[packages/openssh.git] / openssh-chroot.patch

--- openssh-4.4p1/servconf.c.orig	2006-08-18 16:23:15.000000000 +0200
+++ openssh-4.4p1/servconf.c	2006-10-05 10:11:17.065971000 +0200
@@ -56,7 +56,9 @@
 
 	/* Portable-specific options */
 	options->use_pam = -1;
-
+	
+	options->use_chroot = -1;
+	
 	/* Standard Options */
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
@@ -131,6 +133,9 @@
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 
+	if (options->use_chroot == -1)
+		options->use_chroot = 0;
+	
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -270,6 +275,7 @@
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
 	sUsePAM,
+	sUseChroot,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
@@ -312,6 +318,11 @@
 #else
 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
 #endif
+#ifdef CHROOT
+	{ "usechroot", sUseChroot, SSHCFG_GLOBAL },
+#else
+	{ "usechroot", sUnsupported, SSHCFG_GLOBAL },
+#endif /* CHROOT */
 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 	/* Standard Options */
 	{ "port", sPort, SSHCFG_GLOBAL },
@@ -662,6 +673,10 @@
 		intptr = &options->use_pam;
 		goto parse_flag;
 
+	case sUseChroot:
+		intptr = &options->use_chroot;
+		goto parse_flag;
+
 	/* Standard Options */
 	case sBadOption:
 		return -1;
--- openssh-3.7.1p2/servconf.h	2003-09-02 14:58:22.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.h	2003-10-07 20:49:08.000000000 +0200
@@ -109,6 +109,7 @@
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
+	int     use_chroot;		/* Enable chrooted enviroment support */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
--- openssh-4.0p1/session.c.orig	2005-03-06 12:38:52.000000000 +0100
+++ openssh-4.0p1/session.c	2005-03-10 15:14:04.000000000 +0100
@@ -1258,6 +1258,10 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1315,6 +1319,26 @@
 			restore_uid();
 		}
 #endif
+#ifdef CHROOT
+		if (options.use_chroot) {
+			user_dir = xstrdup(pw->pw_dir);
+			new_root = user_dir + 1;
+
+			while((new_root = strchr(new_root, '.')) != NULL) {
+				new_root--;
+				if(strncmp(new_root, "/./", 3) == 0) {
+					*new_root = '\0';
+					new_root += 2;
+
+					if(chroot(user_dir) != 0)
+						fatal("Couldn't chroot to user directory %s", user_dir);
+						pw->pw_dir = new_root;
+						break;
+					}
+					new_root += 2;
+			}
+		}
+#endif /* CHROOT */
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups.
--- openssh-3.7.1p2/sshd_config	2003-09-02 14:51:18.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config	2003-10-07 20:49:08.000000000 +0200
@@ -71,6 +71,10 @@
 # bypass the setting of 'PasswordAuthentication'
 #UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature. 
+#UseChroot yes
+
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
--- openssh-4.4p1/sshd_config.0.orig	2006-09-26 13:03:48.000000000 +0200
+++ openssh-4.4p1/sshd_config.0	2006-10-05 10:11:41.615971000 +0200
@@ -451,6 +451,16 @@
              To disable TCP keepalive messages, the value should be set to
              ``no''.
 
+     UseChroot
+             Specifies whether to use chroot-jail environment with ssh/sftp,
+             i.e. restrict users to a particular area in the filesystem. This
+             is done by setting user home directory to, for example,
+             /path/to/chroot/./home/username.  sshd looks for a '.' in the
+             users home directory, then calls chroot(2) to whatever directory
+             was before the . and continues with the normal ssh functionality.
+             For this to work properly you have to create special chroot-jail
+             environment in a /path/to/chroot directory.
+
      UseDNS  Specifies whether sshd(8) should look up the remote host name and
              check that the resolved host name for the remote IP address maps
              back to the very same IP address.  The default is ``yes''.
--- openssh-3.8p1/sshd_config.5.orig	2004-02-18 04:31:24.000000000 +0100
+++ openssh-3.8p1/sshd_config.5	2004-02-25 21:17:23.000000000 +0100
@@ -552,6 +552,16 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
+users to a particular area in the filesystem. This is done by setting user
+home directory to, for example, /path/to/chroot/./home/username.
+.Nm sshd
+looks for a '.' in the users home directory, then calls
+.Xr chroot 2
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
 .It Cm TCPKeepAlive
 Specifies whether the system should send TCP keepalive messages to the
 other side.
Commit	Line	Data
b4c9b3c0 JB	1	--- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200
	2	+++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200
	3	@@ -56,7 +56,9 @@
a42df7c9	4
	5	/* Portable-specific options */
	6	options->use_pam = -1;
	7	-
	8	+
	9	+ options->use_chroot = -1;
	10	+
	11	/* Standard Options */
	12	options->num_ports = 0;
	13	options->ports_from_cmdline = 0;
b4c9b3c0	14	@@ -131,6 +133,9 @@
a42df7c9	15	if (options->use_pam == -1)
	16	options->use_pam = 0;
	17
	18	+ if (options->use_chroot == -1)
	19	+ options->use_chroot = 0;
	20	+
	21	/* Standard Options */
	22	if (options->protocol == SSH_PROTO_UNKNOWN)
	23	options->protocol = SSH_PROTO_1\|SSH_PROTO_2;
b4c9b3c0	24	@@ -270,6 +275,7 @@
a42df7c9	25	sBadOption, /* == unknown option */
	26	/* Portable-specific options */
	27	sUsePAM,
	28	+ sUseChroot,
	29	/* Standard Options */
	30	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	31	sPermitRootLogin, sLogFacility, sLogLevel,
b4c9b3c0	32	@@ -312,6 +318,11 @@
a42df7c9	33	#else
b4c9b3c0	34	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
e5aad4e5	35	#endif
a42df7c9	36	+#ifdef CHROOT
b4c9b3c0	37	+ { "usechroot", sUseChroot, SSHCFG_GLOBAL },
a42df7c9	38	+#else
b4c9b3c0	39	+ { "usechroot", sUnsupported, SSHCFG_GLOBAL },
a42df7c9	40	+#endif /* CHROOT */
b4c9b3c0	41	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
a42df7c9	42	/* Standard Options */
b4c9b3c0 JB	43	{ "port", sPort, SSHCFG_GLOBAL },
b4c9b3c0 JB	44	@@ -662,6 +673,10 @@
a42df7c9	45	intptr = &options->use_pam;
a42df7c9	46	goto parse_flag;
e5aad4e5	47
a42df7c9	48	+ case sUseChroot:
	49	+ intptr = &options->use_chroot;
	50	+ goto parse_flag;
e5aad4e5	51	+
a42df7c9	52	/* Standard Options */
	53	case sBadOption:
	54	return -1;
	55	--- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
	56	+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
	57	@@ -109,6 +109,7 @@
	58	int max_startups_rate;
	59	int max_startups;
	60	char banner; / SSH-2 banner message */
	61	+ int use_chroot; /* Enable chrooted enviroment support */
	62	int use_dns;
	63	int client_alive_interval; /*
	64	* poke the client this often to
9c944978 JB	65	--- openssh-4.0p1/session.c.orig 2005-03-06 12:38:52.000000000 +0100
	66	+++ openssh-4.0p1/session.c 2005-03-10 15:14:04.000000000 +0100
	67	@@ -1258,6 +1258,10 @@
e5aad4e5	68	void
	69	do_setusercontext(struct passwd *pw)
	70	{
e5aad4e5	71	+#ifdef CHROOT
	72	+ char *user_dir;
	73	+ char *new_root;
	74	+#endif /* CHROOT */
e5aad4e5	75	#ifndef HAVE_CYGWIN
	76	if (getuid() == 0 \|\| geteuid() == 0)
	77	#endif /* HAVE_CYGWIN */
9c944978 JB	78	@@ -1315,6 +1319,26 @@
9c944978 JB	79	restore_uid();
e5aad4e5	80	}
9c944978	81	#endif
e5aad4e5	82	+#ifdef CHROOT
a42df7c9	83	+ if (options.use_chroot) {
	84	+ user_dir = xstrdup(pw->pw_dir);
	85	+ new_root = user_dir + 1;
e5aad4e5	86	+
a42df7c9	87	+ while((new_root = strchr(new_root, '.')) != NULL) {
	88	+ new_root--;
	89	+ if(strncmp(new_root, "/./", 3) == 0) {
	90	+ *new_root = '\0';
	91	+ new_root += 2;
e5aad4e5	92	+
a42df7c9	93	+ if(chroot(user_dir) != 0)
de36f22e	94	+ fatal("Couldn't chroot to user directory %s", user_dir);
a42df7c9	95	+ pw->pw_dir = new_root;
	96	+ break;
	97	+ }
	98	+ new_root += 2;
	99	+ }
e5aad4e5	100	+ }
e5aad4e5	101	+#endif /* CHROOT */
e5aad4e5	102	# ifdef USE_PAM
e5aad4e5	103	/*
9c944978	104	* PAM credentials may take the form of supplementary groups.
a42df7c9	105	--- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
	106	+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
	107	@@ -71,6 +71,10 @@
	108	# bypass the setting of 'PasswordAuthentication'
	109	#UsePAM yes
	110
	111	+# Set this to 'yes' to enable support for chrooted user environment.
	112	+# You must create such environment before you can use this feature.
	113	+#UseChroot yes
	114	+
	115	#AllowTcpForwarding yes
	116	#GatewayPorts no
	117	#X11Forwarding no
b4c9b3c0 JB	118	--- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200
	119	+++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200
	120	@@ -451,6 +451,16 @@
eb4d14bb AG	121	To disable TCP keepalive messages, the value should be set to
eb4d14bb AG	122	``no''.
a42df7c9	123
	124	+ UseChroot
	125	+ Specifies whether to use chroot-jail environment with ssh/sftp,
	126	+ i.e. restrict users to a particular area in the filesystem. This
	127	+ is done by setting user home directory to, for example,
	128	+ /path/to/chroot/./home/username. sshd looks for a '.' in the
	129	+ users home directory, then calls chroot(2) to whatever directory
	130	+ was before the . and continues with the normal ssh functionality.
	131	+ For this to work properly you have to create special chroot-jail
	132	+ environment in a /path/to/chroot directory.
	133	+
b4c9b3c0	134	UseDNS Specifies whether sshd(8) should look up the remote host name and
a42df7c9	135	check that the resolved host name for the remote IP address maps
a42df7c9	136	back to the very same IP address. The default is ``yes''.
48238653	137	--- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
	138	+++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
	139	@@ -552,6 +552,16 @@
a42df7c9	140	The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
	141	LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
	142	The default is AUTH.
	143	+.It Cm UseChroot
	144	+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
	145	+users to a particular area in the filesystem. This is done by setting user
	146	+home directory to, for example, /path/to/chroot/./home/username.
	147	+.Nm sshd
	148	+looks for a '.' in the users home directory, then calls
	149	+.Xr chroot 2
	150	+to whatever directory was before the . and continues with the normal ssh
	151	+functionality. For this to work properly you have to create special chroot-jail
	152	+environment in a /path/to/chroot directory.
48238653	153	.It Cm TCPKeepAlive
	154	Specifies whether the system should send TCP keepalive messages to the
	155	other side.