Bugzilla – Attachment 1337 Details for
Bug 1352
Chroot support for sshd
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
ChrootDirectory for portable OpenSSH
sshd-chroot-portable.diff (text/plain), 4.77 KB, created by
Damien Miller
on 2007-08-10 13:31:45 AEST
(
hide
)
Description:
ChrootDirectory for portable OpenSSH
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2007-08-10 13:31:45 AEST
Size:
4.77 KB
patch
obsolete
>Index: servconf.c >=================================================================== >RCS file: /var/cvs/openssh/servconf.c,v >retrieving revision 1.163 >diff -u -p -r1.163 servconf.c >--- servconf.c 20 May 2007 05:03:16 -0000 1.163 >+++ servconf.c 10 Aug 2007 02:01:19 -0000 >@@ -122,6 +122,7 @@ initialize_server_options(ServerOptions > options->permit_tun = -1; > options->num_permitted_opens = -1; > options->adm_forced_command = NULL; >+ options->chroot_directory = NULL; > } > > void >@@ -291,7 +292,7 @@ typedef enum { > sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, > sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, > sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, >- sMatch, sPermitOpen, sForceCommand, >+ sMatch, sPermitOpen, sForceCommand, sChrootDirectory, > sUsePrivilegeSeparation, > sDeprecated, sUnsupported > } ServerOpCodes; >@@ -403,6 +404,7 @@ static struct { > { "match", sMatch, SSHCFG_ALL }, > { "permitopen", sPermitOpen, SSHCFG_ALL }, > { "forcecommand", sForceCommand, SSHCFG_ALL }, >+ { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, > { NULL, sBadOption, 0 } > }; > >@@ -1253,6 +1255,10 @@ parse_flag: > options->adm_forced_command = xstrdup(cp + len); > return 0; > >+ case sChrootDirectory: >+ charptr = &options->chroot_directory; >+ goto parse_filename; >+ > case sDeprecated: > logit("%s line %d: Deprecated option %s", > filename, linenum, arg); >@@ -1360,6 +1366,7 @@ copy_set_server_options(ServerOptions *d > if (preauth) > return; > M_CP_STROPT(adm_forced_command); >+ M_CP_STROPT(chroot_directory); > } > > #undef M_CP_INTOPT >Index: servconf.h >=================================================================== >RCS file: /var/cvs/openssh/servconf.h,v >retrieving revision 1.72 >diff -u -p -r1.72 servconf.h >--- servconf.h 19 Feb 2007 11:25:38 -0000 1.72 >+++ servconf.h 10 Aug 2007 02:01:19 -0000 >@@ -141,6 +141,8 @@ typedef struct { > int permit_tun; > > int num_permitted_opens; >+ >+ char *chroot_directory; > } ServerOptions; > > void initialize_server_options(ServerOptions *); >Index: session.c >=================================================================== >RCS file: /var/cvs/openssh/session.c,v >retrieving revision 1.351 >diff -u -p -r1.351 session.c >--- session.c 26 Mar 2007 16:35:28 -0000 1.351 >+++ session.c 10 Aug 2007 03:20:44 -0000 >@@ -84,6 +84,7 @@ > #include "sshlogin.h" > #include "serverloop.h" > #include "canohost.h" >+#include "misc.h" > #include "session.h" > #include "kex.h" > #include "monitor_wrap.h" >@@ -129,7 +130,7 @@ extern Buffer loginmsg; > const char *original_command = NULL; > > /* data */ >-#define MAX_SESSIONS 10 >+#define MAX_SESSIONS 20 > Session sessions[MAX_SESSIONS]; > > #ifdef HAVE_LOGIN_CAP >@@ -701,7 +702,6 @@ do_exec(Session *s, const char *command) > PRIVSEP(audit_run_command(shell)); > } > #endif >- > if (s->ttyfd != -1) > do_exec_pty(s, command); > else >@@ -1314,7 +1314,7 @@ do_setusercontext(struct passwd *pw) > } > # endif /* USE_PAM */ > if (setusercontext(lc, pw, pw->pw_uid, >- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { >+ (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { > perror("unable to set user context"); > exit(1); > } >@@ -1337,13 +1337,13 @@ do_setusercontext(struct passwd *pw) > exit(1); > } > endgrent(); >-#ifdef GSSAPI >+# ifdef GSSAPI > if (options.gss_authentication) { > temporarily_use_uid(pw); > ssh_gssapi_storecreds(); > restore_uid(); > } >-#endif >+# endif > # ifdef USE_PAM > /* > * PAM credentials may take the form of supplementary groups. >@@ -1357,15 +1357,38 @@ do_setusercontext(struct passwd *pw) > # endif /* USE_PAM */ > # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) > irix_setusercontext(pw); >-# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ >+# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ > # ifdef _AIX > aix_usrinfo(pw); > # endif /* _AIX */ >-#ifdef USE_LIBIAF >+# ifdef USE_LIBIAF > if (set_id(pw->pw_name) != 0) { > exit(1); > } >-#endif /* USE_LIBIAF */ >+# endif /* USE_LIBIAF */ >+#endif >+ >+ if (options.chroot_directory != NULL) { >+ char *chroot_path; >+ >+ chroot_path = percent_expand(options.chroot_directory, >+ "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL); >+ if (chdir(chroot_path) == -1) >+ fatal("Unable to chdir to chroot path \"%s\": " >+ "%s", chroot_path, strerror(errno)); >+ if (chroot(chroot_path) == -1) >+ fatal("chroot(\"%s\"): %s", chroot_path, >+ strerror(errno)); >+ verbose("Changed root to \"%s\"", chroot_path); >+ free(chroot_path); >+ } >+ >+#ifdef HAVE_LOGIN_CAP >+ if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { >+ perror("unable to set user context (setuser)"); >+ exit(1); >+ } >+#else > /* Permanently switch to the desired uid. */ > permanently_set_uid(pw); > #endif
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1337">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1352
:
1336
| 1337