X-Git-Url: https://git.pld-linux.org/?a=blobdiff_plain;f=openssh-chroot.patch;h=30e3339e692714ed2c4acd6ba955d2372b853c47;hb=7ae7664a768d1e154c0287494bb89cde3e48cf15;hp=92af31d037f6ef9b9a17ea55ec2f53e3a6ad20ee;hpb=fc8529e572a1fbf154ba686cb23e5c82932fbcab;p=packages%2Fopenssh.git

diff --git a/openssh-chroot.patch b/openssh-chroot.patch
index 92af31d..30e3339 100644
--- a/openssh-chroot.patch
+++ b/openssh-chroot.patch
@@ -1,6 +1,7 @@
---- openssh-4.4p1/servconf.c.orig	2006-08-18 16:23:15.000000000 +0200
-+++ openssh-4.4p1/servconf.c	2006-10-05 10:11:17.065971000 +0200
-@@ -56,7 +56,9 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.c openssh-8.4p1/servconf.c
+--- openssh-8.4p1.org/servconf.c	2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/servconf.c	2021-03-01 11:30:33.634174889 +0100
+@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
  
  	/* Portable-specific options */
  	options->use_pam = -1;
@@ -11,7 +12,7 @@
  	/* Standard Options */
  	options->num_ports = 0;
  	options->ports_from_cmdline = 0;
-@@ -131,6 +133,9 @@
+@@ -301,6 +303,9 @@ fill_default_server_options(ServerOption
  	if (options->use_pam == -1)
  		options->use_pam = 0;
  
@@ -19,17 +20,17 @@
 +		options->use_chroot = 0;
 +	
  	/* Standard Options */
- 	if (options->protocol == SSH_PROTO_UNKNOWN)
- 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
-@@ -270,6 +275,7 @@
+ 	if (options->num_host_key_files == 0) {
+ 		/* fill default hostkeys for protocols */
+@@ -502,6 +507,7 @@ typedef enum {
  	sBadOption,		/* == unknown option */
  	/* Portable-specific options */
  	sUsePAM,
 +	sUseChroot,
  	/* Standard Options */
- 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ 	sPort, sHostKeyFile, sLoginGraceTime,
  	sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -312,6 +318,11 @@
+@@ -556,6 +562,11 @@ static struct {
  #else
  	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
  #endif
@@ -41,7 +42,7 @@
  	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
  	/* Standard Options */
  	{ "port", sPort, SSHCFG_GLOBAL },
-@@ -662,6 +673,10 @@
+@@ -1319,6 +1330,10 @@ process_server_config_line_depth(ServerO
  		intptr = &options->use_pam;
  		goto parse_flag;
  
@@ -52,61 +53,65 @@
  	/* Standard Options */
  	case sBadOption:
  		return -1;
---- openssh-3.7.1p2/servconf.h	2003-09-02 14:58:22.000000000 +0200
-+++ openssh-3.7.1p2.pius/servconf.h	2003-10-07 20:49:08.000000000 +0200
-@@ -109,6 +109,7 @@
- 	int	max_startups_rate;
- 	int	max_startups;
+diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.h openssh-8.4p1/servconf.h
+--- openssh-8.4p1.org/servconf.h	2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/servconf.h	2021-03-01 11:30:33.637508395 +0100
+@@ -178,6 +178,7 @@ typedef struct {
+ 	int	max_authtries;
+ 	int	max_sessions;
  	char   *banner;			/* SSH-2 banner message */
 +	int     use_chroot;		/* Enable chrooted enviroment support */
  	int	use_dns;
  	int	client_alive_interval;	/*
  					 * poke the client this often to
---- ./session.c.org	2008-05-05 16:22:11.935003283 +0200
-+++ ./session.c	2008-05-05 16:32:50.025507650 +0200
-@@ -1345,6 +1345,10 @@ void
+diff -urNp -x '*.orig' openssh-8.4p1.org/session.c openssh-8.4p1/session.c
+--- openssh-8.4p1.org/session.c	2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/session.c	2021-03-01 11:30:33.637508395 +0100
+@@ -1367,6 +1367,10 @@ void
  do_setusercontext(struct passwd *pw)
  {
- 	char *chroot_path, *tmp;
+ 	char uidstr[32], *chroot_path, *tmp;
 +#ifdef CHROOT
 +	char *user_dir;
 +	char *new_root;
 +#endif /* CHROOT */
  
- #ifdef WITH_SELINUX
- 	/* Cache selinux status for later use */
-@@ -1425,8 +1429,28 @@ do_setusercontext(struct passwd *pw)
- 			safely_chroot(chroot_path, pw->pw_uid);
- 			free(tmp);
- 			free(chroot_path);
+ 	platform_setusercontext(pw);
+ 
+@@ -1409,6 +1413,29 @@ do_setusercontext(struct passwd *pw)
+ 			free(options.chroot_directory);
+ 			options.chroot_directory = NULL;
+ 			in_chroot = 1;
 +#ifdef CHROOT
-+		} else if (options.use_chroot) {
++		} else if (!in_chroot && options.use_chroot) {
 +			user_dir = xstrdup(pw->pw_dir);
 +			new_root = user_dir + 1;
 +
-+			while((new_root = strchr(new_root, '.')) != NULL) {
++			while ((new_root = strchr(new_root, '.')) != NULL) {
 +				new_root--;
-+				if(strncmp(new_root, "/./", 3) == 0) {
++				if (strncmp(new_root, "/./", 3) == 0) {
 +					*new_root = '\0';
 +					new_root += 2;
 +
-+					if(chroot(user_dir) != 0)
++					if (chroot(user_dir) != 0)
 +						fatal("Couldn't chroot to user directory %s", user_dir);
-+					pw->pw_dir = new_root;
++					/* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
++					free(pw->pw_dir);
++					pw->pw_dir = xstrdup(new_root);
++					in_chroot = 1;
 +					break;
 +				}
 +				new_root += 2;
 +			}
++			free(user_dir);
 +#endif /* CHROOT */
  		}
  
-+
  #ifdef HAVE_LOGIN_CAP
- 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
- 			perror("unable to set user context (setuser)");
---- openssh-3.7.1p2/sshd_config	2003-09-02 14:51:18.000000000 +0200
-+++ openssh-3.7.1p2.pius/sshd_config	2003-10-07 20:49:08.000000000 +0200
-@@ -91,6 +91,10 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config
+--- openssh-8.4p1.org/sshd_config	2021-03-01 11:30:33.370827964 +0100
++++ openssh-8.4p1/sshd_config	2021-03-01 11:30:33.637508395 +0100
+@@ -85,6 +85,10 @@ GSSAPIAuthentication yes
  # and ChallengeResponseAuthentication to 'no'.
  UsePAM yes
  
@@ -117,11 +122,12 @@
  #AllowAgentForwarding yes
  # Security advisory:
  # http://securitytracker.com/alerts/2004/Sep/1011143.html
---- openssh-4.4p1/sshd_config.0.orig	2006-09-26 13:03:48.000000000 +0200
-+++ openssh-4.4p1/sshd_config.0	2006-10-05 10:11:41.615971000 +0200
-@@ -451,6 +451,16 @@
-              To disable TCP keepalive messages, the value should be set to
-              ``no''.
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.0 openssh-8.4p1/sshd_config.0
+--- openssh-8.4p1.org/sshd_config.0	2020-09-27 09:42:11.000000000 +0200
++++ openssh-8.4p1/sshd_config.0	2021-03-01 11:30:33.637508395 +0100
+@@ -1011,6 +1011,16 @@ DESCRIPTION
+              TrustedUserCAKeys.  For more details on certificates, see the
+              CERTIFICATES section in ssh-keygen(1).
  
 +     UseChroot
 +             Specifies whether to use chroot-jail environment with ssh/sftp,
@@ -133,12 +139,13 @@
 +             For this to work properly you have to create special chroot-jail
 +             environment in a /path/to/chroot directory.
 +
-      UseDNS  Specifies whether sshd(8) should look up the remote host name and
-              check that the resolved host name for the remote IP address maps
-              back to the very same IP address.  The default is ``yes''.
---- openssh-3.8p1/sshd_config.5.orig	2004-02-18 04:31:24.000000000 +0100
-+++ openssh-3.8p1/sshd_config.5	2004-02-25 21:17:23.000000000 +0100
-@@ -552,6 +552,16 @@
+      UseDNS  Specifies whether sshd(8) should look up the remote host name,
+              and to check that the resolved host name for the remote IP
+              address maps back to the very same IP address.
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.5 openssh-8.4p1/sshd_config.5
+--- openssh-8.4p1.org/sshd_config.5	2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/sshd_config.5	2021-03-01 11:30:33.637508395 +0100
+@@ -1640,6 +1640,16 @@ Gives the facility code that is used whe
  The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
  The default is AUTH.