Bugzilla – Attachment 1336 Details for
Bug 1352
Chroot support for sshd
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
ChrootDirectory for core OpenSSH
sshd-chroot.diff (text/plain), 4.01 KB, created by
Damien Miller
on 2007-08-10 13:30:57 AEST
(
hide
)
Description:
ChrootDirectory for core OpenSSH
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2007-08-10 13:30:57 AEST
Size:
4.01 KB
patch
obsolete
>Index: servconf.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/servconf.c,v >retrieving revision 1.172 >diff -u -p -r1.172 servconf.c >--- servconf.c 23 Apr 2007 10:15:39 -0000 1.172 >+++ servconf.c 10 Aug 2007 02:00:36 -0000 >@@ -115,6 +115,7 @@ initialize_server_options(ServerOptions > options->permit_tun = -1; > options->num_permitted_opens = -1; > options->adm_forced_command = NULL; >+ options->chroot_directory = NULL; > } > > void >@@ -266,7 +267,7 @@ typedef enum { > sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, > sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, > sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, >- sMatch, sPermitOpen, sForceCommand, >+ sMatch, sPermitOpen, sForceCommand, sChrootDirectory, > sUsePrivilegeSeparation, > sDeprecated, sUnsupported > } ServerOpCodes; >@@ -366,6 +367,7 @@ static struct { > { "match", sMatch, SSHCFG_ALL }, > { "permitopen", sPermitOpen, SSHCFG_ALL }, > { "forcecommand", sForceCommand, SSHCFG_ALL }, >+ { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, > { NULL, sBadOption, 0 } > }; > >@@ -1210,6 +1212,10 @@ parse_flag: > options->adm_forced_command = xstrdup(cp + len); > return 0; > >+ case sChrootDirectory: >+ charptr = &options->chroot_directory; >+ goto parse_filename; >+ > case sDeprecated: > logit("%s line %d: Deprecated option %s", > filename, linenum, arg); >@@ -1317,6 +1323,7 @@ copy_set_server_options(ServerOptions *d > if (preauth) > return; > M_CP_STROPT(adm_forced_command); >+ M_CP_STROPT(chroot_directory); > } > > #undef M_CP_INTOPT >Index: servconf.h >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/servconf.h,v >retrieving revision 1.80 >diff -u -p -r1.80 servconf.h >--- servconf.h 19 Feb 2007 10:45:58 -0000 1.80 >+++ servconf.h 10 Aug 2007 02:00:36 -0000 >@@ -139,6 +139,8 @@ typedef struct { > int permit_tun; > > int num_permitted_opens; >+ >+ char *chroot_directory; > } ServerOptions; > > void initialize_server_options(ServerOptions *); >Index: session.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/session.c,v >retrieving revision 1.221 >diff -u -p -r1.221 session.c >--- session.c 21 Jan 2007 01:41:54 -0000 1.221 >+++ session.c 10 Aug 2007 02:00:37 -0000 >@@ -73,6 +73,7 @@ > #include "sshlogin.h" > #include "serverloop.h" > #include "canohost.h" >+#include "misc.h" > #include "session.h" > #ifdef GSSAPI > #include "ssh-gss.h" >@@ -117,7 +118,7 @@ extern Buffer loginmsg; > const char *original_command = NULL; > > /* data */ >-#define MAX_SESSIONS 10 >+#define MAX_SESSIONS 20 > Session sessions[MAX_SESSIONS]; > > #ifdef HAVE_LOGIN_CAP >@@ -560,7 +561,6 @@ do_exec(Session *s, const char *command) > restore_uid(); > } > #endif >- > if (s->ttyfd != -1) > do_exec_pty(s, command); > else >@@ -964,9 +964,10 @@ void > do_setusercontext(struct passwd *pw) > { > if (getuid() == 0 || geteuid() == 0) { >+ /* Prepare groups */ > #ifdef HAVE_LOGIN_CAP > if (setusercontext(lc, pw, pw->pw_uid, >- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { >+ (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { > perror("unable to set user context"); > exit(1); > } >@@ -983,7 +984,30 @@ do_setusercontext(struct passwd *pw) > exit(1); > } > endgrent(); >+#endif >+ >+ if (options.chroot_directory != NULL) { >+ char *chroot_path; >+ >+ chroot_path = percent_expand(options.chroot_directory, >+ "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL); >+ if (chdir(chroot_path) == -1) >+ fatal("Unable to chdir to chroot path \"%s\": " >+ "%s", chroot_path, strerror(errno)); >+ if (chroot(chroot_path) == -1) >+ fatal("chroot(\"%s\"): %s", chroot_path, >+ strerror(errno)); >+ verbose("Changed root to \"%s\"", chroot_path); >+ free(chroot_path); >+ } > >+ /* Set UID */ >+#ifdef HAVE_LOGIN_CAP >+ if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { >+ perror("unable to set user context (setuser)"); >+ exit(1); >+ } >+#else > /* Permanently switch to the desired uid. */ > permanently_set_uid(pw); > #endif
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1336">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1352
: 1336 |
1337