X-Git-Url: https://git.pld-linux.org/?a=blobdiff_plain;f=openssh-chroot.patch;h=75a2f0731af594177123fe6a99335e53edb959e6;hb=ea055907b99ad523d37443d191be3003f5d5211e;hp=5dda773c02c44429a159adc01899ce1abf550be5;hpb=0fab2cabb21ce97f99ead369144d02cdf315decf;p=packages%2Fopenssh.git diff --git a/openssh-chroot.patch b/openssh-chroot.patch index 5dda773..75a2f07 100644 --- a/openssh-chroot.patch +++ b/openssh-chroot.patch @@ -1,6 +1,7 @@ ---- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200 -+++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200 -@@ -56,7 +56,9 @@ +diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c +--- openssh-8.8p1.org/servconf.c 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/servconf.c 2021-12-09 20:13:16.486586503 +0100 +@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions /* Portable-specific options */ options->use_pam = -1; @@ -11,7 +12,7 @@ /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; -@@ -131,6 +133,9 @@ +@@ -279,6 +281,9 @@ fill_default_server_options(ServerOption if (options->use_pam == -1) options->use_pam = 0; @@ -19,17 +20,17 @@ + options->use_chroot = 0; + /* Standard Options */ - if (options->protocol == SSH_PROTO_UNKNOWN) - options->protocol = SSH_PROTO_1|SSH_PROTO_2; -@@ -270,6 +275,7 @@ + if (options->num_host_key_files == 0) { + /* fill default hostkeys for protocols */ +@@ -486,6 +491,7 @@ typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ sUsePAM, + sUseChroot, /* Standard Options */ - sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, - sPermitRootLogin, sLogFacility, sLogLevel, -@@ -312,6 +318,11 @@ + sPort, sHostKeyFile, sLoginGraceTime, + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, +@@ -538,6 +544,11 @@ static struct { #else { "usepam", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -41,7 +42,7 @@ { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ { "port", sPort, SSHCFG_GLOBAL }, -@@ -662,6 +673,10 @@ +@@ -1332,6 +1343,10 @@ process_server_config_line_depth(ServerO intptr = &options->use_pam; goto parse_flag; @@ -51,63 +52,67 @@ + /* Standard Options */ case sBadOption: - return -1; ---- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200 -+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200 -@@ -109,6 +109,7 @@ - int max_startups_rate; - int max_startups; + goto out; +diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.h openssh-8.8p1/servconf.h +--- openssh-8.8p1.org/servconf.h 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/servconf.h 2021-12-09 20:13:16.486586503 +0100 +@@ -183,6 +183,7 @@ typedef struct { + int max_authtries; + int max_sessions; char *banner; /* SSH-2 banner message */ + int use_chroot; /* Enable chrooted enviroment support */ int use_dns; int client_alive_interval; /* * poke the client this often to ---- ./session.c.org 2008-05-05 16:22:11.935003283 +0200 -+++ ./session.c 2008-05-05 16:32:50.025507650 +0200 -@@ -1345,6 +1345,10 @@ void +diff -urNp -x '*.orig' openssh-8.8p1.org/session.c openssh-8.8p1/session.c +--- openssh-8.8p1.org/session.c 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/session.c 2021-12-09 20:13:16.489919836 +0100 +@@ -1359,6 +1359,10 @@ void do_setusercontext(struct passwd *pw) { - char *chroot_path, *tmp; + char uidstr[32], *chroot_path, *tmp; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ - #ifdef WITH_SELINUX - /* Cache selinux status for later use */ -@@ -1425,8 +1429,28 @@ do_setusercontext(struct passwd *pw) - /* Make sure we don't attempt to chroot again */ + platform_setusercontext(pw); + +@@ -1401,6 +1405,29 @@ do_setusercontext(struct passwd *pw) free(options.chroot_directory); options.chroot_directory = NULL; + in_chroot = 1; +#ifdef CHROOT -+ } else if (options.use_chroot) { ++ } else if (!in_chroot && options.use_chroot) { + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + -+ while((new_root = strchr(new_root, '.')) != NULL) { ++ while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; -+ if(strncmp(new_root, "/./", 3) == 0) { ++ if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + -+ if(chroot(user_dir) != 0) ++ if (chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); -+ pw->pw_dir = new_root; ++ /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */ ++ free(pw->pw_dir); ++ pw->pw_dir = xstrdup(new_root); ++ in_chroot = 1; + break; + } + new_root += 2; + } ++ free(user_dir); +#endif /* CHROOT */ } -+ #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { - perror("unable to set user context (setuser)"); ---- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200 -+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200 -@@ -91,6 +91,10 @@ - # and ChallengeResponseAuthentication to 'no'. +diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config +--- openssh-8.8p1.org/sshd_config 2021-12-09 20:13:16.326586503 +0100 ++++ openssh-8.8p1/sshd_config 2021-12-09 20:13:16.489919836 +0100 +@@ -85,6 +85,10 @@ GSSAPIAuthentication yes + # and KbdInteractiveAuthentication to 'no'. UsePAM yes +# Set this to 'yes' to enable support for chrooted user environment. @@ -115,13 +120,14 @@ +#UseChroot yes + #AllowAgentForwarding yes - # Security advisory: - # http://securitytracker.com/alerts/2004/Sep/1011143.html ---- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200 -+++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200 -@@ -451,6 +451,16 @@ - To disable TCP keepalive messages, the value should be set to - ``no''. + #AllowTcpForwarding yes + #GatewayPorts no +diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.0 openssh-8.8p1/sshd_config.0 +--- openssh-8.8p1.org/sshd_config.0 2021-09-26 16:06:42.000000000 +0200 ++++ openssh-8.8p1/sshd_config.0 2021-12-09 20:13:16.489919836 +0100 +@@ -1053,6 +1053,16 @@ DESCRIPTION + TrustedUserCAKeys. For more details on certificates, see the + CERTIFICATES section in ssh-keygen(1). + UseChroot + Specifies whether to use chroot-jail environment with ssh/sftp, @@ -133,12 +139,13 @@ + For this to work properly you have to create special chroot-jail + environment in a /path/to/chroot directory. + - UseDNS Specifies whether sshd(8) should look up the remote host name and - check that the resolved host name for the remote IP address maps - back to the very same IP address. The default is ``yes''. ---- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100 -+++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100 -@@ -552,6 +552,16 @@ + UseDNS Specifies whether sshd(8) should look up the remote host name, + and to check that the resolved host name for the remote IP + address maps back to the very same IP address. +diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.5 openssh-8.8p1/sshd_config.5 +--- openssh-8.8p1.org/sshd_config.5 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/sshd_config.5 2021-12-09 20:13:16.489919836 +0100 +@@ -1697,6 +1697,16 @@ Gives the facility code that is used whe The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.