Bugzilla – Attachment 2129 Details for
Bug 1979
Enhancement patch: Restrict sftp-server to basic commands, by user or group
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch versus 5.9
restrict-sftp-commands-59.patch (text/plain), 8.34 KB, created by
Jeremy Monin
on 2012-02-13 06:40:01 AEDT
(
hide
)
Description:
Patch versus 5.9
Filename:
MIME Type:
Creator:
Jeremy Monin
Created:
2012-02-13 06:40:01 AEDT
Size:
8.34 KB
patch
obsolete
>diff -ur openssh-5.9-orig/ssh/servconf.c openssh-5.9-jm/ssh/servconf.c >--- openssh-5.9-orig/ssh/servconf.c 2011-06-22 17:57:01.000000000 -0400 >+++ openssh-5.9-jm/ssh/servconf.c 2012-02-12 13:59:42.000000000 -0500 >@@ -131,6 +131,7 @@ > options->authorized_principals_file = NULL; > options->ip_qos_interactive = -1; > options->ip_qos_bulk = -1; >+ options->restrict_sftp_sys_to_basics = -1; > } > > void >@@ -263,6 +264,8 @@ > options->ip_qos_interactive = IPTOS_LOWDELAY; > if (options->ip_qos_bulk == -1) > options->ip_qos_bulk = IPTOS_THROUGHPUT; >+ if (options->restrict_sftp_sys_to_basics == -1) >+ options->restrict_sftp_sys_to_basics = 0; > > /* Turn privilege separation on by default */ > if (use_privsep == -1) >@@ -297,6 +300,7 @@ > sZeroKnowledgePasswordAuthentication, sHostCertificate, > sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, > sKexAlgorithms, sIPQoS, >+ sRestrictSftpSysToBasics, > sDeprecated, sUnsupported > } ServerOpCodes; > >@@ -409,6 +413,7 @@ > { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, > { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, > { "ipqos", sIPQoS, SSHCFG_ALL }, >+ { "restrictsftpsystobasics", sRestrictSftpSysToBasics, SSHCFG_ALL }, > { NULL, sBadOption, 0 } > }; > >@@ -1350,6 +1355,10 @@ > } > break; > >+ case sRestrictSftpSysToBasics: >+ intptr = &options->restrict_sftp_sys_to_basics; >+ goto parse_flag; >+ > case sDeprecated: > logit("%s line %d: Deprecated option %s", > filename, linenum, arg); >@@ -1468,6 +1477,7 @@ > M_CP_INTOPT(max_authtries); > M_CP_INTOPT(ip_qos_interactive); > M_CP_INTOPT(ip_qos_bulk); >+ M_CP_INTOPT(restrict_sftp_sys_to_basics); > > /* See comment in servconf.h */ > COPY_MATCH_STRING_OPTS(); >@@ -1695,6 +1705,7 @@ > dump_cfg_fmtint(sUseDNS, o->use_dns); > dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); > dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); >+ dump_cfg_fmtint(sRestrictSftpSysToBasics, o->restrict_sftp_sys_to_basics); > > /* string arguments */ > dump_cfg_string(sPidFile, o->pid_file); >diff -ur openssh-5.9-orig/ssh/servconf.h openssh-5.9-jm/ssh/servconf.h >--- openssh-5.9-orig/ssh/servconf.h 2011-06-22 17:57:01.000000000 -0400 >+++ openssh-5.9-jm/ssh/servconf.h 2012-02-12 13:59:42.000000000 -0500 >@@ -164,6 +164,13 @@ > char *revoked_keys_file; > char *trusted_user_ca_keys; > char *authorized_principals_file; >+ int restrict_sftp_sys_to_basics; /* >+ * Internal sftp subsystem: >+ * Allow basic commands only >+ * (prohibit mkdir, rmdir, rename, >+ * symlink, hardlink, setstat, statvfs, >+ * and their variants) >+ */ > } ServerOptions; > > /* >diff -ur openssh-5.9-orig/ssh/session.c openssh-5.9-jm/ssh/session.c >--- openssh-5.9-orig/ssh/session.c 2010-11-24 23:10:09.000000000 -0500 >+++ openssh-5.9-jm/ssh/session.c 2012-02-12 14:02:12.000000000 -0500 >@@ -1417,7 +1417,7 @@ > argv[i] = NULL; > optind = optreset = 1; > __progname = argv[0]; >- exit(sftp_server_main(i, argv, s->pw)); >+ exit(sftp_server_main(i, argv, s->pw, options.restrict_sftp_sys_to_basics)); > } > > fflush(NULL); >diff -ur openssh-5.9-orig/ssh/sftp-server-main.c openssh-5.9-jm/ssh/sftp-server-main.c >--- openssh-5.9-orig/ssh/sftp-server-main.c 2009-02-21 14:32:04.000000000 -0500 >+++ openssh-5.9-jm/ssh/sftp-server-main.c 2012-02-12 13:59:42.000000000 -0500 >@@ -45,5 +45,5 @@ > return 1; > } > >- return (sftp_server_main(argc, argv, user_pw)); >+ return (sftp_server_main(argc, argv, user_pw, 0)); > } >diff -ur openssh-5.9-orig/ssh/sftp-server.c openssh-5.9-jm/ssh/sftp-server.c >--- openssh-5.9-orig/ssh/sftp-server.c 2011-06-17 17:46:16.000000000 -0400 >+++ openssh-5.9-jm/ssh/sftp-server.c 2012-02-12 13:59:42.000000000 -0500 >@@ -54,6 +54,9 @@ > struct passwd *pw = NULL; > char *client_addr = NULL; > >+/* Only basic operations allowed for client; RestrictSFtpSysToBasics in config */ >+int restrict_to_basics; >+ > /* input and output queue */ > Buffer iqueue; > Buffer oqueue; >@@ -762,7 +765,7 @@ > name = get_string(NULL); > a = get_attrib(); > debug("request %u: setstat name \"%s\"", id, name); >- if (readonly) { >+ if (readonly || restrict_to_basics) { > status = SSH2_FX_PERMISSION_DENIED; > a->flags = 0; > } >@@ -816,7 +819,7 @@ > fd = handle_to_fd(handle); > if (fd < 0) > status = SSH2_FX_FAILURE; >- else if (readonly) >+ else if (readonly || restrict_to_basics) > status = SSH2_FX_PERMISSION_DENIED; > else { > char *name = handle_to_name(handle); >@@ -979,7 +982,7 @@ > a->perm & 07777 : 0777; > debug3("request %u: mkdir", id); > logit("mkdir name \"%s\" mode 0%o", name, mode); >- if (readonly) >+ if (readonly || restrict_to_basics) > status = SSH2_FX_PERMISSION_DENIED; > else { > ret = mkdir(name, mode); >@@ -1000,7 +1003,7 @@ > name = get_string(NULL); > debug3("request %u: rmdir", id); > logit("rmdir name \"%s\"", name); >- if (readonly) >+ if (readonly || restrict_to_basics) > status = SSH2_FX_PERMISSION_DENIED; > else { > ret = rmdir(name); >@@ -1050,7 +1053,7 @@ > debug3("request %u: rename", id); > logit("rename old \"%s\" new \"%s\"", oldpath, newpath); > status = SSH2_FX_FAILURE; >- if (readonly) >+ if (readonly || restrict_to_basics) > status = SSH2_FX_PERMISSION_DENIED; > else if (lstat(oldpath, &sb) == -1) > status = errno_to_portable(errno); >@@ -1129,7 +1132,7 @@ > debug3("request %u: symlink", id); > logit("symlink old \"%s\" new \"%s\"", oldpath, newpath); > /* this will fail if 'newpath' exists */ >- if (readonly) >+ if (readonly || restrict_to_basics) > status = SSH2_FX_PERMISSION_DENIED; > else { > ret = symlink(oldpath, newpath); >@@ -1150,7 +1153,7 @@ > newpath = get_string(NULL); > debug3("request %u: posix-rename", id); > logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath); >- if (readonly) >+ if (readonly || restrict_to_basics) > status = SSH2_FX_PERMISSION_DENIED; > else { > ret = rename(oldpath, newpath); >@@ -1171,7 +1174,9 @@ > debug3("request %u: statfs", id); > logit("statfs \"%s\"", path); > >- if (statvfs(path, &st) != 0) >+ if (restrict_to_basics) >+ send_status(id, SSH2_FX_PERMISSION_DENIED); >+ else if (statvfs(path, &st) != 0) > send_status(id, errno_to_portable(errno)); > else > send_statvfs(id, &st); >@@ -1191,7 +1196,9 @@ > send_status(id, SSH2_FX_FAILURE); > return; > } >- if (fstatvfs(fd, &st) != 0) >+ if (restrict_to_basics) >+ send_status(id, SSH2_FX_PERMISSION_DENIED); >+ else if (fstatvfs(fd, &st) != 0) > send_status(id, errno_to_portable(errno)); > else > send_statvfs(id, &st); >@@ -1207,7 +1214,7 @@ > newpath = get_string(NULL); > debug3("request %u: hardlink", id); > logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath); >- if (readonly) >+ if (readonly || restrict_to_basics) > status = SSH2_FX_PERMISSION_DENIED; > else { > ret = link(oldpath, newpath); >@@ -1368,7 +1375,7 @@ > } > > int >-sftp_server_main(int argc, char **argv, struct passwd *user_pw) >+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int restrict_client_to_basics) > { > fd_set *rset, *wset; > int in, out, max, ch, skipargs = 0, log_stderr = 0; >@@ -1435,6 +1442,7 @@ > client_addr = xstrdup("UNKNOWN"); > > pw = pwcopy(user_pw); >+ restrict_to_basics = restrict_client_to_basics; > > logit("session opened for local user %s from [%s]", > pw->pw_name, client_addr); >diff -ur openssh-5.9-orig/ssh/sftp.h openssh-5.9-jm/ssh/sftp.h >--- openssh-5.9-orig/ssh/sftp.h 2008-06-12 20:12:02.000000000 -0400 >+++ openssh-5.9-jm/ssh/sftp.h 2012-02-12 13:59:42.000000000 -0500 >@@ -97,5 +97,5 @@ > > struct passwd; > >-int sftp_server_main(int, char **, struct passwd *); >+int sftp_server_main(int, char **, struct passwd *, int); > void sftp_server_cleanup_exit(int) __attribute__((noreturn)); >diff -ur openssh-5.9-orig/ssh/sshd_config.5 openssh-5.9-jm/ssh/sshd_config.5 >--- openssh-5.9-orig/ssh/sshd_config.5 2011-08-01 21:22:11.000000000 -0400 >+++ openssh-5.9-jm/ssh/sshd_config.5 2012-02-12 14:00:52.000000000 -0500 >@@ -725,6 +725,7 @@ > .Cm PermitRootLogin , > .Cm PermitTunnel , > .Cm PubkeyAuthentication , >+.Cm RestrictSFtpSysToBasics , > .Cm RhostsRSAAuthentication , > .Cm RSAAuthentication , > .Cm X11DisplayOffset , >@@ -916,6 +917,12 @@ > The default is > .Dq yes . > Note that this option applies to protocol version 2 only. >+.It Cm RestrictSFtpSysToBasics >+Specifies that the internal SFTP subsystem should permit only >+basic commands like get, put, readdir, and readlink, and prohibit >+mkdir, rmdir, rename, symlink and setstat. >+The default is >+.Dq no . > .It Cm RevokedKeys > Specifies a list of revoked public keys. > Keys listed in this file will be refused for public key authentication.
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2129">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1979
:
2128
| 2129