
sudo chown root:root newsftpuser/dev
Restart rsyslog
sudo systemctl restart rsyslog
And it doesn't work. Of course. Because SELinux. /var/log/audit/audit.log shows rsyslogd being denied write access to the dev directory:
type=AVC msg=audit(1444444444.559:14128): avc: denied { write } for pid=19999 comm="rsyslogd" name="dev" dev="dm-1" ino=1234567 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
Turning off SELinux and restarting rsyslog then gets SFTP activity logged to /var/log/sftp.log
sudo setenforce 0
sestatus
sudo systemctl restart rsyslog
But that isn't a good solution when doing things 'properly'. So, I realised that I needed to set the context for /opt/chroot/newsftpuser/dev and /opt/chroot/newsftpuser/dev/log, but the actual context seems to be a big secret, with people warning that you need to configure SELinux to let rsyslog set up a socket in the chroot, but no one telling you how to configure it. Example: https://access.redhat.com/articles/1374633
Anyway, I finally found it thanks to a single article from 6 years ago by a Paul Howarth (http://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00088.html)
sudo chcon -t device_t /opt/chroot/newsftpuser/dev
sudo chcon -t devlog_t /opt/chroot/newsftpuser/dev/log
sudo systemctl restart rsyslog
Turn SELinux back on!
sudo setenforce 1
And woohoo, chrooted SFTP users now log to /var/log/sftp.log
Now to just set up the SELinux policy to make this change permanent, and of course set up logrotate on /var/log/sftp.log.
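A small helper script, added here and not part of the original post, that ties the troubleshooting above together: it decodes an AVC record like the one quoted from audit.log, checks the ownership and mode rules sshd enforces on a ChrootDirectory, and turns the chcon fix into a persistent file-context rule (the "make it permanent" step left for later). It assumes GNU coreutils stat and the policycoreutils semanage/restorecon tools; the function names are my own.

```shell
#!/bin/sh
# Added helper (not from the original post). Assumes GNU coreutils 'stat'
# and policycoreutils 'semanage'/'restorecon'. Set DRY_RUN=1 to print the
# privileged commands instead of executing them.
# run CMD...: execute, or echo the command when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# avc_field LINE KEY: one key=value from an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type LINE KEY: only the SELinux type (third field) of a context.
avc_type() { avc_field "$1" "$2" | cut -d: -f3; }

# avc_summary LINE: a readable one-liner, e.g.
# "rsyslogd (syslogd_t) denied write on dir 'dev' labelled home_root_t"
avc_summary() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*[^} ]\) *}.*/\1/p')
    printf "%s (%s) denied %s on %s '%s' labelled %s\n" \
        "$(avc_field "$1" comm)" "$(avc_type "$1" scontext)" "$perms" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" "$(avc_type "$1" tcontext)"
}

# chroot_dir_mode_ok DIR: sshd rejects a ChrootDirectory if any path
# component is group- or world-writable ("bad ownership or modes for
# chroot directory"). Returns 0 when DIR's mode passes.
chroot_dir_mode_ok() {
    perm=$(stat -c %A "$1") || return 1
    case "$perm" in
        ?????w*|????????w*) return 1 ;;   # group write / other write bit set
        *) return 0 ;;
    esac
}

# chroot_dir_ok DIR: the full sshd check, i.e. root-owned as well.
chroot_dir_ok() { [ "$(stat -c %u "$1")" = 0 ] && chroot_dir_mode_ok "$1"; }

# persist_chroot_log_contexts BASE: make the chcon fix survive a relabel for
# every user under BASE. File-context specs are regexes, so one rule per path
# covers all users. '-a' fails if the spec exists; use '-m' to modify it.
persist_chroot_log_contexts() {
    run semanage fcontext -a -t device_t "$1/[^/]+/dev"
    run semanage fcontext -a -t devlog_t "$1/[^/]+/dev/log"
    run restorecon -Rv "$1"
}
```

Run `DRY_RUN=1` first to review the semanage and restorecon commands before applying them as root.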