
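--- a/orig/openssh-5.9p1/servconf.c
+++ b/orig/openssh-5.9p1/servconf.c
@@ -138,6 +138,7 @@
 	options->authorized_principals_file = NULL;
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
+	options->restrict_sftp_sys_to_basics = -1;
 }
 
 void
@@ -277,6 +278,8 @@
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
+	if (options->restrict_sftp_sys_to_basics == -1)
+		options->restrict_sftp_sys_to_basics = 0;
 
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
@@ -324,6 +327,7 @@
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sKexAlgorithms, sIPQoS,
+	sRestrictSftpSysToBasics,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -448,6 +452,7 @@
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
+	{ "restrictsftpsystobasics", sRestrictSftpSysToBasics, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1395,6 +1400,10 @@
 		}
 		break;
 
+	case sRestrictSftpSysToBasics:
+		intptr = &options->restrict_sftp_sys_to_basics;
+		goto parse_flag;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -1513,6 +1522,7 @@
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
+	M_CP_INTOPT(restrict_sftp_sys_to_basics);
 
 	/* See comment in servconf.h */
 	COPY_MATCH_STRING_OPTS();
@@ -1745,6 +1755,7 @@
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+	dump_cfg_fmtint(sRestrictSftpSysToBasics, o->restrict_sftp_sys_to_basics);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);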
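--- a/orig/openssh-5.9p1/servconf.h
+++ b/orig/openssh-5.9p1/servconf.h
@@ -166,6 +166,13 @@
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
 	char   *authorized_principals_file;
+	int	restrict_sftp_sys_to_basics; /*
+					* Internal sftp subsystem:
+					* Allow basic commands only
+					* (prohibit mkdir, rmdir, rename,
+					*  symlink, hardlink, setstat, statvfs,
+					*  and their variants)
+					*/
 }       ServerOptions;
 
 /*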
(-)orig/openssh-5.9p1/session.c (-1 / +1 lines)
Lines 1775-1781 Link Here
1775
#ifdef WITH_SELINUX
1775
#ifdef WITH_SELINUX
1776
		ssh_selinux_change_context("sftpd_t");
1776
		ssh_selinux_change_context("sftpd_t");
1777
#endif
1777
#endif
1778
		exit(sftp_server_main(i, argv, s->pw));
1778
		exit(sftp_server_main(i, argv, s->pw, options.restrict_sftp_sys_to_basics));
1779
	}
1779
	}
1780
1780
1781
	fflush(NULL);
1781
	fflush(NULL);
(-)orig/openssh-5.9p1/sftp-server-main.c (-1 / +1 lines)
Lines 47-51 Link Here
47
		return 1;
47
		return 1;
48
	}
48
	}
49
49
50
	return (sftp_server_main(argc, argv, user_pw));
50
	return (sftp_server_main(argc, argv, user_pw, 0));
51
}
51
}
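Review bot: The standalone sftp-server passes a hard-coded 0 here, so with `Subsystem sftp /usr/libexec/sftp-server` the new RestrictSFtpSysToBasics option is silently ignored, and nothing in this patch warns the administrator about that. Either expose the switch on the sftp-server command line so a Subsystem line can enable it (the getopt loop in sftp_server_main is outside the hunks shown), or state explicitly in the sshd_config.5 entry that the option only takes effect with `Subsystem sftp internal-sftp`. The enclosing main() starts before this hunk.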
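--- a/orig/openssh-5.9p1/sftp-server.c
+++ b/orig/openssh-5.9p1/sftp-server.c
@@ -63,6 +63,9 @@
 struct passwd *pw = NULL;
 char *client_addr = NULL;
 
+/* Only basic operations allowed for client; RestrictSFtpSysToBasics in config */
+int restrict_to_basics;
+
 /* input and output queue */
 Buffer iqueue;
 Buffer oqueue;
@@ -771,7 +774,7 @@
 	name = get_string(NULL);
 	a = get_attrib();
 	debug("request %u: setstat name \"%s\"", id, name);
-	if (readonly) {
+	if (readonly || restrict_to_basics) {
 		status = SSH2_FX_PERMISSION_DENIED;
 		a->flags = 0;
 	}
@@ -825,7 +828,7 @@
 	fd = handle_to_fd(handle);
 	if (fd < 0)
 		status = SSH2_FX_FAILURE;
-	else if (readonly)
+	else if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		char *name = handle_to_name(handle);
@@ -1000,7 +1003,7 @@
 	    a->perm & 07777 : 0777;
 	debug3("request %u: mkdir", id);
 	logit("mkdir name \"%s\" mode 0%o", name, mode);
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = mkdir(name, mode);
@@ -1021,7 +1024,7 @@
 	name = get_string(NULL);
 	debug3("request %u: rmdir", id);
 	logit("rmdir name \"%s\"", name);
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = rmdir(name);
@@ -1071,7 +1074,7 @@
 	debug3("request %u: rename", id);
 	logit("rename old \"%s\" new \"%s\"", oldpath, newpath);
 	status = SSH2_FX_FAILURE;
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else if (lstat(oldpath, &sb) == -1)
 		status = errno_to_portable(errno);
@@ -1157,7 +1160,7 @@
 	debug3("request %u: symlink", id);
 	logit("symlink old \"%s\" new \"%s\"", oldpath, newpath);
 	/* this will fail if 'newpath' exists */
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = symlink(oldpath, newpath);
@@ -1178,7 +1181,7 @@
 	newpath = get_string(NULL);
 	debug3("request %u: posix-rename", id);
 	logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath);
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = rename(oldpath, newpath);
@@ -1199,7 +1202,9 @@
 	debug3("request %u: statfs", id);
 	logit("statfs \"%s\"", path);
 
-	if (statvfs(path, &st) != 0)
+	if (restrict_to_basics)
+		send_status(id, SSH2_FX_PERMISSION_DENIED);
+	else if (statvfs(path, &st) != 0)
 		send_status(id, errno_to_portable(errno));
 	else
 		send_statvfs(id, &st);
@@ -1219,7 +1224,9 @@
 		send_status(id, SSH2_FX_FAILURE);
 		return;
 	}
-	if (fstatvfs(fd, &st) != 0)
+	if (restrict_to_basics)
+		send_status(id, SSH2_FX_PERMISSION_DENIED);
+	else if (fstatvfs(fd, &st) != 0)
 		send_status(id, errno_to_portable(errno));
 	else
 		send_statvfs(id, &st);
@@ -1235,7 +1242,7 @@
 	newpath = get_string(NULL);
 	debug3("request %u: hardlink", id);
 	logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath);
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = link(oldpath, newpath);
@@ -1396,7 +1403,7 @@
 }
 
 int
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int restrict_client_to_basics)
 {
 	fd_set *rset, *wset;
 	int in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1464,6 +1471,7 @@
 		client_addr = xstrdup("UNKNOWN");
 
 	pw = pwcopy(user_pw);
+	restrict_to_basics = restrict_client_to_basics;
 
 	logit("session opened for local user %s from [%s]",
 	    pw->pw_name, client_addr);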
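Review bot: The restriction does not cover SSH2_FXP_REMOVE: the section's -11/+19 is fully accounted for by the hunks shown and none of them touches process_remove, so a restricted client is denied rename, rmdir, hardlink and setstat yet can still unlink any file it can write, and can emulate a rename with put followed by remove. If "basics" means get/put/readdir/readlink as the man page says, process_remove (outside these hunks) needs the same guard as the other handlers, `if (readonly || restrict_to_basics)` in place of `if (readonly)`; if deletion is deliberately allowed, that should be stated in the servconf.h comment and the sshd_config.5 entry so operators do not assume it is blocked. The user-facing text also lists only mkdir, rmdir, rename, symlink and setstat, while these hunks additionally deny fsetstat, posix-rename, hardlink, statvfs and fstatvfs; the documentation should enumerate exactly what is enforced. Presumably process_init still advertises the posix-rename, statvfs, fstatvfs and hardlink extensions when restricted, so clients only discover the restriction through SSH2_FX_PERMISSION_DENIED; that is workable but deserves a one-line comment next to the `restrict_to_basics` definition.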
(-)orig/openssh-5.9p1/sftp.h (-1 / +1 lines)
Lines 97-101 Link Here
97
97
98
struct passwd;
98
struct passwd;
99
99
100
int	sftp_server_main(int, char **, struct passwd *);
100
int	sftp_server_main(int, char **, struct passwd *, int);
101
void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
101
void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
(-)orig/openssh-5.9p1/sshd_config.0 (-2 / +7 lines)
Lines 408-415 Link Here
408
             KerberosAuthentication, MaxAuthTries, MaxSessions,
408
             KerberosAuthentication, MaxAuthTries, MaxSessions,
409
             PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
409
             PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
410
             PermitRootLogin, PermitTunnel, PubkeyAuthentication,
410
             PermitRootLogin, PermitTunnel, PubkeyAuthentication,
411
             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
411
             RestrictSFtpSysToBasics, RhostsRSAAuthentication, RSAAuthentication, 
412
             X11Forwarding and X11UseLocalHost.
412
             X11DisplayOffset, X11Forwarding and X11UseLocalHost.
413
413
414
     MaxAuthTries
414
     MaxAuthTries
415
             Specifies the maximum number of authentication attempts permitted
415
             Specifies the maximum number of authentication attempts permitted
Lines 517-522 Link Here
517
             default is ``yes''.  Note that this option applies to protocol
517
             default is ``yes''.  Note that this option applies to protocol
518
             version 2 only.
518
             version 2 only.
519
519
520
     RestrictSFtpSysToBasics
521
             Specifies that the internal SFTP subsystem should permit only
522
             basic commands like get, put, readdir, and readlink, and prohibit
523
             mkdir, rmdir, rename, symlink and setstat.  The default is ``no''.
524
520
     RevokedKeys
525
     RevokedKeys
521
             Specifies a list of revoked public keys.  Keys listed in this
526
             Specifies a list of revoked public keys.  Keys listed in this
522
             file will be refused for public key authentication.  Note that if
527
             file will be refused for public key authentication.  Note that if
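--- a/orig/openssh-5.9p1/sshd_config.5
+++ b/orig/openssh-5.9p1/sshd_config.5
@@ -724,6 +724,7 @@
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
+.Cm RestrictSFtpSysToBasics ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -915,6 +916,12 @@
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RestrictSFtpSysToBasics
+Specifies that the internal SFTP subsystem should permit only
+basic commands like get, put, readdir, and readlink, and prohibit
+mkdir, rmdir, rename, symlink and setstat.
+The default is
+.Dq no .
 .It Cm RevokedKeys
 Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.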
