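--- a/openssh-4.4p1/servconf.c
+++ b/openssh-4.4p1/servconf.c
@@ -56,7 +56,9 @@
 
 	/* Portable-specific options */
 	options->use_pam = -1;
-
+
+	options->use_chroot = -1;
+
 	/* Standard Options */
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
@@ -131,6 +133,9 @@
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 
+	if (options->use_chroot == -1)
+		options->use_chroot = 0;
+
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -270,6 +275,7 @@
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
 	sUsePAM,
+	sUseChroot,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
@@ -312,6 +318,11 @@
 #else
 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
 #endif
+#ifdef CHROOT
+	{ "usechroot", sUseChroot, SSHCFG_GLOBAL },
+#else
+	{ "usechroot", sUnsupported, SSHCFG_GLOBAL },
+#endif /* CHROOT */
 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 	/* Standard Options */
 	{ "port", sPort, SSHCFG_GLOBAL },
@@ -662,6 +673,10 @@
 		intptr = &options->use_pam;
 		goto parse_flag;
 
+	case sUseChroot:
+		intptr = &options->use_chroot;
+		goto parse_flag;
+
 	/* Standard Options */
 	case sBadOption:
 		return -1;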
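--- a/openssh-3.7.1p2/servconf.h
+++ b/openssh-3.7.1p2/servconf.h
@@ -109,6 +109,7 @@
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
+	int	use_chroot;		/* Enable chrooted enviroment support */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to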
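Review bot: The comment on the added use_chroot field misspells "environment" and does not say that the flag is only honoured in builds with CHROOT defined, which the servconf.c keyword table in this same patch shows (the keyword maps to sUnsupported otherwise); suggest `int	use_chroot;		/* Enable chrooted environment support (only honoured when built with CHROOT) */`. The enclosing struct begins and ends outside the hunk.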
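--- a/openssh-4.0p1/session.c
+++ b/openssh-4.0p1/session.c
@@ -1258,6 +1258,10 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1315,6 +1319,26 @@
 		restore_uid();
 	}
 #endif
+#ifdef CHROOT
+	if (options.use_chroot) {
+		user_dir = xstrdup(pw->pw_dir);
+		new_root = user_dir + 1;
+
+		while((new_root = strchr(new_root, '.')) != NULL) {
+			new_root--;
+			if(strncmp(new_root, "/./", 3) == 0) {
+				*new_root = '\0';
+				new_root += 2;
+
+				if(chroot(user_dir) != 0)
+					fatal("Couldn't chroot to user directory %s", user_dir);
+				pw->pw_dir = new_root;
+				break;
+			}
+			new_root += 2;
+		}
+	}
+#endif /* CHROOT */
 # ifdef USE_PAM
 	/*
 	 * PAM credentials may take the form of supplementary groups.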
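Review bot: In the second hunk the chroot(user_dir) call is not followed by a chdir("/"), so the process keeps its working directory outside the new root until some later chdir into pw->pw_dir (outside this hunk) succeeds; add `if (chdir("/") != 0)` / `fatal("chdir(\"/\") after chroot to %s failed", user_dir);` immediately after the chroot check so a failed or skipped chdir cannot leave the session with a cwd outside the jail. Nothing in the hunk verifies that the directory being chrooted into is root-owned and not writable by the user, which a chroot jail needs to be safe; presumably that is left to the administrator, but a stat() of user_dir before chroot() would make the requirement enforceable rather than documented. The buffer from xstrdup() is never freed when no "/./" marker is found, while on the match path pw->pw_dir aliases it, so the free belongs only after the loop exits without a match. If pw->pw_dir is an empty string, `user_dir + 1` points past the terminator and strchr() reads out of bounds, so the loop should be guarded by a length check. do_setusercontext begins in the first hunk and ends outside this one.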
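--- a/openssh-3.7.1p2/sshd_config
+++ b/openssh-3.7.1p2/sshd_config
@@ -71,6 +71,10 @@
 # bypass the setting of 'PasswordAuthentication'
 #UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature.
+#UseChroot yes
+
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no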
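--- a/openssh-4.4p1/sshd_config.0
+++ b/openssh-4.4p1/sshd_config.0
@@ -451,6 +451,16 @@
              To disable TCP keepalive messages, the value should be set to
              ``no''.
 
+     UseChroot
+             Specifies whether to use chroot-jail environment with ssh/sftp,
+             i.e. restrict users to a particular area in the filesystem. This
+             is done by setting user home directory to, for example,
+             /path/to/chroot/./home/username. sshd looks for a '.' in the
+             users home directory, then calls chroot(2) to whatever directory
+             was before the . and continues with the normal ssh functionality.
+             For this to work properly you have to create special chroot-jail
+             environment in a /path/to/chroot directory.
+
      UseDNS  Specifies whether sshd(8) should look up the remote host name and
              check that the resolved host name for the remote IP address maps
              back to the very same IP address. The default is ``yes''.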
48238653 | 137 | --- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100 |
138 | +++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100 | |
139 | @@ -552,6 +552,16 @@ | |
a42df7c9 | 140 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
141 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. | |
142 | The default is AUTH. | |
143 | +.It Cm UseChroot | |
144 | +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict | |
145 | +users to a particular area in the filesystem. This is done by setting user | |
146 | +home directory to, for example, /path/to/chroot/./home/username. | |
147 | +.Nm sshd | |
148 | +looks for a '.' in the users home directory, then calls | |
149 | +.Xr chroot 2 | |
150 | +to whatever directory was before the . and continues with the normal ssh | |
151 | +functionality. For this to work properly you have to create special chroot-jail | |
152 | +environment in a /path/to/chroot directory. | |
48238653 | 153 | .It Cm TCPKeepAlive |
154 | Specifies whether the system should send TCP keepalive messages to the | |
155 | other side. |