git.pld-linux.org Git - packages/openssh.git/blob - openssh-chroot.patch
- outdated
1 --- openssh-3.7.1p2/servconf.c  2003-09-23 11:24:21.000000000 +0200
2 +++ openssh-3.7.1p2.pius/servconf.c     2003-10-07 20:49:08.000000000 +0200
3 @@ -41,7 +41,9 @@
4  
5         /* Portable-specific options */
6         options->use_pam = -1;
7 -
8 +       
9 +       options->use_chroot = -1;
10 +       
11         /* Standard Options */
12         options->num_ports = 0;
13         options->ports_from_cmdline = 0;
14 @@ -112,6 +114,9 @@
15         if (options->use_pam == -1)
16                 options->use_pam = 0;
17  
18 +       if (options->use_chroot == -1)
19 +               options->use_chroot = 0;
20 +       
21         /* Standard Options */
22         if (options->protocol == SSH_PROTO_UNKNOWN)
23                 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
24 @@ -245,6 +250,7 @@
25         sBadOption,             /* == unknown option */
26         /* Portable-specific options */
27         sUsePAM,
28 +       sUseChroot,
29         /* Standard Options */
30         sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
31         sPermitRootLogin, sLogFacility, sLogLevel,
32 @@ -278,6 +284,11 @@
33  #else
34         { "usepam", sUnsupported },
35  #endif
36 +#ifdef CHROOT
37 +       { "usechroot", sUseChroot },
38 +#else
39 +       { "usechroot", sUnsupported },
40 +#endif /* CHROOT */
41         { "pamauthenticationviakbdint", sDeprecated },
42         /* Standard Options */
43         { "port", sPort },
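Review bot: In the `#else` branch `usechroot` is mapped to `sUnsupported`, so on a binary built without CHROOT a configuration containing `UseChroot yes` is presumably still accepted (the handling of `sUnsupported` is outside this hunk). Users the administrator expects to be confined would then get an ordinary, unconfined session. For a confinement option it is safer to fail closed: map the keyword to `sUseChroot` in both branches and refuse to start when it is enabled without support, e.g. `#ifndef CHROOT` / `if (options->use_chroot == 1) fatal("UseChroot set but sshd was built without CHROOT");` / `#endif` next to the default assignment in the second hunk. The keyword table starts and ends outside this hunk.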
44 @@ -437,6 +448,10 @@
45                 intptr = &options->use_pam;
46                 goto parse_flag;
47  
48 +       case sUseChroot:
49 +               intptr = &options->use_chroot;
50 +               goto parse_flag;
51 +
52         /* Standard Options */
53         case sBadOption:
54                 return -1;
55 --- openssh-3.7.1p2/servconf.h  2003-09-02 14:58:22.000000000 +0200
56 +++ openssh-3.7.1p2.pius/servconf.h     2003-10-07 20:49:08.000000000 +0200
57 @@ -109,6 +109,7 @@
58         int     max_startups_rate;
59         int     max_startups;
60         char   *banner;                 /* SSH-2 banner message */
61 +       int     use_chroot;             /* Enable chrooted enviroment support */
62         int     use_dns;
63         int     client_alive_interval;  /*
64                                          * poke the client this often to
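Review bot: The comment on the new `use_chroot` field misspells "environment" and does not say when the flag has any effect. Going by the other hunks of this patch, something like `/* chroot(2) users whose home directory contains "/./"; only honoured when built with CHROOT */` would tell a reader what the field actually controls. The struct definition continues outside this hunk.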
65 --- openssh-4.0p1/session.c.orig        2005-03-06 12:38:52.000000000 +0100
66 +++ openssh-4.0p1/session.c     2005-03-10 15:14:04.000000000 +0100
67 @@ -1258,6 +1258,10 @@
68  void
69  do_setusercontext(struct passwd *pw)
70  {
71 +#ifdef CHROOT
72 +       char *user_dir;
73 +       char *new_root;
74 +#endif /* CHROOT */
75  #ifndef HAVE_CYGWIN
76         if (getuid() == 0 || geteuid() == 0)
77  #endif /* HAVE_CYGWIN */
78 @@ -1315,6 +1319,26 @@
79                         restore_uid();
80                 }
81  #endif
82 +#ifdef CHROOT
83 +               if (options.use_chroot) {
84 +                       user_dir = xstrdup(pw->pw_dir);
85 +                       new_root = user_dir + 1;
86 +
87 +                       while((new_root = strchr(new_root, '.')) != NULL) {
88 +                               new_root--;
89 +                               if(strncmp(new_root, "/./", 3) == 0) {
90 +                                       *new_root = '\0';
91 +                                       new_root += 2;
92 +
93 +                                       if(chroot(user_dir) != 0)
94 +                                               fatal("Couldn't chroot to user directory %s", user_dir);
95 +                                               pw->pw_dir = new_root;
96 +                                               break;
97 +                                       }
98 +                                       new_root += 2;
99 +                       }
100 +               }
101 +#endif /* CHROOT */
102  # ifdef USE_PAM
103                 /*
104                  * PAM credentials may take the form of supplementary groups.
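Review bot: After `chroot(user_dir)` succeeds nothing calls `chdir("/")`, so the working directory is still whatever it was outside the new root; the usual pattern is to change into the new root immediately and treat a failure as fatal. The scan also starts at `user_dir + 1`, which is past the terminator when `pw_dir` is an empty string, and `pw->pw_dir = new_root; break;` are indented as if they belonged to the `if(chroot(...))` although they run on every match; a single `strstr(user_dir, "/./")` removes both problems. Nothing here checks that the chroot target is owned by root and not writable by the user, which the jail needs in order to be a real boundary, so a `stat()` check or at least a documented requirement is worth adding. do_setusercontext() starts and ends outside this hunk, so whether a later chdir covers the first point cannot be confirmed from here; the fence shows the rewritten block.

```c
		if (options.use_chroot) {
			user_dir = xstrdup(pw->pw_dir);
			/* first "/./" marker splits jail root from in-jail home */
			new_root = strstr(user_dir, "/./");
			if (new_root != NULL) {
				*new_root = '\0';
				/* enter the jail and drop any cwd left outside it */
				if (chroot(user_dir) != 0 || chdir("/") != 0)
					fatal("Couldn't chroot to user directory %s: %s",
					    user_dir, strerror(errno));
				/* pw_dir now points into user_dir, which must stay allocated */
				pw->pw_dir = new_root + 2;
			} else {
				xfree(user_dir);
			}
		}
```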
105 --- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
106 +++ openssh-3.7.1p2.pius/sshd_config    2003-10-07 20:49:08.000000000 +0200
107 @@ -71,6 +71,10 @@
108  # bypass the setting of 'PasswordAuthentication'
109  #UsePAM yes
110  
111 +# Set this to 'yes' to enable support for chrooted user environment.
112 +# You must create such environment before you can use this feature. 
113 +#UseChroot yes
114 +
115  #AllowTcpForwarding yes
116  #GatewayPorts no
117  #X11Forwarding no
118 --- openssh-3.7.1p2/sshd_config.0       2003-09-23 11:55:19.000000000 +0200
119 +++ openssh-3.7.1p2.pius/sshd_config.0  2003-10-07 20:49:08.000000000 +0200
120 @@ -349,6 +349,16 @@
121               To disable TCP keepalive messages, the value should be set to
122               ``no''.
123  
124 +     UseChroot
125 +             Specifies whether to use chroot-jail environment with ssh/sftp,
126 +             i.e. restrict users to a particular area in the filesystem. This
127 +             is done by setting user home directory to, for example,
128 +             /path/to/chroot/./home/username.  sshd looks for a '.' in the
129 +             users home directory, then calls chroot(2) to whatever directory
130 +             was before the . and continues with the normal ssh functionality.
131 +             For this to work properly you have to create special chroot-jail
132 +             environment in a /path/to/chroot directory.
133 +
134       UseDNS  Specifies whether sshd should look up the remote host name and
135               check that the resolved host name for the remote IP address maps
136               back to the very same IP address.  The default is ``yes''.
137 --- openssh-3.8p1/sshd_config.5.orig    2004-02-18 04:31:24.000000000 +0100
138 +++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
139 @@ -552,6 +552,16 @@
140  The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
141  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
142  The default is AUTH.
143 +.It Cm UseChroot
144 +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
145 +users to a particular area in the filesystem. This is done by setting user
146 +home directory to, for example, /path/to/chroot/./home/username.
147 +.Nm sshd
148 +looks for a '.' in the users home directory, then calls
149 +.Xr chroot 2
150 +to whatever directory was before the . and continues with the normal ssh
151 +functionality. For this to work properly you have to create special chroot-jail
152 +environment in a /path/to/chroot directory.
153  .It Cm TCPKeepAlive
154  Specifies whether the system should send TCP keepalive messages to the
155  other side.