]>
Commit | Line | Data |
---|---|---|
f11993b4 PG |
1 | --- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200 |
2 | +++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200 | |
3 | @@ -56,7 +56,9 @@ | |
4 | ||
5 | /* Portable-specific options */ | |
6 | options->use_pam = -1; | |
7 | - | |
8 | + | |
9 | + options->use_chroot = -1; | |
10 | + | |
11 | /* Standard Options */ | |
12 | options->num_ports = 0; | |
13 | options->ports_from_cmdline = 0; | |
14 | @@ -131,6 +133,9 @@ | |
15 | if (options->use_pam == -1) | |
16 | options->use_pam = 0; | |
17 | ||
18 | + if (options->use_chroot == -1) | |
19 | + options->use_chroot = 0; | |
20 | + | |
21 | /* Standard Options */ | |
22 | if (options->protocol == SSH_PROTO_UNKNOWN) | |
23 | options->protocol = SSH_PROTO_1|SSH_PROTO_2; | |
24 | @@ -270,6 +275,7 @@ | |
25 | sBadOption, /* == unknown option */ | |
26 | /* Portable-specific options */ | |
27 | sUsePAM, | |
28 | + sUseChroot, | |
29 | /* Standard Options */ | |
30 | sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, | |
31 | sPermitRootLogin, sLogFacility, sLogLevel, | |
32 | @@ -312,6 +318,11 @@ | |
33 | #else | |
34 | { "usepam", sUnsupported, SSHCFG_GLOBAL }, | |
35 | #endif | |
36 | +#ifdef CHROOT | |
37 | + { "usechroot", sUseChroot, SSHCFG_GLOBAL }, | |
38 | +#else | |
39 | + { "usechroot", sUnsupported, SSHCFG_GLOBAL }, | |
40 | +#endif /* CHROOT */ | |
41 | { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, | |
42 | /* Standard Options */ | |
43 | { "port", sPort, SSHCFG_GLOBAL }, | |
44 | @@ -662,6 +673,10 @@ | |
45 | intptr = &options->use_pam; | |
46 | goto parse_flag; | |
47 | ||
48 | + case sUseChroot: | |
49 | + intptr = &options->use_chroot; | |
50 | + goto parse_flag; | |
51 | + | |
52 | /* Standard Options */ | |
53 | case sBadOption: | |
54 | return -1; | |
55 | --- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200 | |
56 | +++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200 | |
57 | @@ -109,6 +109,7 @@ | |
58 | int max_startups_rate; | |
59 | int max_startups; | |
60 | char *banner; /* SSH-2 banner message */ | |
61 | + int use_chroot; /* Enable chrooted enviroment support */ | |
62 | int use_dns; | |
63 | int client_alive_interval; /* | |
64 | * poke the client this often to | |
65 | --- ./session.c.org 2008-05-05 16:22:11.935003283 +0200 | |
66 | +++ ./session.c 2008-05-05 16:32:50.025507650 +0200 | |
67 | @@ -1345,6 +1345,10 @@ void | |
68 | do_setusercontext(struct passwd *pw) | |
69 | { | |
70 | char *chroot_path, *tmp; | |
71 | +#ifdef CHROOT | |
72 | + char *user_dir; | |
73 | + char *new_root; | |
74 | +#endif /* CHROOT */ | |
75 | ||
76 | #ifdef WITH_SELINUX | |
77 | /* Cache selinux status for later use */ | |
78 | @@ -1425,8 +1429,28 @@ do_setusercontext(struct passwd *pw) | |
0fab2cab AM |
79 | /* Make sure we don't attempt to chroot again */ |
80 | free(options.chroot_directory); | |
81 | options.chroot_directory = NULL; | |
f11993b4 PG |
82 | +#ifdef CHROOT |
83 | + } else if (options.use_chroot) { | |
84 | + user_dir = xstrdup(pw->pw_dir); | |
85 | + new_root = user_dir + 1; | |
86 | + | |
87 | + while((new_root = strchr(new_root, '.')) != NULL) { | |
88 | + new_root--; | |
89 | + if(strncmp(new_root, "/./", 3) == 0) { | |
90 | + *new_root = '\0'; | |
91 | + new_root += 2; | |
92 | + | |
93 | + if(chroot(user_dir) != 0) | |
94 | + fatal("Couldn't chroot to user directory %s", user_dir); | |
95 | + pw->pw_dir = new_root; | |
96 | + break; | |
97 | + } | |
98 | + new_root += 2; | |
99 | + } | |
100 | +#endif /* CHROOT */ | |
101 | } | |
102 | ||
103 | + | |
08811ee8 AM |
104 | #ifdef HAVE_LOGIN_CAP |
105 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { | |
106 | perror("unable to set user context (setuser)"); | |
f11993b4 PG |
107 | --- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200 |
108 | +++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200 | |
fc8529e5 AM |
109 | @@ -91,6 +91,10 @@ |
110 | # and ChallengeResponseAuthentication to 'no'. | |
111 | UsePAM yes | |
f11993b4 PG |
112 | |
113 | +# Set this to 'yes' to enable support for chrooted user environment. | |
fc8529e5 | 114 | +# You must create such environment before you can use this feature. |
f11993b4 PG |
115 | +#UseChroot yes |
116 | + | |
fc8529e5 AM |
117 | #AllowAgentForwarding yes |
118 | # Security advisory: | |
119 | # http://securitytracker.com/alerts/2004/Sep/1011143.html | |
f11993b4 PG |
120 | --- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200 |
121 | +++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200 | |
122 | @@ -451,6 +451,16 @@ | |
123 | To disable TCP keepalive messages, the value should be set to | |
124 | ``no''. | |
125 | ||
126 | + UseChroot | |
127 | + Specifies whether to use chroot-jail environment with ssh/sftp, | |
128 | + i.e. restrict users to a particular area in the filesystem. This | |
129 | + is done by setting user home directory to, for example, | |
130 | + /path/to/chroot/./home/username. sshd looks for a '.' in the | |
131 | + users home directory, then calls chroot(2) to whatever directory | |
132 | + was before the . and continues with the normal ssh functionality. | |
133 | + For this to work properly you have to create special chroot-jail | |
134 | + environment in a /path/to/chroot directory. | |
135 | + | |
136 | UseDNS Specifies whether sshd(8) should look up the remote host name and | |
137 | check that the resolved host name for the remote IP address maps | |
138 | back to the very same IP address. The default is ``yes''. | |
139 | --- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100 | |
140 | +++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100 | |
141 | @@ -552,6 +552,16 @@ | |
142 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, | |
143 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. | |
144 | The default is AUTH. | |
145 | +.It Cm UseChroot | |
146 | +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict | |
147 | +users to a particular area in the filesystem. This is done by setting user | |
148 | +home directory to, for example, /path/to/chroot/./home/username. | |
149 | +.Nm sshd | |
150 | +looks for a '.' in the users home directory, then calls | |
151 | +.Xr chroot 2 | |
152 | +to whatever directory was before the . and continues with the normal ssh | |
153 | +functionality. For this to work properly you have to create special chroot-jail | |
154 | +environment in a /path/to/chroot directory. | |
155 | .It Cm TCPKeepAlive | |
156 | Specifies whether the system should send TCP keepalive messages to the | |
157 | other side. |