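--- openssh-3.7.1p2/servconf.c 2003-09-23 11:24:21.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.c 2003-10-07 20:49:08.000000000 +0200
@@ -41,7 +41,9 @@
 
 /* Portable-specific options */
 options->use_pam = -1;
-
+
+ options->use_chroot = -1;
+
 /* Standard Options */
 options->num_ports = 0;
 options->ports_from_cmdline = 0;
@@ -112,6 +114,9 @@
 if (options->use_pam == -1)
 options->use_pam = 0;
 
+ if (options->use_chroot == -1)
+ options->use_chroot = 0;
+
 /* Standard Options */
 if (options->protocol == SSH_PROTO_UNKNOWN)
 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -245,6 +250,7 @@
 sBadOption, /* == unknown option */
 /* Portable-specific options */
 sUsePAM,
+ sUseChroot,
 /* Standard Options */
 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 sPermitRootLogin, sLogFacility, sLogLevel,
@@ -278,6 +284,11 @@
 #else
 { "usepam", sUnsupported },
 #endif
+#ifdef CHROOT
+ { "usechroot", sUseChroot },
+#else
+ { "usechroot", sUnsupported },
+#endif /* CHROOT */
 { "pamauthenticationviakbdint", sDeprecated },
 /* Standard Options */
 { "port", sPort },
@@ -437,6 +448,10 @@
 intptr = &options->use_pam;
 goto parse_flag;
 
+ case sUseChroot:
+ intptr = &options->use_chroot;
+ goto parse_flag;
+
 /* Standard Options */
 case sBadOption:
 return -1;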
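--- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
@@ -109,6 +109,7 @@
 int max_startups_rate;
 int max_startups;
 char *banner; /* SSH-2 banner message */
+ int use_chroot; /* Enable chrooted enviroment support */
 int use_dns;
 int client_alive_interval; /*
 * poke the client this often to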
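Review bot: The comment on the new use_chroot field misspells "environment" and says nothing about the values the field takes, although servconf.c initialises it to -1 and later folds that into 0. Suggest `int use_chroot; /* UseChroot: chroot to the part of pw_dir before "/./" (-1 = unset) */` so the marker convention the session code depends on is visible where the option is declared. The struct definition begins and ends outside the hunk.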
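--- openssh-3.7.1p2/session.c 2003-09-23 10:59:08.000000000 +0200
+++ openssh-3.7.1p2.pius/session.c 2003-10-07 20:49:08.000000000 +0200
@@ -1231,6 +1231,10 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
 #ifndef HAVE_CYGWIN
 if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1268,6 +1272,28 @@
 exit(1);
 }
 endgrent();
+
+#ifdef CHROOT
+ if (options.use_chroot) {
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
+ while((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
+ if(strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
+ if(chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user directory % s", user_dir);
+ pw->pw_dir = new_root;
+ break;
+ }
+ new_root += 2;
+ }
+ }
+#endif /* CHROOT */
+
 # ifdef USE_PAM
 /*
 * PAM credentials may take the form of supplementary groups.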
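Review bot: The chroot(user_dir) call in the second hunk is not followed by a chdir(), so the process keeps the working directory it had before the root changed, which lies outside the new root; the session only ends up inside the jail if a later chdir to pw->pw_dir (outside this hunk) succeeds, and if that fails the shell starts with a cwd outside the jail. Change the guard to `if (chroot(user_dir) != 0 || chdir("/") != 0)` so the cwd is inside the jail from the moment the root changes, and fix the fatal() format string, where `% s` should be `%s` (the space flag is not defined for the s conversion). Nothing checks that user_dir and its parent components are root-owned and not writable by the user before chroot() is called; a user-writable jail root undermines the isolation, so the path should be verified here (owner root, mode not group/other-writable) rather than left to the sshd_config comment. When pw_dir contains no "/./" marker the option is silently skipped for that user and the xstrdup'd user_dir is leaked, and `user_dir + 1` reads past the terminator when pw_dir is the empty string; a log line in the no-marker case would at least make the unjailed session visible to the administrator. do_setusercontext continues outside the hunk.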
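--- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
@@ -71,6 +71,10 @@
 # bypass the setting of 'PasswordAuthentication'
 #UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature.
+#UseChroot yes
+
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no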
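--- openssh-3.7.1p2/sshd_config.0 2003-09-23 11:55:19.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config.0 2003-10-07 20:49:08.000000000 +0200
@@ -349,6 +349,16 @@
 CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
 fault is AUTH.
 
+ UseChroot
+ Specifies whether to use chroot-jail environment with ssh/sftp,
+ i.e. restrict users to a particular area in the filesystem. This
+ is done by setting user home directory to, for example,
+ /path/to/chroot/./home/username. sshd looks for a '.' in the
+ users home directory, then calls chroot(2) to whatever directory
+ was before the . and continues with the normal ssh functionality.
+ For this to work properly you have to create special chroot-jail
+ environment in a /path/to/chroot directory.
+
 UseDNS Specifies whether sshd should lookup the remote host name and
 check that the resolved host name for the remote IP address maps
 back to the very same IP address. The default is ``yes''.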
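--- openssh-3.7.1p2/sshd_config.5 2003-09-02 14:57:05.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config.5 2003-10-07 20:49:08.000000000 +0200
@@ -580,6 +580,16 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
+users to a particular area in the filesystem. This is done by setting user
+home directory to, for example, /path/to/chroot/./home/username.
+.Nm sshd
+looks for a '.' in the users home directory, then calls
+.Xr chroot 2
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
 .It Cm UseDNS
 Specifies whether
 .Nm sshd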