1 --- openssh-4.4p1/servconf.c.orig       2006-08-18 16:23:15.000000000 +0200
2 +++ openssh-4.4p1/servconf.c    2006-10-05 10:11:17.065971000 +0200
3 @@ -56,7 +56,9 @@
4  
5         /* Portable-specific options */
6         options->use_pam = -1;
7 -
8 +       
9 +       options->use_chroot = -1;
10 +       
11         /* Standard Options */
12         options->num_ports = 0;
13         options->ports_from_cmdline = 0;
14 @@ -131,6 +133,9 @@
15         if (options->use_pam == -1)
16                 options->use_pam = 0;
17  
18 +       if (options->use_chroot == -1)
19 +               options->use_chroot = 0;
20 +       
21         /* Standard Options */
22         if (options->protocol == SSH_PROTO_UNKNOWN)
23                 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
24 @@ -270,6 +275,7 @@
25         sBadOption,             /* == unknown option */
26         /* Portable-specific options */
27         sUsePAM,
28 +       sUseChroot,
29         /* Standard Options */
30         sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
31         sPermitRootLogin, sLogFacility, sLogLevel,
32 @@ -312,6 +318,11 @@
33  #else
34         { "usepam", sUnsupported, SSHCFG_GLOBAL },
35  #endif
36 +#ifdef CHROOT
37 +       { "usechroot", sUseChroot, SSHCFG_GLOBAL },
38 +#else
39 +       { "usechroot", sUnsupported, SSHCFG_GLOBAL },
40 +#endif /* CHROOT */
41         { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
42         /* Standard Options */
43         { "port", sPort, SSHCFG_GLOBAL },
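Review bot: In the `#else` arm the keyword is mapped to `sUnsupported`, so a build without `CHROOT` still accepts `UseChroot yes`. If `sUnsupported` is handled as in upstream servconf.c (a log line, then parsing continues; that handler is outside this hunk), an administrator relying on the jail gets unconfined sessions with only a log message to show for it. At minimum I would add a comment above the entry such as `/* without CHROOT this is parsed and ignored: users are NOT confined */`, and I would consider rejecting a true value at startup on such builds. The entry is also `SSHCFG_GLOBAL`, so it cannot be scoped per user or group with Match; that should be stated in the documentation.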
44 @@ -662,6 +673,10 @@
45                 intptr = &options->use_pam;
46                 goto parse_flag;
47  
48 +       case sUseChroot:
49 +               intptr = &options->use_chroot;
50 +               goto parse_flag;
51 +
52         /* Standard Options */
53         case sBadOption:
54                 return -1;
55 --- openssh-3.7.1p2/servconf.h  2003-09-02 14:58:22.000000000 +0200
56 +++ openssh-3.7.1p2.pius/servconf.h     2003-10-07 20:49:08.000000000 +0200
57 @@ -109,6 +109,7 @@
58         int     max_startups_rate;
59         int     max_startups;
60         char   *banner;                 /* SSH-2 banner message */
61 +       int     use_chroot;             /* Enable chrooted enviroment support */
62         int     use_dns;
63         int     client_alive_interval;  /*
64                                          * poke the client this often to
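Review bot: The comment on the new `use_chroot` field misspells "environment" and does not say what actually selects the jail. From the session.c hunk, the root is the part of `pw_dir` before a `/./` marker, while the man-page text describes it only as "a '.'". I would document the field as `/* chroot to the part of pw_dir preceding a "/./" marker */` so that the struct, the code and the manual agree on the trigger.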
65 --- openssh-7.2p1/session.c.orig        2016-03-05 10:24:44.227756638 +0100
66 +++ openssh-7.2p1/session.c     2016-03-05 10:24:50.237756386 +0100
67 @@ -1492,6 +1492,10 @@ do_setusercontext(struct passwd *pw)
68  do_setusercontext(struct passwd *pw)
69  {
70         char *chroot_path, *tmp;
71 +#ifdef CHROOT
72 +       char *user_dir;
73 +       char *new_root;
74 +#endif /* CHROOT */
75  
76         platform_setusercontext(pw);
77  
78 @@ -1532,6 +1536,29 @@ do_setusercontext(struct passwd *pw)
79                         free(options.chroot_directory);
80                         options.chroot_directory = NULL;
81                         in_chroot = 1;
82 +#ifdef CHROOT
83 +               } else if (!in_chroot && options.use_chroot) {
84 +                       user_dir = xstrdup(pw->pw_dir);
85 +                       new_root = user_dir + 1;
86 +
87 +                       while ((new_root = strchr(new_root, '.')) != NULL) {
88 +                               new_root--;
89 +                               if (strncmp(new_root, "/./", 3) == 0) {
90 +                                       *new_root = '\0';
91 +                                       new_root += 2;
92 +
93 +                                       if (chroot(user_dir) != 0)
94 +                                               fatal("Couldn't chroot to user directory %s", user_dir);
95 +                                       /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
96 +                                       free(pw->pw_dir);
97 +                                       pw->pw_dir = xstrdup(new_root);
98 +                                       in_chroot = 1;
99 +                                       break;
100 +                               }
101 +                               new_root += 2;
102 +                       }
103 +                       free(user_dir);
104 +#endif /* CHROOT */
105                 }
106  
107  #ifdef HAVE_LOGIN_CAP
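Review bot: The `chroot(user_dir)` call in the new `else if` branch is not paired with a `chdir()`, so the working directory stays outside the new root until later code changes it. It also applies none of the ownership and write-permission checks that upstream's `safely_chroot()` performs for ChrootDirectory. I would enter the directory, chroot, then `chdir("/")`, add `strerror(errno)` to the fatal message, and require every component of the jail path to be root-owned and not group- or world-writable before entering it. Separately, `new_root = user_dir + 1` steps past the terminator when `pw->pw_dir` is an empty string, so the `strchr()` scan reads beyond the allocation; the branch condition should reject an empty home directory. The body of do_setusercontext starts and ends outside this hunk, so I am assuming this branch sits inside the existing root-only block.

```c
                } else if (!in_chroot && options.use_chroot &&
                    *pw->pw_dir != '\0') {
                        /* … unchanged: xstrdup(pw->pw_dir) and the "/./" scan … */
                                        /* enter the jail first so no cwd outside it survives */
                                        if (chdir(user_dir) != 0 ||
                                            chroot(user_dir) != 0 ||
                                            chdir("/") != 0)
                                                fatal("Couldn't chroot to user directory %s: %s",
                                                    user_dir, strerror(errno));
                        /* … unchanged: pw_dir replacement, in_chroot = 1, free(user_dir) … */
```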
108 --- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
109 +++ openssh-3.7.1p2.pius/sshd_config    2003-10-07 20:49:08.000000000 +0200
110 @@ -91,6 +91,10 @@
111  # and ChallengeResponseAuthentication to 'no'.
112  UsePAM yes
113  
114 +# Set this to 'yes' to enable support for chrooted user environment.
115 +# You must create such environment before you can use this feature.
116 +#UseChroot yes
117 +
118  #AllowAgentForwarding yes
119  # Security advisory:
120  # http://securitytracker.com/alerts/2004/Sep/1011143.html
121 --- openssh-4.4p1/sshd_config.0.orig    2006-09-26 13:03:48.000000000 +0200
122 +++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200
123 @@ -921,6 +921,16 @@ DESCRIPTION
124               TrustedUserCAKeys.  For more details on certificates, see the
125               CERTIFICATES section in ssh-keygen(1).
126  
127 +     UseChroot
128 +             Specifies whether to use chroot-jail environment with ssh/sftp,
129 +             i.e. restrict users to a particular area in the filesystem. This
130 +             is done by setting user home directory to, for example,
131 +             /path/to/chroot/./home/username.  sshd looks for a '.' in the
132 +             users home directory, then calls chroot(2) to whatever directory
133 +             was before the . and continues with the normal ssh functionality.
134 +             For this to work properly you have to create special chroot-jail
135 +             environment in a /path/to/chroot directory.
136 +
137       UseDNS  Specifies whether sshd(8) should look up the remote host name,
138               and to check that the resolved host name for the remote IP
139               address maps back to the very same IP address.
140 --- openssh-3.8p1/sshd_config.5.orig    2004-02-18 04:31:24.000000000 +0100
141 +++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
142 @@ -552,6 +552,16 @@
143  The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
144  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
145  The default is AUTH.
146 +.It Cm UseChroot
147 +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
148 +users to a particular area in the filesystem. This is done by setting user
149 +home directory to, for example, /path/to/chroot/./home/username.
150 +.Nm sshd
151 +looks for a '.' in the users home directory, then calls
152 +.Xr chroot 2
153 +to whatever directory was before the . and continues with the normal ssh
154 +functionality. For this to work properly you have to create special chroot-jail
155 +environment in a /path/to/chroot directory.
156  .It Cm TCPKeepAlive
157  Specifies whether the system should send TCP keepalive messages to the
158  other side.