]>
Commit | Line | Data |
---|---|---|
7ae7664a AM |
1 | diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.c openssh-8.4p1/servconf.c |
2 | --- openssh-8.4p1.org/servconf.c 2020-09-27 09:25:01.000000000 +0200 | |
3 | +++ openssh-8.4p1/servconf.c 2021-03-01 11:30:33.634174889 +0100 | |
4 | @@ -92,7 +92,9 @@ initialize_server_options(ServerOptions | |
f11993b4 PG |
5 | |
6 | /* Portable-specific options */ | |
7 | options->use_pam = -1; | |
8 | - | |
9 | + | |
10 | + options->use_chroot = -1; | |
11 | + | |
12 | /* Standard Options */ | |
13 | options->num_ports = 0; | |
14 | options->ports_from_cmdline = 0; | |
7ae7664a | 15 | @@ -301,6 +303,9 @@ fill_default_server_options(ServerOption |
f11993b4 PG |
16 | if (options->use_pam == -1) |
17 | options->use_pam = 0; | |
18 | ||
19 | + if (options->use_chroot == -1) | |
20 | + options->use_chroot = 0; | |
21 | + | |
22 | /* Standard Options */ | |
7ae7664a AM |
23 | if (options->num_host_key_files == 0) { |
24 | /* fill default hostkeys for protocols */ | |
25 | @@ -502,6 +507,7 @@ typedef enum { | |
f11993b4 PG |
26 | sBadOption, /* == unknown option */ |
27 | /* Portable-specific options */ | |
28 | sUsePAM, | |
29 | + sUseChroot, | |
30 | /* Standard Options */ | |
7ae7664a | 31 | sPort, sHostKeyFile, sLoginGraceTime, |
f11993b4 | 32 | sPermitRootLogin, sLogFacility, sLogLevel, |
7ae7664a | 33 | @@ -556,6 +562,11 @@ static struct { |
f11993b4 PG |
34 | #else |
35 | { "usepam", sUnsupported, SSHCFG_GLOBAL }, | |
36 | #endif | |
37 | +#ifdef CHROOT | |
38 | + { "usechroot", sUseChroot, SSHCFG_GLOBAL }, | |
39 | +#else | |
40 | + { "usechroot", sUnsupported, SSHCFG_GLOBAL }, | |
41 | +#endif /* CHROOT */ | |
42 | { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, | |
43 | /* Standard Options */ | |
44 | { "port", sPort, SSHCFG_GLOBAL }, | |
7ae7664a | 45 | @@ -1319,6 +1330,10 @@ process_server_config_line_depth(ServerO |
f11993b4 PG |
46 | intptr = &options->use_pam; |
47 | goto parse_flag; | |
48 | ||
49 | + case sUseChroot: | |
50 | + intptr = &options->use_chroot; | |
51 | + goto parse_flag; | |
52 | + | |
53 | /* Standard Options */ | |
54 | case sBadOption: | |
55 | return -1; | |
7ae7664a AM |
56 | diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.h openssh-8.4p1/servconf.h |
57 | --- openssh-8.4p1.org/servconf.h 2020-09-27 09:25:01.000000000 +0200 | |
58 | +++ openssh-8.4p1/servconf.h 2021-03-01 11:30:33.637508395 +0100 | |
59 | @@ -178,6 +178,7 @@ typedef struct { | |
60 | int max_authtries; | |
61 | int max_sessions; | |
f11993b4 PG |
62 | char *banner; /* SSH-2 banner message */ |
63 | + int use_chroot; /* Enable chrooted enviroment support */ | |
64 | int use_dns; | |
65 | int client_alive_interval; /* | |
66 | * poke the client this often to | |
7ae7664a AM |
67 | diff -urNp -x '*.orig' openssh-8.4p1.org/session.c openssh-8.4p1/session.c |
68 | --- openssh-8.4p1.org/session.c 2020-09-27 09:25:01.000000000 +0200 | |
69 | +++ openssh-8.4p1/session.c 2021-03-01 11:30:33.637508395 +0100 | |
70 | @@ -1367,6 +1367,10 @@ void | |
f685d17f JB |
71 | do_setusercontext(struct passwd *pw) |
72 | { | |
c4f5c632 | 73 | char uidstr[32], *chroot_path, *tmp; |
f11993b4 PG |
74 | +#ifdef CHROOT |
75 | + char *user_dir; | |
76 | + char *new_root; | |
77 | +#endif /* CHROOT */ | |
78 | ||
f6a10c37 AM |
79 | platform_setusercontext(pw); |
80 | ||
7ae7664a | 81 | @@ -1409,6 +1413,29 @@ do_setusercontext(struct passwd *pw) |
f685d17f JB |
82 | free(options.chroot_directory); |
83 | options.chroot_directory = NULL; | |
84 | in_chroot = 1; | |
f11993b4 | 85 | +#ifdef CHROOT |
f685d17f | 86 | + } else if (!in_chroot && options.use_chroot) { |
f11993b4 PG |
87 | + user_dir = xstrdup(pw->pw_dir); |
88 | + new_root = user_dir + 1; | |
89 | + | |
f685d17f | 90 | + while ((new_root = strchr(new_root, '.')) != NULL) { |
f11993b4 | 91 | + new_root--; |
f685d17f | 92 | + if (strncmp(new_root, "/./", 3) == 0) { |
f11993b4 PG |
93 | + *new_root = '\0'; |
94 | + new_root += 2; | |
95 | + | |
f685d17f | 96 | + if (chroot(user_dir) != 0) |
f11993b4 | 97 | + fatal("Couldn't chroot to user directory %s", user_dir); |
f685d17f JB |
98 | + /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */ |
99 | + free(pw->pw_dir); | |
100 | + pw->pw_dir = xstrdup(new_root); | |
101 | + in_chroot = 1; | |
f11993b4 PG |
102 | + break; |
103 | + } | |
104 | + new_root += 2; | |
105 | + } | |
f685d17f | 106 | + free(user_dir); |
f11993b4 PG |
107 | +#endif /* CHROOT */ |
108 | } | |
109 | ||
08811ee8 | 110 | #ifdef HAVE_LOGIN_CAP |
7ae7664a AM |
111 | diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config |
112 | --- openssh-8.4p1.org/sshd_config 2021-03-01 11:30:33.370827964 +0100 | |
113 | +++ openssh-8.4p1/sshd_config 2021-03-01 11:30:33.637508395 +0100 | |
114 | @@ -85,6 +85,10 @@ GSSAPIAuthentication yes | |
fc8529e5 AM |
115 | # and ChallengeResponseAuthentication to 'no'. |
116 | UsePAM yes | |
f11993b4 PG |
117 | |
118 | +# Set this to 'yes' to enable support for chrooted user environment. | |
fc8529e5 | 119 | +# You must create such environment before you can use this feature. |
f11993b4 PG |
120 | +#UseChroot yes |
121 | + | |
fc8529e5 AM |
122 | #AllowAgentForwarding yes |
123 | # Security advisory: | |
124 | # http://securitytracker.com/alerts/2004/Sep/1011143.html | |
7ae7664a AM |
125 | diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.0 openssh-8.4p1/sshd_config.0 |
126 | --- openssh-8.4p1.org/sshd_config.0 2020-09-27 09:42:11.000000000 +0200 | |
127 | +++ openssh-8.4p1/sshd_config.0 2021-03-01 11:30:33.637508395 +0100 | |
128 | @@ -1011,6 +1011,16 @@ DESCRIPTION | |
f9d8b6a7 AM |
129 | TrustedUserCAKeys. For more details on certificates, see the |
130 | CERTIFICATES section in ssh-keygen(1). | |
f11993b4 PG |
131 | |
132 | + UseChroot | |
133 | + Specifies whether to use chroot-jail environment with ssh/sftp, | |
134 | + i.e. restrict users to a particular area in the filesystem. This | |
135 | + is done by setting user home directory to, for example, | |
136 | + /path/to/chroot/./home/username. sshd looks for a '.' in the | |
137 | + users home directory, then calls chroot(2) to whatever directory | |
138 | + was before the . and continues with the normal ssh functionality. | |
139 | + For this to work properly you have to create special chroot-jail | |
140 | + environment in a /path/to/chroot directory. | |
141 | + | |
f9d8b6a7 AM |
142 | UseDNS Specifies whether sshd(8) should look up the remote host name, |
143 | and to check that the resolved host name for the remote IP | |
144 | address maps back to the very same IP address. | |
7ae7664a AM |
145 | diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.5 openssh-8.4p1/sshd_config.5 |
146 | --- openssh-8.4p1.org/sshd_config.5 2020-09-27 09:25:01.000000000 +0200 | |
147 | +++ openssh-8.4p1/sshd_config.5 2021-03-01 11:30:33.637508395 +0100 | |
148 | @@ -1640,6 +1640,16 @@ Gives the facility code that is used whe | |
f11993b4 PG |
149 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
150 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. | |
151 | The default is AUTH. | |
152 | +.It Cm UseChroot | |
153 | +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict | |
154 | +users to a particular area in the filesystem. This is done by setting user | |
155 | +home directory to, for example, /path/to/chroot/./home/username. | |
156 | +.Nm sshd | |
157 | +looks for a '.' in the users home directory, then calls | |
158 | +.Xr chroot 2 | |
159 | +to whatever directory was before the . and continues with the normal ssh | |
160 | +functionality. For this to work properly you have to create special chroot-jail | |
161 | +environment in a /path/to/chroot directory. | |
162 | .It Cm TCPKeepAlive | |
163 | Specifies whether the system should send TCP keepalive messages to the | |
164 | other side. |