openssh-chroot.patch

   1 --- openssh-3.7.1p2/servconf.c  2003-09-23 11:24:21.000000000 +0200
   2 +++ openssh-3.7.1p2.pius/servconf.c     2003-10-07 20:49:08.000000000 +0200
   3 @@ -41,7 +41,9 @@
   4
   5         /* Portable-specific options */
   6         options->use_pam = -1;
   7 -
   8 +
   9 +       options->use_chroot = -1;
  10 +
  11         /* Standard Options */
  12         options->num_ports = 0;
  13         options->ports_from_cmdline = 0;
  14 @@ -112,6 +114,9 @@
  15         if (options->use_pam == -1)
  16                 options->use_pam = 0;
  17
  18 +       if (options->use_chroot == -1)
  19 +               options->use_chroot = 0;
  20 +
  21         /* Standard Options */
  22         if (options->protocol == SSH_PROTO_UNKNOWN)
  23                 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
  24 @@ -245,6 +250,7 @@
  25         sBadOption,             /* == unknown option */
  26         /* Portable-specific options */
  27         sUsePAM,
  28 +       sUseChroot,
  29         /* Standard Options */
  30         sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
  31         sPermitRootLogin, sLogFacility, sLogLevel,
  32 @@ -278,6 +284,11 @@
  33  #else
  34         { "usepam", sUnsupported },
  35  #endif
  36 +#ifdef CHROOT
  37 +       { "usechroot", sUseChroot },
  38 +#else
  39 +       { "usechroot", sUnsupported },
  40 +#endif /* CHROOT */
  41         { "pamauthenticationviakbdint", sDeprecated },
  42         /* Standard Options */
  43         { "port", sPort },
  44 @@ -437,6 +448,10 @@
  45                 intptr = &options->use_pam;
  46                 goto parse_flag;
  47
  48 +       case sUseChroot:
  49 +               intptr = &options->use_chroot;
  50 +               goto parse_flag;
  51 +
  52         /* Standard Options */
  53         case sBadOption:
  54                 return -1;
  55 --- openssh-3.7.1p2/servconf.h  2003-09-02 14:58:22.000000000 +0200
  56 +++ openssh-3.7.1p2.pius/servconf.h     2003-10-07 20:49:08.000000000 +0200
  57 @@ -109,6 +109,7 @@
  58         int     max_startups_rate;
  59         int     max_startups;
  60         char   *banner;                 /* SSH-2 banner message */
  61 +       int     use_chroot;             /* Enable chrooted enviroment support */
  62         int     use_dns;
  63         int     client_alive_interval;  /*
  64                                          * poke the client this often to
  65 --- openssh-3.7.1p2/session.c   2003-09-23 10:59:08.000000000 +0200
  66 +++ openssh-3.7.1p2.pius/session.c      2003-10-07 20:49:08.000000000 +0200
  67 @@ -1231,6 +1231,10 @@
  68  void
  69  do_setusercontext(struct passwd *pw)
  70  {
  71 +#ifdef CHROOT
  72 +       char *user_dir;
  73 +       char *new_root;
  74 +#endif /* CHROOT */
  75  #ifndef HAVE_CYGWIN
  76         if (getuid() == 0 || geteuid() == 0)
  77  #endif /* HAVE_CYGWIN */
  78 @@ -1268,6 +1272,28 @@
  79                         exit(1);
  80                 }
  81                 endgrent();
  82 +
  83 +#ifdef CHROOT
  84 +               if (options.use_chroot) {
  85 +                       user_dir = xstrdup(pw->pw_dir);
  86 +                       new_root = user_dir + 1;
  87 +
  88 +                       while((new_root = strchr(new_root, '.')) != NULL) {
  89 +                               new_root--;
  90 +                               if(strncmp(new_root, "/./", 3) == 0) {
  91 +                                       *new_root = '\0';
  92 +                                       new_root += 2;
  93 +
  94 +                                       if(chroot(user_dir) != 0)
  95 +                                               fatal("Couldn't chroot to user directory % s", user_dir);
  96 +                                               pw->pw_dir = new_root;
  97 +                                               break;
  98 +                                       }
  99 +                                       new_root += 2;
 100 +                       }
 101 +               }
 102 +#endif /* CHROOT */
 103 +
 104  # ifdef USE_PAM
 105                 /*
 106                  * PAM credentials may take the form of supplementary groups.
 107 --- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
 108 +++ openssh-3.7.1p2.pius/sshd_config    2003-10-07 20:49:08.000000000 +0200
 109 @@ -71,6 +71,10 @@
 110  # bypass the setting of 'PasswordAuthentication'
 111  #UsePAM yes
 112
 113 +# Set this to 'yes' to enable support for chrooted user environment.
 114 +# You must create such environment before you can use this feature.
 115 +#UseChroot yes
 116 +
 117  #AllowTcpForwarding yes
 118  #GatewayPorts no
 119  #X11Forwarding no
 120 --- openssh-3.7.1p2/sshd_config.0       2003-09-23 11:55:19.000000000 +0200
 121 +++ openssh-3.7.1p2.pius/sshd_config.0  2003-10-07 20:49:08.000000000 +0200
 122 @@ -349,6 +349,16 @@
 123               CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The de-
 124               fault is AUTH.
 125
 126 +     UseChroot
 127 +             Specifies whether to use chroot-jail environment with ssh/sftp,
 128 +             i.e. restrict users to a particular area in the filesystem. This
 129 +             is done by setting user home directory to, for example,
 130 +             /path/to/chroot/./home/username.  sshd looks for a '.' in the
 131 +             users home directory, then calls chroot(2) to whatever directory
 132 +             was before the . and continues with the normal ssh functionality.
 133 +             For this to work properly you have to create special chroot-jail
 134 +             environment in a /path/to/chroot directory.
 135 +
 136       UseDNS  Specifies whether sshd should lookup the remote host name and
 137               check that the resolved host name for the remote IP address maps
 138               back to the very same IP address.  The default is ``yes''.
 139 --- openssh-3.7.1p2/sshd_config.5       2003-09-02 14:57:05.000000000 +0200
 140 +++ openssh-3.7.1p2.pius/sshd_config.5  2003-10-07 20:49:08.000000000 +0200
 141 @@ -580,6 +580,16 @@
 142  The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 143  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 144  The default is AUTH.
 145 +.It Cm UseChroot
 146 +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
 147 +users to a particular area in the filesystem. This is done by setting user
 148 +home directory to, for example, /path/to/chroot/./home/username.
 149 +.Nm sshd
 150 +looks for a '.' in the users home directory, then calls
 151 +.Xr chroot 2
 152 +to whatever directory was before the . and continues with the normal ssh
 153 +functionality. For this to work properly you have to create special chroot-jail
 154 +environment in a /path/to/chroot directory.
 155  .It Cm UseDNS
 156  Specifies whether
 157  .Nm sshd