]>
Commit | Line | Data |
---|---|---|
f11993b4 PG |
1 | --- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200 |
2 | +++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200 | |
3 | @@ -56,7 +56,9 @@ | |
4 | ||
5 | /* Portable-specific options */ | |
6 | options->use_pam = -1; | |
7 | - | |
8 | + | |
9 | + options->use_chroot = -1; | |
10 | + | |
11 | /* Standard Options */ | |
12 | options->num_ports = 0; | |
13 | options->ports_from_cmdline = 0; | |
14 | @@ -131,6 +133,9 @@ | |
15 | if (options->use_pam == -1) | |
16 | options->use_pam = 0; | |
17 | ||
18 | + if (options->use_chroot == -1) | |
19 | + options->use_chroot = 0; | |
20 | + | |
21 | /* Standard Options */ | |
22 | if (options->protocol == SSH_PROTO_UNKNOWN) | |
23 | options->protocol = SSH_PROTO_1|SSH_PROTO_2; | |
24 | @@ -270,6 +275,7 @@ | |
25 | sBadOption, /* == unknown option */ | |
26 | /* Portable-specific options */ | |
27 | sUsePAM, | |
28 | + sUseChroot, | |
29 | /* Standard Options */ | |
30 | sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, | |
31 | sPermitRootLogin, sLogFacility, sLogLevel, | |
32 | @@ -312,6 +318,11 @@ | |
33 | #else | |
34 | { "usepam", sUnsupported, SSHCFG_GLOBAL }, | |
35 | #endif | |
36 | +#ifdef CHROOT | |
37 | + { "usechroot", sUseChroot, SSHCFG_GLOBAL }, | |
38 | +#else | |
39 | + { "usechroot", sUnsupported, SSHCFG_GLOBAL }, | |
40 | +#endif /* CHROOT */ | |
41 | { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, | |
42 | /* Standard Options */ | |
43 | { "port", sPort, SSHCFG_GLOBAL }, | |
44 | @@ -662,6 +673,10 @@ | |
45 | intptr = &options->use_pam; | |
46 | goto parse_flag; | |
47 | ||
48 | + case sUseChroot: | |
49 | + intptr = &options->use_chroot; | |
50 | + goto parse_flag; | |
51 | + | |
52 | /* Standard Options */ | |
53 | case sBadOption: | |
54 | return -1; | |
55 | --- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200 | |
56 | +++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200 | |
57 | @@ -109,6 +109,7 @@ | |
58 | int max_startups_rate; | |
59 | int max_startups; | |
60 | char *banner; /* SSH-2 banner message */ | |
61 | + int use_chroot; /* Enable chrooted enviroment support */ | |
62 | int use_dns; | |
63 | int client_alive_interval; /* | |
64 | * poke the client this often to | |
f685d17f JB |
65 | --- openssh-7.2p1/session.c.orig 2016-03-05 10:24:44.227756638 +0100 |
66 | +++ openssh-7.2p1/session.c 2016-03-05 10:24:50.237756386 +0100 | |
f6a10c37 | 67 | @@ -1492,6 +1492,10 @@ do_setusercontext(struct passwd *pw) |
f685d17f JB |
68 | do_setusercontext(struct passwd *pw) |
69 | { | |
70 | char *chroot_path, *tmp; | |
f11993b4 PG |
71 | +#ifdef CHROOT |
72 | + char *user_dir; | |
73 | + char *new_root; | |
74 | +#endif /* CHROOT */ | |
75 | ||
f6a10c37 AM |
76 | platform_setusercontext(pw); |
77 | ||
f685d17f JB |
78 | @@ -1532,6 +1536,29 @@ do_setusercontext(struct passwd *pw) |
79 | free(options.chroot_directory); | |
80 | options.chroot_directory = NULL; | |
81 | in_chroot = 1; | |
f11993b4 | 82 | +#ifdef CHROOT |
f685d17f | 83 | + } else if (!in_chroot && options.use_chroot) { |
f11993b4 PG |
84 | + user_dir = xstrdup(pw->pw_dir); |
85 | + new_root = user_dir + 1; | |
86 | + | |
f685d17f | 87 | + while ((new_root = strchr(new_root, '.')) != NULL) { |
f11993b4 | 88 | + new_root--; |
f685d17f | 89 | + if (strncmp(new_root, "/./", 3) == 0) { |
f11993b4 PG |
90 | + *new_root = '\0'; |
91 | + new_root += 2; | |
92 | + | |
f685d17f | 93 | + if (chroot(user_dir) != 0) |
f11993b4 | 94 | + fatal("Couldn't chroot to user directory %s", user_dir); |
f685d17f JB |
95 | + /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */ |
96 | + free(pw->pw_dir); | |
97 | + pw->pw_dir = xstrdup(new_root); | |
98 | + in_chroot = 1; | |
f11993b4 PG |
99 | + break; |
100 | + } | |
101 | + new_root += 2; | |
102 | + } | |
f685d17f | 103 | + free(user_dir); |
f11993b4 PG |
104 | +#endif /* CHROOT */ |
105 | } | |
106 | ||
08811ee8 | 107 | #ifdef HAVE_LOGIN_CAP |
f11993b4 PG |
108 | --- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200 |
109 | +++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200 | |
fc8529e5 AM |
110 | @@ -91,6 +91,10 @@ |
111 | # and ChallengeResponseAuthentication to 'no'. | |
112 | UsePAM yes | |
f11993b4 PG |
113 | |
114 | +# Set this to 'yes' to enable support for chrooted user environment. | |
fc8529e5 | 115 | +# You must create such environment before you can use this feature. |
f11993b4 PG |
116 | +#UseChroot yes |
117 | + | |
fc8529e5 AM |
118 | #AllowAgentForwarding yes |
119 | # Security advisory: | |
120 | # http://securitytracker.com/alerts/2004/Sep/1011143.html | |
f11993b4 PG |
121 | --- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200 |
122 | +++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200 | |
f9d8b6a7 AM |
123 | @@ -921,6 +921,16 @@ DESCRIPTION |
124 | TrustedUserCAKeys. For more details on certificates, see the | |
125 | CERTIFICATES section in ssh-keygen(1). | |
f11993b4 PG |
126 | |
127 | + UseChroot | |
128 | + Specifies whether to use chroot-jail environment with ssh/sftp, | |
129 | + i.e. restrict users to a particular area in the filesystem. This | |
130 | + is done by setting user home directory to, for example, | |
131 | + /path/to/chroot/./home/username. sshd looks for a '.' in the | |
132 | + users home directory, then calls chroot(2) to whatever directory | |
133 | + was before the . and continues with the normal ssh functionality. | |
134 | + For this to work properly you have to create special chroot-jail | |
135 | + environment in a /path/to/chroot directory. | |
136 | + | |
f9d8b6a7 AM |
137 | UseDNS Specifies whether sshd(8) should look up the remote host name, |
138 | and to check that the resolved host name for the remote IP | |
139 | address maps back to the very same IP address. | |
f11993b4 PG |
140 | --- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100 |
141 | +++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100 | |
142 | @@ -552,6 +552,16 @@ | |
143 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, | |
144 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. | |
145 | The default is AUTH. | |
146 | +.It Cm UseChroot | |
147 | +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict | |
148 | +users to a particular area in the filesystem. This is done by setting user | |
149 | +home directory to, for example, /path/to/chroot/./home/username. | |
150 | +.Nm sshd | |
151 | +looks for a '.' in the users home directory, then calls | |
152 | +.Xr chroot 2 | |
153 | +to whatever directory was before the . and continues with the normal ssh | |
154 | +functionality. For this to work properly you have to create special chroot-jail | |
155 | +environment in a /path/to/chroot directory. | |
156 | .It Cm TCPKeepAlive | |
157 | Specifies whether the system should send TCP keepalive messages to the | |
158 | other side. |