

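--- a/openssh-5.9-orig/ssh/servconf.c
+++ b/openssh-5.9-orig/ssh/servconf.c
@@ -131,6 +131,7 @@
 	options->authorized_principals_file = NULL;
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
+	options->restrict_sftp_sys_to_basics = -1;
 }
 
 void
@@ -263,6 +264,8 @@
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
+	if (options->restrict_sftp_sys_to_basics == -1)
+		options->restrict_sftp_sys_to_basics = 0;
 
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
@@ -297,6 +300,7 @@
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sKexAlgorithms, sIPQoS,
+	sRestrictSftpSysToBasics,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -409,6 +413,7 @@
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
+	{ "restrictsftpsystobasics", sRestrictSftpSysToBasics, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1350,6 +1355,10 @@
 		}
 		break;
 
+	case sRestrictSftpSysToBasics:
+		intptr = &options->restrict_sftp_sys_to_basics;
+		goto parse_flag;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -1468,6 +1477,7 @@
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
+	M_CP_INTOPT(restrict_sftp_sys_to_basics);
 
 	/* See comment in servconf.h */
 	COPY_MATCH_STRING_OPTS();
@@ -1695,6 +1705,7 @@
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+	dump_cfg_fmtint(sRestrictSftpSysToBasics, o->restrict_sftp_sys_to_basics);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);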
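Review bot: The new `dump_cfg_fmtint` line in the 1695 hunk runs past 80 columns, which the rest of this file keeps to (compare the wrapped `logit(...)` call in the 1350 hunk); wrap it KNF-style as `dump_cfg_fmtint(sRestrictSftpSysToBasics,` / `    o->restrict_sftp_sys_to_basics);`. The same applies to the `exit(sftp_server_main(...))` line in session.c and to the new `sftp_server_main` signature and the new file-scope comment in sftp-server.c. The option is also spelled two ways across the patch, `sRestrictSftpSysToBasics` in the opcode and dump line here versus `RestrictSFtpSysToBasics` in the sftp-server.c comment and in sshd_config.5; keyword lookup is case-insensitive so only the manual spelling is user-visible, but a single spelling would make the feature greppable.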
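--- a/openssh-5.9-orig/ssh/servconf.h
+++ b/openssh-5.9-orig/ssh/servconf.h
@@ -164,6 +164,13 @@
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
 	char   *authorized_principals_file;
+	int	restrict_sftp_sys_to_basics; /*
+					* Internal sftp subsystem:
+					* Allow basic commands only
+					* (prohibit mkdir, rmdir, rename,
+					*  symlink, hardlink, setstat, statvfs,
+					*  and their variants)
+					*/
 }       ServerOptions;
 
 /*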
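Review bot: The new comment on `restrict_sftp_sys_to_basics` lists hardlink, statvfs and "their variants" as prohibited, while the sshd_config.5 text in this patch names only mkdir, rmdir, rename, symlink and setstat; the two lists should agree, and the manual is the one administrators act on. Nothing in the sftp-server.c section of this patch touches the remove request, so if unlink is intentionally still a "basic" operation the comment should say so, e.g. add `*  (remove and put/open-for-write stay permitted)` to the list. Without that, a reader of this header may assume the option yields a read-only-plus-listing mode, which it does not.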
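--- a/openssh-5.9-orig/ssh/session.c
+++ b/openssh-5.9-orig/ssh/session.c
@@ -1417,7 +1417,7 @@
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
-		exit(sftp_server_main(i, argv, s->pw));
+		exit(sftp_server_main(i, argv, s->pw, options.restrict_sftp_sys_to_basics));
 	}
 
 	fflush(NULL);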
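--- a/openssh-5.9-orig/ssh/sftp-server-main.c
+++ b/openssh-5.9-orig/ssh/sftp-server-main.c
@@ -45,5 +45,5 @@
 		return 1;
 	}
 
-	return (sftp_server_main(argc, argv, user_pw));
+	return (sftp_server_main(argc, argv, user_pw, 0));
 }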
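Review bot: The standalone binary always passes `0`, so restricted mode is reachable only through sshd's `internal-sftp` path in session.c and never through an external `Subsystem sftp /path/to/sftp-server` line; if that limitation is intended it deserves a comment here, e.g. `/* restricted mode is only selectable via sshd's internal subsystem */`. The file-scope `readonly` flag visible in the sftp-server.c hunks suggests sftp-server already takes a mode switch on its command line; a parallel switch for restricted mode would cover the external-subsystem case and would make the extra `sftp_server_main` parameter unnecessary. The enclosing `main` starts outside this hunk.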
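--- a/openssh-5.9-orig/ssh/sftp-server.c
+++ b/openssh-5.9-orig/ssh/sftp-server.c
@@ -54,6 +54,9 @@
 struct passwd *pw = NULL;
 char *client_addr = NULL;
 
+/* Only basic operations allowed for client; RestrictSFtpSysToBasics in config */
+int restrict_to_basics;
+
 /* input and output queue */
 Buffer iqueue;
 Buffer oqueue;
@@ -762,7 +765,7 @@
 	name = get_string(NULL);
 	a = get_attrib();
 	debug("request %u: setstat name \"%s\"", id, name);
-	if (readonly) {
+	if (readonly || restrict_to_basics) {
 		status = SSH2_FX_PERMISSION_DENIED;
 		a->flags = 0;
 	}
@@ -816,7 +819,7 @@
 	fd = handle_to_fd(handle);
 	if (fd < 0)
 		status = SSH2_FX_FAILURE;
-	else if (readonly)
+	else if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		char *name = handle_to_name(handle);
@@ -979,7 +982,7 @@
 	    a->perm & 07777 : 0777;
 	debug3("request %u: mkdir", id);
 	logit("mkdir name \"%s\" mode 0%o", name, mode);
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = mkdir(name, mode);
@@ -1000,7 +1003,7 @@
 	name = get_string(NULL);
 	debug3("request %u: rmdir", id);
 	logit("rmdir name \"%s\"", name);
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = rmdir(name);
@@ -1050,7 +1053,7 @@
 	debug3("request %u: rename", id);
 	logit("rename old \"%s\" new \"%s\"", oldpath, newpath);
 	status = SSH2_FX_FAILURE;
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else if (lstat(oldpath, &sb) == -1)
 		status = errno_to_portable(errno);
@@ -1129,7 +1132,7 @@
 	debug3("request %u: symlink", id);
 	logit("symlink old \"%s\" new \"%s\"", oldpath, newpath);
 	/* this will fail if 'newpath' exists */
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = symlink(oldpath, newpath);
@@ -1150,7 +1153,7 @@
 	newpath = get_string(NULL);
 	debug3("request %u: posix-rename", id);
 	logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath);
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = rename(oldpath, newpath);
@@ -1171,7 +1174,9 @@
 	debug3("request %u: statfs", id);
 	logit("statfs \"%s\"", path);
 
-	if (statvfs(path, &st) != 0)
+	if (restrict_to_basics)
+		send_status(id, SSH2_FX_PERMISSION_DENIED);
+	else if (statvfs(path, &st) != 0)
 		send_status(id, errno_to_portable(errno));
 	else
 		send_statvfs(id, &st);
@@ -1191,7 +1196,9 @@
 		send_status(id, SSH2_FX_FAILURE);
 		return;
 	}
-	if (fstatvfs(fd, &st) != 0)
+	if (restrict_to_basics)
+		send_status(id, SSH2_FX_PERMISSION_DENIED);
+	else if (fstatvfs(fd, &st) != 0)
 		send_status(id, errno_to_portable(errno));
 	else
 		send_statvfs(id, &st);
@@ -1207,7 +1214,7 @@
 	newpath = get_string(NULL);
 	debug3("request %u: hardlink", id);
 	logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath);
-	if (readonly)
+	if (readonly || restrict_to_basics)
 		status = SSH2_FX_PERMISSION_DENIED;
 	else {
 		ret = link(oldpath, newpath);
@@ -1368,7 +1375,7 @@
 }
 
 int
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int restrict_client_to_basics)
 {
 	fd_set *rset, *wset;
 	int in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1435,6 +1442,7 @@
 		client_addr = xstrdup("UNKNOWN");
 
 	pw = pwcopy(user_pw);
+	restrict_to_basics = restrict_client_to_basics;
 
 	logit("session opened for local user %s from [%s]",
 	    pw->pw_name, client_addr);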
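Review bot: The statvfs and fstatvfs hunks (1171, 1191) now refuse a query that `readonly` mode has always allowed, and nothing in either hunk says why a read-only filesystem query counts as non-basic; a one-line comment above each new check, e.g. `/* statvfs is not needed for get/put; refused in restricted mode */`, would keep the next maintainer from reverting it as an oversight. The `readonly || restrict_to_basics` test is now repeated in seven request handlers; a small `static int` helper such as `mode_denies_write(void)` returning that expression would keep future handlers consistent and give the policy one place to live. The body of `sftp_server_main` continues outside the last two hunks, so where the new global is first read relative to the request loop cannot be confirmed from here.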
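--- a/openssh-5.9-orig/ssh/sftp.h
+++ b/openssh-5.9-orig/ssh/sftp.h
@@ -97,5 +97,5 @@
 
 struct passwd;
 
-int	sftp_server_main(int, char **, struct passwd *);
+int	sftp_server_main(int, char **, struct passwd *, int);
 void	sftp_server_cleanup_exit(int) __attribute__((noreturn));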
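--- a/openssh-5.9-orig/ssh/sshd_config.5
+++ b/openssh-5.9-orig/ssh/sshd_config.5
@@ -725,6 +725,7 @@
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
+.Cm RestrictSFtpSysToBasics ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -916,6 +917,12 @@
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RestrictSFtpSysToBasics
+Specifies that the internal SFTP subsystem should permit only
+basic commands like get, put, readdir, and readlink, and prohibit
+mkdir, rmdir, rename, symlink and setstat.
+The default is
+.Dq no .
 .It Cm RevokedKeys
 Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.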
