Bugzilla – Attachment 1206 Details for
Bug 177
provide chroot option for sftp-server
[patch]
Updated patch
sftp-chroot-20061108.diff (text/plain), 3.71 KB, created by
Damien Miller
on 2006-11-10 02:52:28 AEDT
Description:
Updated patch
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2006-11-10 02:52:28 AEDT
Size:
3.71 KB
>Index: sftp-server.8
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sftp-server.8,v
>retrieving revision 1.11
>diff -u -p -r1.11 sftp-server.8
>--- sftp-server.8 6 Jul 2006 10:47:57 -0000 1.11
>+++ sftp-server.8 9 Nov 2006 15:35:13 -0000
>@@ -30,6 +30,7 @@
> .Nd SFTP server subsystem
> .Sh SYNOPSIS
> .Nm sftp-server
>+.Op Fl C Ar chroot_path
> .Op Fl f Ar log_facility
> .Op Fl l Ar log_level
> .Sh DESCRIPTION
>@@ -54,6 +55,25 @@ for more information.
> .Pp
> Valid options are:
> .Bl -tag -width Ds
>+.It Fl C Ar chroot_path
>+Requests that
>+.Nm
>+.Xr chroot 2
>+itself to the specified path prior to processing requests from the user.
>+The
>+.Ar chroot_path
>+use the tilde syntax to refer to a user's home directory or one of the
>+following
>+escape characters:
>+.Ql %d
>+(local user's home directory) or
>+.Ql %g
>+(local user's primary group name).
>+Note that
>+.Xr chroot 2
>+support requires
>+.Nm
>+to be installed setuid root.
> .It Fl f Ar log_facility
> Specifies the facility code that is used when logging messages from
> .Nm .
>Index: sftp-server.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sftp-server.c,v
>retrieving revision 1.70
>diff -u -p -r1.70 sftp-server.c
>--- sftp-server.c 3 Aug 2006 03:34:42 -0000 1.70
>+++ sftp-server.c 9 Nov 2006 15:35:13 -0000
>@@ -27,6 +27,7 @@
> #include <stdio.h>
> #include <string.h>
> #include <pwd.h>
>+#include <grp.h>
> #include <time.h>
> #include <unistd.h>
> #include <stdarg.h>
>@@ -1161,6 +1162,35 @@ process(void)
> buffer_consume(&iqueue, msg_len - consumed);
> }
>
>+static void
>+do_chroot(const char *chroot_path_template)
>+{
>+ char *cp, *chroot_path;
>+ struct group *gr;
>+
>+ if ((gr = getgrgid(pw->pw_gid)) == NULL)
>+ fatal("No group found for gid %lu", (u_long)pw->pw_gid);
>+
>+ cp = percent_expand(chroot_path_template, "d", pw->pw_dir,
>+ "u", pw->pw_name, "g", gr->gr_name, (char *)NULL);
>+ chroot_path = tilde_expand_filename(cp, getuid());
>+ xfree(cp);
>+
>+ logit("chroot to %s", chroot_path);
>+
>+ /* Ensure the user has rights to access the chroot path first */
>+ temporarily_use_uid(pw);
>+ if (chdir(chroot_path) == -1)
>+ fatal("chdir(\"%s\"): %s", chroot_path, strerror(errno));
>+ restore_uid();
>+
>+ if (chroot(chroot_path) == -1)
>+ fatal("chroot(\"%s\"): %s", chroot_path, strerror(errno));
>+ if (chdir("/") == -1)
>+ fatal("chdir(\"/\"): %s", strerror(errno));
>+ xfree(chroot_path);
>+}
>+
> /* Cleanup handler that logs active handles upon normal exit */
> void
> cleanup_exit(int i)
>@@ -1190,7 +1220,7 @@ main(int argc, char **argv)
> int in, out, max, ch, skipargs = 0, log_stderr = 0;
> ssize_t len, olen, set_size;
> SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
>- char *cp;
>+ char *cp, *chroot_path = NULL;
>
> extern char *optarg;
> extern char *__progname;
>@@ -1202,6 +1232,9 @@ main(int argc, char **argv)
>
> while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) {
> switch (ch) {
>+ case 'C':
>+ chroot_path = optarg;
>+ break;
> case 'c':
> /*
> * Ignore all arguments if we are invoked as a
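Review bot: In do_chroot(), `chroot(chroot_path)` resolves the path a second time with root privileges after the access check made by `chdir(chroot_path)` under the user's uid, so the directory that was checked is not guaranteed to be the one that becomes the root if a path component changes in between. The process is already inside the checked directory at that point, so `if (chroot(".") == -1)` would bind the chroot to exactly what was checked. The function also never looks at who owns the target or whether it is writable; for a setuid-root binary I would verify that the directory and its parents are root-owned and not group- or world-writable before the chroot() call, and state that requirement in the comment above `temporarily_use_uid(pw)`. `pw` is defined outside this hunk, presumably as the invoking user's passwd entry.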
>@@ -1246,6 +1279,11 @@ main(int argc, char **argv)
> logit("session opened for local user %s from [%s]",
> pw->pw_name, client_addr);
>
>+ if (chroot_path != NULL)
>+ do_chroot(chroot_path);
>+ if (getuid() != geteuid())
>+ permanently_set_uid(pw);
>+
> handle_init();
>
> in = dup(STDIN_FILENO);
>Index: sftp-server/Makefile
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sftp-server/Makefile,v
>retrieving revision 1.6
>diff -u -p -r1.6 Makefile
>--- sftp-server/Makefile 18 Apr 2006 10:44:28 -0000 1.6
>+++ sftp-server/Makefile 9 Nov 2006 15:35:13 -0000
>@@ -5,7 +5,7 @@
> PROG= sftp-server
> BINOWN= root
>
>-BINMODE?=555
>+BINMODE?=4555
>
> BINDIR= /usr/libexec
> MAN= sftp-server.8
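Review bot: Everything main() does before this point, including the getopt loop and the `logit()` call shown as context, runs with euid 0 once the binary is installed setuid, because `permanently_set_uid(pw)` is first reached here. The `-C` value is taken directly from `optarg`, so it is chosen by whoever invokes the binary and should be treated as untrusted input to privileged code. I would add a comment such as `/* Drop setuid-root privileges before any client request is handled */` above the `getuid() != geteuid()` test. It is also worth considering a temporary drop of the effective uid at the top of main(), so that only do_chroot() runs privileged. main() starts and ends outside this hunk, so the earlier code paths could not be checked from here.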
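Review bot: `BINMODE?=4555` installs sftp-server setuid root on every system, including those that never pass `-C`, and leaves it executable by all local users. I would keep the default at `BINMODE?=555` and let administrators who need the chroot option opt in, or limit execution to a dedicated group with something like `BINMODE?=4550` plus a matching `BINGRP`. A comment above the line saying that the setuid bit exists only for chroot(2) support would make the intent clear to packagers.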
Attachments on
bug 177
:
683
|
1018
|
1156
|
1206
|
1277
|
1346