[packages/openssh.git] / openssh-chroot.patch

--- openssh-3.7.1p2/servconf.c	2003-09-23 11:24:21.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.c	2003-10-07 20:49:08.000000000 +0200
@@ -41,7 +41,9 @@
 
 	/* Portable-specific options */
 	options->use_pam = -1;
-
+	
+	options->use_chroot = -1;
+	
 	/* Standard Options */
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
@@ -112,6 +114,9 @@
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 
+	if (options->use_chroot == -1)
+		options->use_chroot = 0;
+	
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -245,6 +250,7 @@
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
 	sUsePAM,
+	sUseChroot,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
@@ -278,6 +284,11 @@
 #else
 	{ "usepam", sUnsupported },
 #endif
+#ifdef CHROOT
+	{ "usechroot", sUseChroot },
+#else
+	{ "usechroot", sUnsupported },
+#endif /* CHROOT */
 	{ "pamauthenticationviakbdint", sDeprecated },
 	/* Standard Options */
 	{ "port", sPort },
@@ -437,6 +448,10 @@
 		intptr = &options->use_pam;
 		goto parse_flag;
 
+	case sUseChroot:
+		intptr = &options->use_chroot;
+		goto parse_flag;
+
 	/* Standard Options */
 	case sBadOption:
 		return -1;
--- openssh-3.7.1p2/servconf.h	2003-09-02 14:58:22.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.h	2003-10-07 20:49:08.000000000 +0200
@@ -109,6 +109,7 @@
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
+	int     use_chroot;		/* Enable chrooted enviroment support */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
--- openssh-3.7.1p2/session.c	2003-09-23 10:59:08.000000000 +0200
+++ openssh-3.7.1p2.pius/session.c	2003-10-07 20:49:08.000000000 +0200
@@ -1231,6 +1231,10 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1268,6 +1272,28 @@
 			exit(1);
 		}
 		endgrent();
+
+#ifdef CHROOT
+		if (options.use_chroot) {
+			user_dir = xstrdup(pw->pw_dir);
+			new_root = user_dir + 1;
+
+			while((new_root = strchr(new_root, '.')) != NULL) {
+				new_root--;
+				if(strncmp(new_root, "/./", 3) == 0) {
+					*new_root = '\0';
+					new_root += 2;
+
+					if(chroot(user_dir) != 0)
+						fatal("Couldn't chroot to user directory % s", user_dir);
+						pw->pw_dir = new_root;
+						break;
+					}
+					new_root += 2;
+			}
+		}
+#endif /* CHROOT */
+
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups. 
--- openssh-3.7.1p2/sshd_config	2003-09-02 14:51:18.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config	2003-10-07 20:49:08.000000000 +0200
@@ -71,6 +71,10 @@
 # bypass the setting of 'PasswordAuthentication'
 #UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature. 
+#UseChroot yes
+
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
--- openssh-3.7.1p2/sshd_config.0	2003-09-23 11:55:19.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config.0	2003-10-07 20:49:08.000000000 +0200
@@ -349,6 +349,16 @@
              CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The de-
              fault is AUTH.
 
+     UseChroot
+             Specifies whether to use chroot-jail environment with ssh/sftp,
+             i.e. restrict users to a particular area in the filesystem. This
+             is done by setting user home directory to, for example,
+             /path/to/chroot/./home/username.  sshd looks for a '.' in the
+             users home directory, then calls chroot(2) to whatever directory
+             was before the . and continues with the normal ssh functionality.
+             For this to work properly you have to create special chroot-jail
+             environment in a /path/to/chroot directory.
+
      UseDNS  Specifies whether sshd should lookup the remote host name and
              check that the resolved host name for the remote IP address maps
              back to the very same IP address.  The default is ``yes''.
--- openssh-3.7.1p2/sshd_config.5	2003-09-02 14:57:05.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config.5	2003-10-07 20:49:08.000000000 +0200
@@ -580,6 +580,16 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
+users to a particular area in the filesystem. This is done by setting user
+home directory to, for example, /path/to/chroot/./home/username.
+.Nm sshd
+looks for a '.' in the users home directory, then calls
+.Xr chroot 2
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
 .It Cm UseDNS
 Specifies whether
 .Nm sshd
Commit	Line	Data
a42df7c9	1	--- openssh-3.7.1p2/servconf.c 2003-09-23 11:24:21.000000000 +0200
	2	+++ openssh-3.7.1p2.pius/servconf.c 2003-10-07 20:49:08.000000000 +0200
	3	@@ -41,7 +41,9 @@
	4
	5	/* Portable-specific options */
	6	options->use_pam = -1;
	7	-
	8	+
	9	+ options->use_chroot = -1;
	10	+
	11	/* Standard Options */
	12	options->num_ports = 0;
	13	options->ports_from_cmdline = 0;
	14	@@ -112,6 +114,9 @@
	15	if (options->use_pam == -1)
	16	options->use_pam = 0;
	17
	18	+ if (options->use_chroot == -1)
	19	+ options->use_chroot = 0;
	20	+
	21	/* Standard Options */
	22	if (options->protocol == SSH_PROTO_UNKNOWN)
	23	options->protocol = SSH_PROTO_1\|SSH_PROTO_2;
	24	@@ -245,6 +250,7 @@
	25	sBadOption, /* == unknown option */
	26	/* Portable-specific options */
	27	sUsePAM,
	28	+ sUseChroot,
	29	/* Standard Options */
	30	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	31	sPermitRootLogin, sLogFacility, sLogLevel,
	32	@@ -278,6 +284,11 @@
	33	#else
	34	{ "usepam", sUnsupported },
e5aad4e5	35	#endif
a42df7c9	36	+#ifdef CHROOT
	37	+ { "usechroot", sUseChroot },
	38	+#else
	39	+ { "usechroot", sUnsupported },
	40	+#endif /* CHROOT */
	41	{ "pamauthenticationviakbdint", sDeprecated },
	42	/* Standard Options */
	43	{ "port", sPort },
	44	@@ -437,6 +448,10 @@
	45	intptr = &options->use_pam;
	46	goto parse_flag;
e5aad4e5	47
a42df7c9	48	+ case sUseChroot:
	49	+ intptr = &options->use_chroot;
	50	+ goto parse_flag;
e5aad4e5	51	+
a42df7c9	52	/* Standard Options */
	53	case sBadOption:
	54	return -1;
	55	--- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
	56	+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
	57	@@ -109,6 +109,7 @@
	58	int max_startups_rate;
	59	int max_startups;
	60	char banner; / SSH-2 banner message */
	61	+ int use_chroot; /* Enable chrooted enviroment support */
	62	int use_dns;
	63	int client_alive_interval; /*
	64	* poke the client this often to
	65	--- openssh-3.7.1p2/session.c 2003-09-23 10:59:08.000000000 +0200
	66	+++ openssh-3.7.1p2.pius/session.c 2003-10-07 20:49:08.000000000 +0200
	67	@@ -1231,6 +1231,10 @@
e5aad4e5	68	void
	69	do_setusercontext(struct passwd *pw)
	70	{
e5aad4e5	71	+#ifdef CHROOT
	72	+ char *user_dir;
	73	+ char *new_root;
	74	+#endif /* CHROOT */
e5aad4e5	75	#ifndef HAVE_CYGWIN
	76	if (getuid() == 0 \|\| geteuid() == 0)
	77	#endif /* HAVE_CYGWIN */
a42df7c9	78	@@ -1268,6 +1272,28 @@
e5aad4e5	79	exit(1);
	80	}
	81	endgrent();
	82	+
	83	+#ifdef CHROOT
a42df7c9	84	+ if (options.use_chroot) {
	85	+ user_dir = xstrdup(pw->pw_dir);
	86	+ new_root = user_dir + 1;
e5aad4e5	87	+
a42df7c9	88	+ while((new_root = strchr(new_root, '.')) != NULL) {
	89	+ new_root--;
	90	+ if(strncmp(new_root, "/./", 3) == 0) {
	91	+ *new_root = '\0';
	92	+ new_root += 2;
e5aad4e5	93	+
a42df7c9	94	+ if(chroot(user_dir) != 0)
	95	+ fatal("Couldn't chroot to user directory % s", user_dir);
	96	+ pw->pw_dir = new_root;
	97	+ break;
	98	+ }
	99	+ new_root += 2;
	100	+ }
e5aad4e5	101	+ }
e5aad4e5	102	+#endif /* CHROOT */
e5aad4e5	103	+
	104	# ifdef USE_PAM
	105	/*
	106	* PAM credentials may take the form of supplementary groups.
a42df7c9	107	--- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
	108	+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
	109	@@ -71,6 +71,10 @@
	110	# bypass the setting of 'PasswordAuthentication'
	111	#UsePAM yes
	112
	113	+# Set this to 'yes' to enable support for chrooted user environment.
	114	+# You must create such environment before you can use this feature.
	115	+#UseChroot yes
	116	+
	117	#AllowTcpForwarding yes
	118	#GatewayPorts no
	119	#X11Forwarding no
	120	--- openssh-3.7.1p2/sshd_config.0 2003-09-23 11:55:19.000000000 +0200
	121	+++ openssh-3.7.1p2.pius/sshd_config.0 2003-10-07 20:49:08.000000000 +0200
	122	@@ -349,6 +349,16 @@
	123	CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
	124	fault is AUTH.
	125
	126	+ UseChroot
	127	+ Specifies whether to use chroot-jail environment with ssh/sftp,
	128	+ i.e. restrict users to a particular area in the filesystem. This
	129	+ is done by setting user home directory to, for example,
	130	+ /path/to/chroot/./home/username. sshd looks for a '.' in the
	131	+ users home directory, then calls chroot(2) to whatever directory
	132	+ was before the . and continues with the normal ssh functionality.
	133	+ For this to work properly you have to create special chroot-jail
	134	+ environment in a /path/to/chroot directory.
	135	+
	136	UseDNS Specifies whether sshd should lookup the remote host name and
	137	check that the resolved host name for the remote IP address maps
	138	back to the very same IP address. The default is ``yes''.
	139	--- openssh-3.7.1p2/sshd_config.5 2003-09-02 14:57:05.000000000 +0200
	140	+++ openssh-3.7.1p2.pius/sshd_config.5 2003-10-07 20:49:08.000000000 +0200
	141	@@ -580,6 +580,16 @@
	142	The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
	143	LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
	144	The default is AUTH.
	145	+.It Cm UseChroot
	146	+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
	147	+users to a particular area in the filesystem. This is done by setting user
	148	+home directory to, for example, /path/to/chroot/./home/username.
	149	+.Nm sshd
	150	+looks for a '.' in the users home directory, then calls
	151	+.Xr chroot 2
	152	+to whatever directory was before the . and continues with the normal ssh
	153	+functionality. For this to work properly you have to create special chroot-jail
	154	+environment in a /path/to/chroot directory.
	155	.It Cm UseDNS
	156	Specifies whether
	157	.Nm sshd