Bugzilla – Attachment 1678 Details for
Bug 1593
Configuration ChrootDirectory=%h is unuseful (users cannot access their homes)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
last version of the patch 08/28/09
homechroot.patch (text/plain), 5.75 KB, created by
jchadima
on 2009-08-28 15:25:25 AEST
(
hide
)
Description:
last version of the patch 08/28/09
Filename:
MIME Type:
Creator:
jchadima
Created:
2009-08-28 15:25:25 AEST
Size:
5.75 KB
patch
obsolete
>diff -up /dev/null openssh-5.2p1/chrootenv.h >--- /dev/null 2009-08-07 01:35:10.766767959 +0200 >+++ openssh-5.2p1/chrootenv.h 2009-08-08 13:02:10.650120469 +0200 >@@ -0,0 +1,32 @@ >+/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ >+ >+/* >+ * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, this list of conditions and the following disclaimer. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * >+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR >+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES >+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. >+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, >+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT >+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF >+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >+ */ >+#ifndef CHROOTENV_H >+#define CHROOTENV_H >+ >+extern int chroot_no_tree; >+ >+#endif >+ >diff -up openssh-5.2p1/session.c.homechroot openssh-5.2p1/session.c >--- openssh-5.2p1/session.c.homechroot 2009-01-28 06:29:49.000000000 +0100 >+++ openssh-5.2p1/session.c 2009-08-08 13:02:10.652154360 +0200 >@@ -119,6 +119,8 @@ void do_child(Session *, const char *); > void do_motd(void); > int check_quietlogin(Session *, const char *); > >+int chroot_no_tree = 0; >+ > static void do_authenticated1(Authctxt *); > static void do_authenticated2(Authctxt *); > >@@ -802,6 +804,11 @@ do_exec(Session *s, const char *command) > debug("Forced command (key option) '%.900s'", command); > } > >+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) { >+ logit("You aren't welcomed, go away!"); >+ exit (1); >+ } >+ > #ifdef SSH_AUDIT_EVENTS > if (command != NULL) > PRIVSEP(audit_run_command(command)); >@@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui > const char *cp; > char component[MAXPATHLEN]; > struct stat st; >+ int last; > > if (*path != '/') > fatal("chroot path does not begin at root"); >@@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui > * root-owned directory with strict permissions. > */ > for (cp = path; cp != NULL;) { >- if ((cp = strchr(cp, '/')) == NULL) >+ if (((last = ((cp = strchr(cp, '/')) == NULL)))) > strlcpy(component, path, sizeof(component)); > else { > cp++; >@@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui > if (stat(component, &st) != 0) > fatal("%s: stat(\"%s\"): %s", __func__, > component, strerror(errno)); >- if (st.st_uid != 0 || (st.st_mode & 022) != 0) >+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid)) > fatal("bad ownership or modes for chroot " > "directory %s\"%s\"", > cp == NULL ? "" : "component ", component); > if (!S_ISDIR(st.st_mode)) > fatal("chroot path %s\"%s\" is not a directory", > cp == NULL ? "" : "component ", component); >- > } >+ setenv ("TZ", "/etc/localtime", 0); >+ tzset (); >+ >+ if (st.st_uid != uid) >+ ++chroot_no_tree; > > if (chdir(path) == -1) > fatal("Unable to chdir to chroot path \"%s\": " >@@ -1450,6 +1462,10 @@ safely_chroot(const char *path, uid_t ui > if (chdir("/") == -1) > fatal("%s: chdir(/) after chroot: %s", > __func__, strerror(errno)); >+ >+ if (access ("/etc/localtime", R_OK) < 0) >+ ++chroot_no_tree; >+ > verbose("Changed root directory to \"%s\"", path); > } > >diff -up openssh-5.2p1/sftp.c.homechroot openssh-5.2p1/sftp.c >--- openssh-5.2p1/sftp.c.homechroot 2009-02-14 06:26:19.000000000 +0100 >+++ openssh-5.2p1/sftp.c 2009-08-08 13:02:10.656021480 +0200 >@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons > > extern char *__progname; > >+int chroot_no_tree = 0; >+ > /* Separators for interactive commands */ > #define WHITESPACE " \t\r\n" > >diff -up openssh-5.2p1/sftp-common.c.homechroot openssh-5.2p1/sftp-common.c >--- openssh-5.2p1/sftp-common.c.homechroot 2006-08-05 04:39:40.000000000 +0200 >+++ openssh-5.2p1/sftp-common.c 2009-08-08 13:02:10.657490438 +0200 >@@ -40,6 +40,7 @@ > #include "xmalloc.h" > #include "buffer.h" > #include "log.h" >+#include "chrootenv.h" > > #include "sftp.h" > #include "sftp-common.h" >@@ -194,13 +195,13 @@ ls_file(const char *name, const struct s > char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1]; > > strmode(st->st_mode, mode); >- if (!remote && (pw = getpwuid(st->st_uid)) != NULL) { >+ if (!remote && !chroot_no_tree && (pw = getpwuid(st->st_uid)) != NULL) { > user = pw->pw_name; > } else { > snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid); > user = ubuf; > } >- if (!remote && (gr = getgrgid(st->st_gid)) != NULL) { >+ if (!remote && !chroot_no_tree && (gr = getgrgid(st->st_gid)) != NULL) { > group = gr->gr_name; > } else { > snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid); >diff -up openssh-5.2p1/sftp-server-main.c.homechroot openssh-5.2p1/sftp-server-main.c >--- openssh-5.2p1/sftp-server-main.c.homechroot 2009-02-21 22:47:02.000000000 +0100 >+++ openssh-5.2p1/sftp-server-main.c 2009-08-08 13:02:10.659450179 +0200 >@@ -22,11 +22,14 @@ > #include <stdarg.h> > #include <stdio.h> > #include <unistd.h> >+#include <time.h> > > #include "log.h" > #include "sftp.h" > #include "misc.h" > >+int chroot_no_tree = 0; >+ > void > cleanup_exit(int i) > {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1678">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1593
:
1629
| 1678