X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=openssh-chroot.patch;h=828de68ec749b3fb9fe88b749b73ce373a44d47b;hb=d6acc60248d6bdbe5e9cfdf18cd926215bf4d0cc;hp=92af31d037f6ef9b9a17ea55ec2f53e3a6ad20ee;hpb=fc8529e572a1fbf154ba686cb23e5c82932fbcab;p=packages%2Fopenssh.git diff --git a/openssh-chroot.patch b/openssh-chroot.patch index 92af31d..828de68 100644 --- a/openssh-chroot.patch +++ b/openssh-chroot.patch @@ -62,9 +62,9 @@ int use_dns; int client_alive_interval; /* * poke the client this often to ---- ./session.c.org 2008-05-05 16:22:11.935003283 +0200 -+++ ./session.c 2008-05-05 16:32:50.025507650 +0200 -@@ -1345,6 +1345,10 @@ void +--- openssh-7.2p1/session.c.orig 2016-03-05 10:24:44.227756638 +0100 ++++ openssh-7.2p1/session.c 2016-03-05 10:24:50.237756386 +0100 +@@ -1492,6 +1492,10 @@ do_setusercontext(struct passwd *pw) do_setusercontext(struct passwd *pw) { char *chroot_path, *tmp; 
@@ -73,37 +73,38 @@ + char *new_root; +#endif /* CHROOT */ - #ifdef WITH_SELINUX - /* Cache selinux status for later use */ -@@ -1425,8 +1429,28 @@ do_setusercontext(struct passwd *pw) - safely_chroot(chroot_path, pw->pw_uid); - free(tmp); - free(chroot_path); + platform_setusercontext(pw); + +@@ -1532,6 +1536,29 @@ do_setusercontext(struct passwd *pw) + free(options.chroot_directory); + options.chroot_directory = NULL; + in_chroot = 1; +#ifdef CHROOT -+ } else if (options.use_chroot) { ++ } else if (!in_chroot && options.use_chroot) { + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + -+ while((new_root = strchr(new_root, '.')) != NULL) { ++ while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; -+ if(strncmp(new_root, "/./", 3) == 0) { ++ if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + -+ if(chroot(user_dir) != 0) ++ if (chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); -+ pw->pw_dir = new_root; ++ /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */ ++ free(pw->pw_dir); ++ pw->pw_dir = xstrdup(new_root); ++ in_chroot = 1; + break; + } + new_root += 2; + } ++ free(user_dir); +#endif /* CHROOT */ } -+ #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { - perror("unable to set user context (setuser)"); --- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200 +++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200 @@ -91,6 +91,10 @@ 
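Review bot: The `UseChroot` branch calls `chroot(user_dir)` with no `chdir()` before or after it, so the working directory is still outside the new root at that point. It also applies none of the ownership and mode checks that `safely_chroot()` (the call visible on the removed side of this hunk) performs on the stock `ChrootDirectory` path. Because `user_dir` is just `pw->pw_dir` cut at the `/./` marker, a jail directory the account can write to weakens the confinement; I would change the call to `if (chdir(user_dir) != 0 || chroot(user_dir) != 0 || chdir("/") != 0)` and state in the `UseChroot` documentation that the jail root must be root-owned and not group- or world-writable. Separately, `new_root = user_dir + 1` steps past the terminator when `pw_dir` is an empty string, so a `*user_dir != '\0'` check before the loop would be cheap. `do_setusercontext()` starts and ends outside the hunk, so a later `chdir` may exist that is not visible here.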
@@ -119,9 +120,9 @@ # http://securitytracker.com/alerts/2004/Sep/1011143.html --- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200 +++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200 -@@ -451,6 +451,16 @@ - To disable TCP keepalive messages, the value should be set to - ``no''. +@@ -921,6 +921,16 @@ DESCRIPTION + TrustedUserCAKeys. For more details on certificates, see the + CERTIFICATES section in ssh-keygen(1). + UseChroot + Specifies whether to use chroot-jail environment with ssh/sftp, @@ -133,9 +134,9 @@ + For this to work properly you have to create special chroot-jail + environment in a /path/to/chroot directory. + - UseDNS Specifies whether sshd(8) should look up the remote host name and - check that the resolved host name for the remote IP address maps - back to the very same IP address. The default is ``yes''. + UseDNS Specifies whether sshd(8) should look up the remote host name, + and to check that the resolved host name for the remote IP + address maps back to the very same IP address. --- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100 +++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100 @@ -552,6 +552,16 @@