X-Git-Url: https://git.pld-linux.org/?a=blobdiff_plain;f=openssh-chroot.patch;h=da45bb85684f02da04f10ab2a5071d75fcf7180c;hb=HEAD;hp=48ab8c81660d6da90eee63c4a534f46b40dc5d69;hpb=48238653492f05824cc8b331c727033077707332;p=packages%2Fopenssh.git diff --git a/openssh-chroot.patch b/openssh-chroot.patch index 48ab8c8..da45bb8 100644 --- a/openssh-chroot.patch +++ b/openssh-chroot.patch @@ -1,6 +1,7 @@ ---- openssh-3.7.1p2/servconf.c 2003-09-23 11:24:21.000000000 +0200 -+++ openssh-3.7.1p2.pius/servconf.c 2003-10-07 20:49:08.000000000 +0200 -@@ -41,7 +41,9 @@ +diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c +--- openssh-8.8p1.org/servconf.c 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/servconf.c 2021-12-09 20:13:16.486586503 +0100 +@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions /* Portable-specific options */ options->use_pam = -1; @@ -11,7 +12,7 @@ /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; -@@ -112,6 +114,9 @@ +@@ -279,6 +281,9 @@ fill_default_server_options(ServerOption if (options->use_pam == -1) options->use_pam = 0; 
@@ -19,29 +20,29 @@ + options->use_chroot = 0; + /* Standard Options */ - if (options->protocol == SSH_PROTO_UNKNOWN) - options->protocol = SSH_PROTO_1|SSH_PROTO_2; -@@ -245,6 +250,7 @@ + if (options->num_host_key_files == 0) { + /* fill default hostkeys for protocols */ +@@ -486,6 +491,7 @@ typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ sUsePAM, + sUseChroot, /* Standard Options */ - sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, - sPermitRootLogin, sLogFacility, sLogLevel, -@@ -278,6 +284,11 @@ + sPort, sHostKeyFile, sLoginGraceTime, + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, +@@ -538,6 +544,11 @@ static struct { #else - { "usepam", sUnsupported }, + { "usepam", sUnsupported, SSHCFG_GLOBAL }, #endif +#ifdef CHROOT -+ { "usechroot", sUseChroot }, ++ { "usechroot", sUseChroot, SSHCFG_GLOBAL }, +#else -+ { "usechroot", sUnsupported }, ++ { "usechroot", sUnsupported, SSHCFG_GLOBAL }, +#endif /* CHROOT */ - { "pamauthenticationviakbdint", sDeprecated }, + { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ - { "port", sPort }, -@@ -437,6 +448,10 @@ + { "port", sPort, SSHCFG_GLOBAL }, +@@ -1332,6 +1343,10 @@ process_server_config_line_depth(ServerO intptr = &options->use_pam; goto parse_flag; 
@@ -51,77 +52,82 @@ + /* Standard Options */ case sBadOption: - return -1; ---- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200 -+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200 -@@ -109,6 +109,7 @@ - int max_startups_rate; - int max_startups; + goto out; +diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.h openssh-8.8p1/servconf.h +--- openssh-8.8p1.org/servconf.h 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/servconf.h 2021-12-09 20:13:16.486586503 +0100 +@@ -183,6 +183,7 @@ typedef struct { + int max_authtries; + int max_sessions; char *banner; /* SSH-2 banner message */ + int use_chroot; /* Enable chrooted enviroment support */ int use_dns; int client_alive_interval; /* * poke the client this often to ---- openssh-3.7.1p2/session.c 2003-09-23 10:59:08.000000000 +0200 -+++ openssh-3.7.1p2.pius/session.c 2003-10-07 20:49:08.000000000 +0200 -@@ -1231,6 +1231,10 @@ - void +diff -urNp -x '*.orig' openssh-8.8p1.org/session.c openssh-8.8p1/session.c +--- openssh-8.8p1.org/session.c 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/session.c 2021-12-09 20:13:16.489919836 +0100 +@@ -1359,6 +1359,10 @@ void do_setusercontext(struct passwd *pw) { + char uidstr[32], *chroot_path, *tmp; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ - #ifndef HAVE_CYGWIN - if (getuid() == 0 || geteuid() == 0) - #endif /* HAVE_CYGWIN */ -@@ -1268,6 +1272,28 @@ - exit(1); - } - endgrent(); -+ + + platform_setusercontext(pw); + +@@ -1401,6 +1405,29 @@ do_setusercontext(struct passwd *pw) + free(options.chroot_directory); + options.chroot_directory = NULL; + in_chroot = 1; +#ifdef CHROOT -+ if (options.use_chroot) { ++ } else if (!in_chroot && options.use_chroot) { + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + -+ while((new_root = strchr(new_root, '.')) != NULL) { ++ while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; -+ if(strncmp(new_root, "/./", 3) == 0) { ++ if (strncmp(new_root, 
"/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + -+ if(chroot(user_dir) != 0) -+ fatal("Couldn't chroot to user directory % s", user_dir); -+ pw->pw_dir = new_root; -+ break; -+ } -+ new_root += 2; ++ if (chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory %s", user_dir); ++ /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */ ++ free(pw->pw_dir); ++ pw->pw_dir = xstrdup(new_root); ++ in_chroot = 1; ++ break; ++ } ++ new_root += 2; + } -+ } ++ free(user_dir); +#endif /* CHROOT */ -+ - # ifdef USE_PAM - /* - * PAM credentials may take the form of supplementary groups. ---- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200 -+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200 -@@ -71,6 +71,10 @@ - # bypass the setting of 'PasswordAuthentication' - #UsePAM yes + } + + #ifdef HAVE_LOGIN_CAP +diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config +--- openssh-8.8p1.org/sshd_config 2021-12-09 20:13:16.326586503 +0100 ++++ openssh-8.8p1/sshd_config 2021-12-09 20:13:16.489919836 +0100 +@@ -85,6 +85,10 @@ GSSAPIAuthentication yes + # and KbdInteractiveAuthentication to 'no'. + #UsePAM no +# Set this to 'yes' to enable support for chrooted user environment. -+# You must create such environment before you can use this feature. ++# You must create such environment before you can use this feature. +#UseChroot yes + + #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no - #X11Forwarding no ---- openssh-3.7.1p2/sshd_config.0 2003-09-23 11:55:19.000000000 +0200 -+++ openssh-3.7.1p2.pius/sshd_config.0 2003-10-07 20:49:08.000000000 +0200 -@@ -349,6 +349,16 @@ - CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- - fault is AUTH. 
+diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.0 openssh-8.8p1/sshd_config.0 +--- openssh-8.8p1.org/sshd_config.0 2021-09-26 16:06:42.000000000 +0200 ++++ openssh-8.8p1/sshd_config.0 2021-12-09 20:13:16.489919836 +0100 +@@ -1053,6 +1053,16 @@ DESCRIPTION + open channels. This option may be useful in conjunction with + ChannelTimeout. + UseChroot + Specifies whether to use chroot-jail environment with ssh/sftp, @@ -133,12 +139,13 @@ + For this to work properly you have to create special chroot-jail + environment in a /path/to/chroot directory. + - UseDNS Specifies whether sshd should lookup the remote host name and - check that the resolved host name for the remote IP address maps - back to the very same IP address. The default is ``yes''. ---- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100 -+++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100 -@@ -552,6 +552,16 @@ + UseDNS Specifies whether sshd(8) should look up the remote host name, + and to check that the resolved host name for the remote IP + address maps back to the very same IP address. +diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.5 openssh-8.8p1/sshd_config.5 +--- openssh-8.8p1.org/sshd_config.5 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/sshd_config.5 2021-12-09 20:13:16.489919836 +0100 +@@ -1697,6 +1697,16 @@ Gives the facility code that is used whe The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
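Review bot: In the session.c part of this hunk, the new `else if (!in_chroot && options.use_chroot)` branch calls `chroot(user_dir)` on a prefix of `pw->pw_dir` with no `chdir()` into the new root and no check that the directory and its parents are root-owned and not group- or world-writable. A jail root the user can write to, or a working directory left outside the jail, weakens the confinement the option is meant to provide. Upstream's `safely_chroot()` in the same file does those checks and the chdir/chroot/chdir("/") sequence, so the bare call could become `safely_chroot(user_dir, pw->pw_uid);`. Existing jails with a user-owned root would then be refused, and the ChrootDirectory branch above presumably already goes through that helper, though that is not visible here. Separately, `new_root = user_dir + 1` points past the terminator when `pw_dir` is an empty string, so `strchr()` reads beyond the allocation; wrapping the loop in `if (user_dir[0] != '\0')` avoids that. The body of do_setusercontext starts and ends outside the hunk.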