X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=openssh-chroot.patch;h=92af31d037f6ef9b9a17ea55ec2f53e3a6ad20ee;hb=141a04d1fdecda5efd3d0588eff5dd8b65ba3856;hp=23f1d8d8130887de745bd5a561f8fc54aeed628a;hpb=e5aad4e5e6d483d6c2746fc60bfa8b8197cf7c20;p=packages%2Fopenssh.git diff --git a/openssh-chroot.patch b/openssh-chroot.patch index 23f1d8d..92af31d 100644 --- a/openssh-chroot.patch +++ b/openssh-chroot.patch @@ -1,53 +1,157 @@ -diff -uNr openssh-3.7p1/session.c openssh-3.7p1-chroot/session.c ---- openssh-3.7p1/session.c Mon Sep 15 21:52:19 2003 -+++ openssh-3.7p1-chroot/session.c Tue Sep 16 14:23:34 2003 -@@ -62,6 +62,8 @@ - #include "ssh-gss.h" +--- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200 ++++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200 +@@ -56,7 +56,9 @@ + + /* Portable-specific options */ + options->use_pam = -1; +- ++ ++ options->use_chroot = -1; ++ + /* Standard Options */ + options->num_ports = 0; + options->ports_from_cmdline = 0; +@@ -131,6 +133,9 @@ + if (options->use_pam == -1) + options->use_pam = 0; + ++ if (options->use_chroot == -1) ++ options->use_chroot = 0; ++ + /* Standard Options */ + if (options->protocol == SSH_PROTO_UNKNOWN) + options->protocol = SSH_PROTO_1|SSH_PROTO_2; +@@ -270,6 +275,7 @@ + sBadOption, /* == unknown option */ + /* Portable-specific options */ + sUsePAM, ++ sUseChroot, + /* Standard Options */ + sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, + sPermitRootLogin, sLogFacility, sLogLevel, +@@ -312,6 +318,11 @@ + #else + { "usepam", sUnsupported, SSHCFG_GLOBAL }, #endif ++#ifdef CHROOT ++ { "usechroot", sUseChroot, SSHCFG_GLOBAL }, ++#else ++ { "usechroot", sUnsupported, SSHCFG_GLOBAL }, ++#endif /* CHROOT */ + { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, + /* Standard Options */ + { "port", sPort, SSHCFG_GLOBAL }, +@@ -662,6 +673,10 @@ + intptr = &options->use_pam; + goto parse_flag; -+#define CHROOT ++ case sUseChroot: ++ intptr = &options->use_chroot; ++ goto parse_flag; + - /* func */ - - Session *session_new(void); -@@ -1227,6 +1229,12 @@ - void + /* Standard Options */ + case sBadOption: + return -1; +--- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200 ++++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200 +@@ -109,6 +109,7 @@ + int max_startups_rate; + int max_startups; + char *banner; /* SSH-2 banner message */ ++ int use_chroot; /* Enable chrooted enviroment support */ + int use_dns; + int client_alive_interval; /* + * poke the client this often to +--- ./session.c.org 2008-05-05 16:22:11.935003283 +0200 ++++ ./session.c 2008-05-05 16:32:50.025507650 +0200 +@@ -1345,6 +1345,10 @@ void do_setusercontext(struct passwd *pw) { -+ + char *chroot_path, *tmp; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ -+ - #ifndef HAVE_CYGWIN - if (getuid() == 0 || geteuid() == 0) - #endif /* HAVE_CYGWIN */ -@@ -1264,6 +1272,27 @@ - exit(1); - } - endgrent(); -+ + + #ifdef WITH_SELINUX + /* Cache selinux status for later use */ +@@ -1425,8 +1429,28 @@ do_setusercontext(struct passwd *pw) + safely_chroot(chroot_path, pw->pw_uid); + free(tmp); + free(chroot_path); +#ifdef CHROOT -+ user_dir = xstrdup(pw->pw_dir); -+ new_root = user_dir + 1; ++ } else if (options.use_chroot) { ++ user_dir = xstrdup(pw->pw_dir); ++ new_root = user_dir + 1; + -+ while((new_root = strchr(new_root, '.')) != NULL) { -+ new_root--; -+ if(strncmp(new_root, "/./", 3) == 0) { -+ *new_root = '\0'; -+ new_root += 2; ++ while((new_root = strchr(new_root, '.')) != NULL) { ++ new_root--; ++ if(strncmp(new_root, "/./", 3) == 0) { ++ *new_root = '\0'; ++ new_root += 2; + -+ if(chroot(user_dir) != 0) -+ fatal("Couldn't chroot to user directory % s", user_dir); ++ if(chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory %s", user_dir); + pw->pw_dir = new_root; + break; + } + new_root += 2; -+ } ++ } +#endif /* CHROOT */ + } + ++ + #ifdef HAVE_LOGIN_CAP + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { + perror("unable to set user context (setuser)"); +--- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200 ++++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200 +@@ -91,6 +91,10 @@ + # and ChallengeResponseAuthentication to 'no'. + UsePAM yes + ++# Set this to 'yes' to enable support for chrooted user environment. ++# You must create such environment before you can use this feature. ++#UseChroot yes + + #AllowAgentForwarding yes + # Security advisory: + # http://securitytracker.com/alerts/2004/Sep/1011143.html +--- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200 ++++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200 +@@ -451,6 +451,16 @@ + To disable TCP keepalive messages, the value should be set to + ``no''. + ++ UseChroot ++ Specifies whether to use chroot-jail environment with ssh/sftp, ++ i.e. restrict users to a particular area in the filesystem. This ++ is done by setting user home directory to, for example, ++ /path/to/chroot/./home/username. sshd looks for a '.' in the ++ users home directory, then calls chroot(2) to whatever directory ++ was before the . and continues with the normal ssh functionality. ++ For this to work properly you have to create special chroot-jail ++ environment in a /path/to/chroot directory. + - # ifdef USE_PAM - /* - * PAM credentials may take the form of supplementary groups. + UseDNS Specifies whether sshd(8) should look up the remote host name and + check that the resolved host name for the remote IP address maps + back to the very same IP address. The default is ``yes''. +--- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100 ++++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100 +@@ -552,6 +552,16 @@ + The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. ++.It Cm UseChroot ++Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict ++users to a particular area in the filesystem. This is done by setting user ++home directory to, for example, /path/to/chroot/./home/username. ++.Nm sshd ++looks for a '.' in the users home directory, then calls ++.Xr chroot 2 ++to whatever directory was before the . and continues with the normal ssh ++functionality. For this to work properly you have to create special chroot-jail ++environment in a /path/to/chroot directory. + .It Cm TCPKeepAlive + Specifies whether the system should send TCP keepalive messages to the + other side.