Release 3 (by relup.sh)
1 diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c
2 --- openssh-8.8p1.org/servconf.c        2021-09-26 16:03:19.000000000 +0200
3 +++ openssh-8.8p1/servconf.c    2021-12-09 20:13:16.486586503 +0100
4 @@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
5  
6         /* Portable-specific options */
7         options->use_pam = -1;
8 -
9 +       
10 +       options->use_chroot = -1;
11 +       
12         /* Standard Options */
13         options->num_ports = 0;
14         options->ports_from_cmdline = 0;
15 @@ -279,6 +281,9 @@ fill_default_server_options(ServerOption
16         if (options->use_pam == -1)
17                 options->use_pam = 0;
18  
19 +       if (options->use_chroot == -1)
20 +               options->use_chroot = 0;
21 +       
22         /* Standard Options */
23         if (options->num_host_key_files == 0) {
24                 /* fill default hostkeys for protocols */
25 @@ -486,6 +491,7 @@ typedef enum {
26         sBadOption,             /* == unknown option */
27         /* Portable-specific options */
28         sUsePAM,
29 +       sUseChroot,
30         /* Standard Options */
31         sPort, sHostKeyFile, sLoginGraceTime,
32         sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
33 @@ -538,6 +544,11 @@ static struct {
34  #else
35         { "usepam", sUnsupported, SSHCFG_GLOBAL },
36  #endif
37 +#ifdef CHROOT
38 +       { "usechroot", sUseChroot, SSHCFG_GLOBAL },
39 +#else
40 +       { "usechroot", sUnsupported, SSHCFG_GLOBAL },
41 +#endif /* CHROOT */
42         { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
43         /* Standard Options */
44         { "port", sPort, SSHCFG_GLOBAL },
45 @@ -1332,6 +1343,10 @@ process_server_config_line_depth(ServerO
46                 intptr = &options->use_pam;
47                 goto parse_flag;
48  
49 +       case sUseChroot:
50 +               intptr = &options->use_chroot;
51 +               goto parse_flag;
52 +
53         /* Standard Options */
54         case sBadOption:
55                 goto out;
56 diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.h openssh-8.8p1/servconf.h
57 --- openssh-8.8p1.org/servconf.h        2021-09-26 16:03:19.000000000 +0200
58 +++ openssh-8.8p1/servconf.h    2021-12-09 20:13:16.486586503 +0100
59 @@ -183,6 +183,7 @@ typedef struct {
60         int     max_authtries;
61         int     max_sessions;
62         char   *banner;                 /* SSH-2 banner message */
63 +       int     use_chroot;             /* Enable chrooted enviroment support */
64         int     use_dns;
65         int     client_alive_interval;  /*
66                                          * poke the client this often to
67 diff -urNp -x '*.orig' openssh-8.8p1.org/session.c openssh-8.8p1/session.c
68 --- openssh-8.8p1.org/session.c 2021-09-26 16:03:19.000000000 +0200
69 +++ openssh-8.8p1/session.c     2021-12-09 20:13:16.489919836 +0100
70 @@ -1359,6 +1359,10 @@ void
71  do_setusercontext(struct passwd *pw)
72  {
73         char uidstr[32], *chroot_path, *tmp;
74 +#ifdef CHROOT
75 +       char *user_dir;
76 +       char *new_root;
77 +#endif /* CHROOT */
78  
79         platform_setusercontext(pw);
80  
81 @@ -1401,6 +1405,29 @@ do_setusercontext(struct passwd *pw)
82                         free(options.chroot_directory);
83                         options.chroot_directory = NULL;
84                         in_chroot = 1;
85 +#ifdef CHROOT
86 +               } else if (!in_chroot && options.use_chroot) {
87 +                       user_dir = xstrdup(pw->pw_dir);
88 +                       new_root = user_dir + 1;
89 +
90 +                       while ((new_root = strchr(new_root, '.')) != NULL) {
91 +                               new_root--;
92 +                               if (strncmp(new_root, "/./", 3) == 0) {
93 +                                       *new_root = '\0';
94 +                                       new_root += 2;
95 +
96 +                                       if (chroot(user_dir) != 0)
97 +                                               fatal("Couldn't chroot to user directory %s", user_dir);
98 +                                       /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
99 +                                       free(pw->pw_dir);
100 +                                       pw->pw_dir = xstrdup(new_root);
101 +                                       in_chroot = 1;
102 +                                       break;
103 +                               }
104 +                               new_root += 2;
105 +                       }
106 +                       free(user_dir);
107 +#endif /* CHROOT */
108                 }
109  
110  #ifdef HAVE_LOGIN_CAP
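Review bot: The new `else if (!in_chroot && options.use_chroot)` branch calls `chroot(user_dir)` but never calls `chdir("/")`, so the process keeps a working directory outside the new root and the confinement is incomplete; the ChrootDirectory branch just above this hunk (outside it) goes through `safely_chroot()`, which performs that `chdir` and, if the helper is unchanged here, also refuses a target whose path components are not root-owned or are group/world-writable, a check this branch does not make on a directory taken from the passwd home field. Replacing the two lines `if (chroot(user_dir) != 0)` / `fatal("Couldn't chroot to user directory %s", user_dir);` with `safely_chroot(user_dir, pw->pw_uid);` covers both, provided that helper is in scope at this point. Separately, `new_root = user_dir + 1` assumes `pw->pw_dir` is non-empty; an empty home field would make the following `strchr` read past the terminator, so guard with `if (*user_dir == '\0') fatal("empty home directory for %s", pw->pw_name);` before the loop. do_setusercontext begins in the previous hunk and continues past the end of this one.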
111 diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config
112 --- openssh-8.8p1.org/sshd_config       2021-12-09 20:13:16.326586503 +0100
113 +++ openssh-8.8p1/sshd_config   2021-12-09 20:13:16.489919836 +0100
114 @@ -85,6 +85,10 @@ GSSAPIAuthentication yes
115  # and KbdInteractiveAuthentication to 'no'.
116  #UsePAM no
117  
118 +# Set this to 'yes' to enable support for chrooted user environment.
119 +# You must create such environment before you can use this feature.
120 +#UseChroot yes
121 +
122  #AllowAgentForwarding yes
123  #AllowTcpForwarding yes
124  #GatewayPorts no
125 diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.0 openssh-8.8p1/sshd_config.0
126 --- openssh-8.8p1.org/sshd_config.0     2021-09-26 16:06:42.000000000 +0200
127 +++ openssh-8.8p1/sshd_config.0 2021-12-09 20:13:16.489919836 +0100
128 @@ -1053,6 +1053,16 @@ DESCRIPTION
129               open channels.  This option may be useful in conjunction with
130               ChannelTimeout.
131  
132 +     UseChroot
133 +             Specifies whether to use chroot-jail environment with ssh/sftp,
134 +             i.e. restrict users to a particular area in the filesystem. This
135 +             is done by setting user home directory to, for example,
136 +             /path/to/chroot/./home/username.  sshd looks for a '.' in the
137 +             users home directory, then calls chroot(2) to whatever directory
138 +             was before the . and continues with the normal ssh functionality.
139 +             For this to work properly you have to create special chroot-jail
140 +             environment in a /path/to/chroot directory.
141 +
142       UseDNS  Specifies whether sshd(8) should look up the remote host name,
143               and to check that the resolved host name for the remote IP
144               address maps back to the very same IP address.
145 diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.5 openssh-8.8p1/sshd_config.5
146 --- openssh-8.8p1.org/sshd_config.5     2021-09-26 16:03:19.000000000 +0200
147 +++ openssh-8.8p1/sshd_config.5 2021-12-09 20:13:16.489919836 +0100
148 @@ -1697,6 +1697,16 @@ Gives the facility code that is used whe
149  The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
150  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
151  The default is AUTH.
152 +.It Cm UseChroot
153 +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
154 +users to a particular area in the filesystem. This is done by setting user
155 +home directory to, for example, /path/to/chroot/./home/username.
156 +.Nm sshd
157 +looks for a '.' in the users home directory, then calls
158 +.Xr chroot 2
159 +to whatever directory was before the . and continues with the normal ssh
160 +functionality. For this to work properly you have to create special chroot-jail
161 +environment in a /path/to/chroot directory.
162  .It Cm TCPKeepAlive
163  Specifies whether the system should send TCP keepalive messages to the
164  other side.