[packages/openssh.git] / openssh-chroot.patch

--- openssh-3.7.1p2/servconf.c	2003-09-23 11:24:21.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.c	2003-10-07 20:49:08.000000000 +0200
@@ -41,7 +41,9 @@
 
 	/* Portable-specific options */
 	options->use_pam = -1;
-
+	
+	options->use_chroot = -1;
+	
 	/* Standard Options */
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
@@ -112,6 +114,9 @@
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 
+	if (options->use_chroot == -1)
+		options->use_chroot = 0;
+	
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -245,6 +250,7 @@
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
 	sUsePAM,
+	sUseChroot,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
@@ -278,6 +284,11 @@
 #else
 	{ "usepam", sUnsupported },
 #endif
+#ifdef CHROOT
+	{ "usechroot", sUseChroot },
+#else
+	{ "usechroot", sUnsupported },
+#endif /* CHROOT */
 	{ "pamauthenticationviakbdint", sDeprecated },
 	/* Standard Options */
 	{ "port", sPort },
@@ -437,6 +448,10 @@
 		intptr = &options->use_pam;
 		goto parse_flag;
 
+	case sUseChroot:
+		intptr = &options->use_chroot;
+		goto parse_flag;
+
 	/* Standard Options */
 	case sBadOption:
 		return -1;
--- openssh-3.7.1p2/servconf.h	2003-09-02 14:58:22.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.h	2003-10-07 20:49:08.000000000 +0200
@@ -109,6 +109,7 @@
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
+	int     use_chroot;		/* Enable chrooted enviroment support */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
--- openssh-4.0p1/session.c.orig	2005-03-06 12:38:52.000000000 +0100
+++ openssh-4.0p1/session.c	2005-03-10 15:14:04.000000000 +0100
@@ -1258,6 +1258,10 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1315,6 +1319,26 @@
 			restore_uid();
 		}
 #endif
+#ifdef CHROOT
+		if (options.use_chroot) {
+			user_dir = xstrdup(pw->pw_dir);
+			new_root = user_dir + 1;
+
+			while((new_root = strchr(new_root, '.')) != NULL) {
+				new_root--;
+				if(strncmp(new_root, "/./", 3) == 0) {
+					*new_root = '\0';
+					new_root += 2;
+
+					if(chroot(user_dir) != 0)
+						fatal("Couldn't chroot to user directory %s", user_dir);
+						pw->pw_dir = new_root;
+						break;
+					}
+					new_root += 2;
+			}
+		}
+#endif /* CHROOT */
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups.
--- openssh-3.7.1p2/sshd_config	2003-09-02 14:51:18.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config	2003-10-07 20:49:08.000000000 +0200
@@ -71,6 +71,10 @@
 # bypass the setting of 'PasswordAuthentication'
 #UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature. 
+#UseChroot yes
+
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
--- openssh-3.7.1p2/sshd_config.0	2003-09-23 11:55:19.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config.0	2003-10-07 20:49:08.000000000 +0200
@@ -349,6 +349,16 @@
              To disable TCP keepalive messages, the value should be set to
              ``no''.
 
+     UseChroot
+             Specifies whether to use chroot-jail environment with ssh/sftp,
+             i.e. restrict users to a particular area in the filesystem. This
+             is done by setting user home directory to, for example,
+             /path/to/chroot/./home/username.  sshd looks for a '.' in the
+             users home directory, then calls chroot(2) to whatever directory
+             was before the . and continues with the normal ssh functionality.
+             For this to work properly you have to create special chroot-jail
+             environment in a /path/to/chroot directory.
+
      UseDNS  Specifies whether sshd should look up the remote host name and
              check that the resolved host name for the remote IP address maps
              back to the very same IP address.  The default is ``yes''.
--- openssh-3.8p1/sshd_config.5.orig	2004-02-18 04:31:24.000000000 +0100
+++ openssh-3.8p1/sshd_config.5	2004-02-25 21:17:23.000000000 +0100
@@ -552,6 +552,16 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
+users to a particular area in the filesystem. This is done by setting user
+home directory to, for example, /path/to/chroot/./home/username.
+.Nm sshd
+looks for a '.' in the users home directory, then calls
+.Xr chroot 2
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
 .It Cm TCPKeepAlive
 Specifies whether the system should send TCP keepalive messages to the
 other side.
Commit	Line	Data
ad07ca4f	1	--- openssh-3.7.1p2/servconf.c 2003-09-23 11:24:21.000000000 +0200
	2	+++ openssh-3.7.1p2.pius/servconf.c 2003-10-07 20:49:08.000000000 +0200
	3	@@ -41,7 +41,9 @@
	4
	5	/* Portable-specific options */
	6	options->use_pam = -1;
	7	-
	8	+
	9	+ options->use_chroot = -1;
	10	+
	11	/* Standard Options */
	12	options->num_ports = 0;
	13	options->ports_from_cmdline = 0;
	14	@@ -112,6 +114,9 @@
	15	if (options->use_pam == -1)
	16	options->use_pam = 0;
	17
	18	+ if (options->use_chroot == -1)
	19	+ options->use_chroot = 0;
	20	+
	21	/* Standard Options */
	22	if (options->protocol == SSH_PROTO_UNKNOWN)
	23	options->protocol = SSH_PROTO_1\|SSH_PROTO_2;
	24	@@ -245,6 +250,7 @@
	25	sBadOption, /* == unknown option */
	26	/* Portable-specific options */
	27	sUsePAM,
	28	+ sUseChroot,
	29	/* Standard Options */
	30	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	31	sPermitRootLogin, sLogFacility, sLogLevel,
	32	@@ -278,6 +284,11 @@
	33	#else
	34	{ "usepam", sUnsupported },
	35	#endif
	36	+#ifdef CHROOT
	37	+ { "usechroot", sUseChroot },
	38	+#else
	39	+ { "usechroot", sUnsupported },
	40	+#endif /* CHROOT */
	41	{ "pamauthenticationviakbdint", sDeprecated },
	42	/* Standard Options */
	43	{ "port", sPort },
	44	@@ -437,6 +448,10 @@
	45	intptr = &options->use_pam;
	46	goto parse_flag;
	47
	48	+ case sUseChroot:
	49	+ intptr = &options->use_chroot;
	50	+ goto parse_flag;
	51	+
	52	/* Standard Options */
	53	case sBadOption:
	54	return -1;
	55	--- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
	56	+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
	57	@@ -109,6 +109,7 @@
	58	int max_startups_rate;
	59	int max_startups;
	60	char banner; / SSH-2 banner message */
	61	+ int use_chroot; /* Enable chrooted enviroment support */
	62	int use_dns;
	63	int client_alive_interval; /*
	64	* poke the client this often to
65	--- openssh-4.0p1/session.c.orig 2005-03-06 12:38:52.000000000 +0100
66	+++ openssh-4.0p1/session.c 2005-03-10 15:14:04.000000000 +0100
67	@@ -1258,6 +1258,10 @@
68	void
69	do_setusercontext(struct passwd *pw)
70	{
71	+#ifdef CHROOT
72	+ char *user_dir;
73	+ char *new_root;
74	+#endif /* CHROOT */
75	#ifndef HAVE_CYGWIN
76	if (getuid() == 0 \|\| geteuid() == 0)
77	#endif /* HAVE_CYGWIN */
78	@@ -1315,6 +1319,26 @@
79	restore_uid();
80	}
81	#endif
82	+#ifdef CHROOT
83	+ if (options.use_chroot) {
84	+ user_dir = xstrdup(pw->pw_dir);
85	+ new_root = user_dir + 1;
86	+
87	+ while((new_root = strchr(new_root, '.')) != NULL) {
88	+ new_root--;
89	+ if(strncmp(new_root, "/./", 3) == 0) {
90	+ *new_root = '\0';
91	+ new_root += 2;
92	+
93	+ if(chroot(user_dir) != 0)
94	+ fatal("Couldn't chroot to user directory %s", user_dir);
95	+ pw->pw_dir = new_root;
96	+ break;
97	+ }
98	+ new_root += 2;
99	+ }
100	+ }
101	+#endif /* CHROOT */
102	# ifdef USE_PAM
103	/*
104	* PAM credentials may take the form of supplementary groups.
105	--- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
106	+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
107	@@ -71,6 +71,10 @@
108	# bypass the setting of 'PasswordAuthentication'
109	#UsePAM yes
110
111	+# Set this to 'yes' to enable support for chrooted user environment.
112	+# You must create such environment before you can use this feature.
113	+#UseChroot yes
114	+
115	#AllowTcpForwarding yes
116	#GatewayPorts no
117	#X11Forwarding no
118	--- openssh-3.7.1p2/sshd_config.0 2003-09-23 11:55:19.000000000 +0200
119	+++ openssh-3.7.1p2.pius/sshd_config.0 2003-10-07 20:49:08.000000000 +0200
120	@@ -349,6 +349,16 @@
121	To disable TCP keepalive messages, the value should be set to
122	``no''.
123
124	+ UseChroot
125	+ Specifies whether to use chroot-jail environment with ssh/sftp,
126	+ i.e. restrict users to a particular area in the filesystem. This
127	+ is done by setting user home directory to, for example,
128	+ /path/to/chroot/./home/username. sshd looks for a '.' in the
129	+ users home directory, then calls chroot(2) to whatever directory
130	+ was before the . and continues with the normal ssh functionality.
131	+ For this to work properly you have to create special chroot-jail
132	+ environment in a /path/to/chroot directory.
133	+
134	UseDNS Specifies whether sshd should look up the remote host name and
135	check that the resolved host name for the remote IP address maps
136	back to the very same IP address. The default is ``yes''.
137	--- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
138	+++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
139	@@ -552,6 +552,16 @@
140	The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
141	LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
142	The default is AUTH.
143	+.It Cm UseChroot
144	+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
145	+users to a particular area in the filesystem. This is done by setting user
146	+home directory to, for example, /path/to/chroot/./home/username.
147	+.Nm sshd
148	+looks for a '.' in the users home directory, then calls
149	+.Xr chroot 2
150	+to whatever directory was before the . and continues with the normal ssh
151	+functionality. For this to work properly you have to create special chroot-jail
152	+environment in a /path/to/chroot directory.
153	.It Cm TCPKeepAlive
154	Specifies whether the system should send TCP keepalive messages to the
155	other side.