X-Git-Url: https://git.pld-linux.org/?a=blobdiff_plain;f=openssh-chroot.patch;h=30e3339e692714ed2c4acd6ba955d2372b853c47;hb=7ae7664a768d1e154c0287494bb89cde3e48cf15;hp=881f87c26e627d80cb6aebafcf0880e5e2237808;hpb=eb4d14bb493108056951718900140f0bd007a867;p=packages%2Fopenssh.git
diff --git a/openssh-chroot.patch b/openssh-chroot.patch
index 881f87c..30e3339 100644
--- a/openssh-chroot.patch
+++ b/openssh-chroot.patch
@@ -1,6 +1,7 @@
---- openssh-3.7.1p2/servconf.c 2003-09-23 11:24:21.000000000 +0200
-+++ openssh-3.7.1p2.pius/servconf.c 2003-10-07 20:49:08.000000000 +0200
-@@ -41,7 +41,9 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.c openssh-8.4p1/servconf.c
+--- openssh-8.4p1.org/servconf.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/servconf.c 2021-03-01 11:30:33.634174889 +0100
+@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
 /* Portable-specific options */
 options->use_pam = -1;
@@ -11,7 +12,7 @@
 /* Standard Options */
 options->num_ports = 0;
 options->ports_from_cmdline = 0;
-@@ -112,6 +114,9 @@
+@@ -301,6 +303,9 @@ fill_default_server_options(ServerOption
 if (options->use_pam == -1)
 options->use_pam = 0; 
@@ -19,29 +20,29 @@
+ options->use_chroot = 0;
+ /* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
- options->protocol = SSH_PROTO_1|SSH_PROTO_2;
-@@ -245,6 +250,7 @@
+ if (options->num_host_key_files == 0) {
+ /* fill default hostkeys for protocols */
+@@ -502,6 +507,7 @@ typedef enum {
 sBadOption, /* == unknown option */
 /* Portable-specific options */
 sUsePAM,
+ sUseChroot,
 /* Standard Options */
- sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPort, sHostKeyFile, sLoginGraceTime,
 sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -278,6 +284,11 @@
+@@ -556,6 +562,11 @@ static struct {
 #else
- { "usepam", sUnsupported },
+ { "usepam", sUnsupported, SSHCFG_GLOBAL },
 #endif
+#ifdef CHROOT
-+ { "usechroot", sUseChroot },
++ { "usechroot", sUseChroot, SSHCFG_GLOBAL },
+#else
-+ { "usechroot", sUnsupported },
++ { "usechroot", sUnsupported, SSHCFG_GLOBAL },
+#endif /* CHROOT */
- { "pamauthenticationviakbdint", sDeprecated },
+ { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 /* Standard Options */
- { "port", sPort },
-@@ -437,6 +448,10 @@
+ { "port", sPort, SSHCFG_GLOBAL },
+@@ -1319,6 +1330,10 @@ process_server_config_line_depth(ServerO
 intptr = &options->use_pam;
 goto parse_flag; 
@@ -52,74 +53,81 @@
 /* Standard Options */
 case sBadOption:
 return -1;
---- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
-+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
-@@ -109,6 +109,7 @@
- int max_startups_rate;
- int max_startups;
+diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.h openssh-8.4p1/servconf.h
+--- openssh-8.4p1.org/servconf.h 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/servconf.h 2021-03-01 11:30:33.637508395 +0100
+@@ -178,6 +178,7 @@ typedef struct {
+ int max_authtries;
+ int max_sessions;
 char *banner; /* SSH-2 banner message */
+ int use_chroot; /* Enable chrooted enviroment support */
 int use_dns;
 int client_alive_interval; /*
 * poke the client this often to
---- openssh-4.0p1/session.c.orig 2005-03-06 12:38:52.000000000 +0100
-+++ openssh-4.0p1/session.c 2005-03-10 15:14:04.000000000 +0100
-@@ -1258,6 +1258,10 @@
- void
+diff -urNp -x '*.orig' openssh-8.4p1.org/session.c openssh-8.4p1/session.c
+--- openssh-8.4p1.org/session.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/session.c 2021-03-01 11:30:33.637508395 +0100
+@@ -1367,6 +1367,10 @@ void
 do_setusercontext(struct passwd *pw)
 {
+ char uidstr[32], *chroot_path, *tmp;
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
- #ifndef HAVE_CYGWIN
- if (getuid() == 0 || geteuid() == 0)
- #endif /* HAVE_CYGWIN */
-@@ -1315,6 +1319,26 @@
- restore_uid();
- }
- #endif
+
+ platform_setusercontext(pw);
+
+@@ -1409,6 +1413,29 @@ do_setusercontext(struct passwd *pw)
+ free(options.chroot_directory);
+ options.chroot_directory = NULL;
+ in_chroot = 1;
+#ifdef CHROOT
-+ if (options.use_chroot) {
++ } else if (!in_chroot && options.use_chroot) {
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
-+ while((new_root = strchr(new_root, '.')) != NULL) {
++ while ((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
-+ if(strncmp(new_root, "/./", 3) == 0) {
++ if (strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
-+ if(chroot(user_dir) != 0)
++ if (chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user directory %s", user_dir);
-+ pw->pw_dir = new_root;
-+ break;
-+ }
-+ new_root += 2;
++ /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
++ free(pw->pw_dir);
++ pw->pw_dir = xstrdup(new_root);
++ in_chroot = 1;
++ break;
++ }
++ new_root += 2;
+ }
-+ }
++ free(user_dir);
+#endif /* CHROOT */
- # ifdef USE_PAM
- /*
- * PAM credentials may take the form of supplementary groups.
---- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
-+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
-@@ -71,6 +71,10 @@
- # bypass the setting of 'PasswordAuthentication'
- #UsePAM yes
+ }
+
+ #ifdef HAVE_LOGIN_CAP
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config
+--- openssh-8.4p1.org/sshd_config 2021-03-01 11:30:33.370827964 +0100
++++ openssh-8.4p1/sshd_config 2021-03-01 11:30:33.637508395 +0100
+@@ -85,6 +85,10 @@ GSSAPIAuthentication yes
+ # and ChallengeResponseAuthentication to 'no'.
+ UsePAM yes
+# Set this to 'yes' to enable support for chrooted user environment.
-+# You must create such environment before you can use this feature.
++# You must create such environment before you can use this feature.
+#UseChroot yes
+
- #AllowTcpForwarding yes
- #GatewayPorts no
- #X11Forwarding no
---- openssh-3.7.1p2/sshd_config.0 2003-09-23 11:55:19.000000000 +0200
-+++ openssh-3.7.1p2.pius/sshd_config.0 2003-10-07 20:49:08.000000000 +0200
-@@ -349,6 +349,16 @@
- To disable TCP keepalive messages, the value should be set to
- ``no''. 
+ #AllowAgentForwarding yes
+ # Security advisory:
+ # http://securitytracker.com/alerts/2004/Sep/1011143.html
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.0 openssh-8.4p1/sshd_config.0
+--- openssh-8.4p1.org/sshd_config.0 2020-09-27 09:42:11.000000000 +0200
++++ openssh-8.4p1/sshd_config.0 2021-03-01 11:30:33.637508395 +0100
+@@ -1011,6 +1011,16 @@ DESCRIPTION
+ TrustedUserCAKeys. For more details on certificates, see the
+ CERTIFICATES section in ssh-keygen(1).
+
+ UseChroot
+ Specifies whether to use chroot-jail environment with ssh/sftp,
@@ -131,12 +139,13 @@
+ For this to work properly you have to create special chroot-jail
+ environment in a /path/to/chroot directory.
+
- UseDNS Specifies whether sshd should look up the remote host name and
- check that the resolved host name for the remote IP address maps
- back to the very same IP address. The default is ``yes''.
---- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
-+++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
-@@ -552,6 +552,16 @@
+ UseDNS Specifies whether sshd(8) should look up the remote host name,
+ and to check that the resolved host name for the remote IP
+ address maps back to the very same IP address.
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.5 openssh-8.4p1/sshd_config.5
+--- openssh-8.4p1.org/sshd_config.5 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/sshd_config.5 2021-03-01 11:30:33.637508395 +0100
+@@ -1640,6 +1640,16 @@ Gives the facility code that is used whe
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
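Review bot: The `} else if (!in_chroot && options.use_chroot)` branch added to do_setusercontext enters the jail with a bare `chroot(user_dir)`: nothing verifies that each component of the home-directory prefix is root-owned and not group/world-writable, and no chdir("/") follows, so the working directory is left outside the new root. The ChrootDirectory branch this code is attached to enters its jail through safely_chroot() (that call is outside the hunk), which does both, so `safely_chroot(user_dir, pw->pw_uid);` in place of the chroot()/fatal() pair would give the UseChroot path the same guarantees (it fatal()s on failure itself). Separately, `new_root = user_dir + 1;` steps past the terminator when pw_dir is the empty string, so a guard such as `if (*user_dir == '\0') fatal("empty home directory for %s", pw->pw_name);` before the loop seems warranted — TODO confirm whether an empty pw_dir can reach this point. The servconf.h comment added in the same hunk spells "enviroment".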