Bugzilla – Attachment 2129 Details for
Bug 1979
Enhancement patch: Restrict sftp-server to basic commands, by user or group
[patch]
Patch versus 5.9
restrict-sftp-commands-59.patch (text/plain), 8.34 KB, created by
Jeremy Monin
on 2012-02-13 06:40:01 AEDT
Description:
Patch versus 5.9
Filename:
MIME Type:
Creator:
Jeremy Monin
Created:
2012-02-13 06:40:01 AEDT
Size:
8.34 KB
patch
obsolete
>diff -ur openssh-5.9-orig/ssh/servconf.c openssh-5.9-jm/ssh/servconf.c
>--- openssh-5.9-orig/ssh/servconf.c 2011-06-22 17:57:01.000000000 -0400
>+++ openssh-5.9-jm/ssh/servconf.c 2012-02-12 13:59:42.000000000 -0500
>@@ -131,6 +131,7 @@
> options->authorized_principals_file = NULL;
> options->ip_qos_interactive = -1;
> options->ip_qos_bulk = -1;
>+ options->restrict_sftp_sys_to_basics = -1;
> }
> 
> void
>@@ -263,6 +264,8 @@
> options->ip_qos_interactive = IPTOS_LOWDELAY;
> if (options->ip_qos_bulk == -1)
> options->ip_qos_bulk = IPTOS_THROUGHPUT;
>+ if (options->restrict_sftp_sys_to_basics == -1)
>+ options->restrict_sftp_sys_to_basics = 0;
> 
> /* Turn privilege separation on by default */
> if (use_privsep == -1)
>@@ -297,6 +300,7 @@
> sZeroKnowledgePasswordAuthentication, sHostCertificate,
> sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
> sKexAlgorithms, sIPQoS,
>+ sRestrictSftpSysToBasics,
> sDeprecated, sUnsupported
> } ServerOpCodes;
> 
>@@ -409,6 +413,7 @@
> { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
> { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
> { "ipqos", sIPQoS, SSHCFG_ALL },
>+ { "restrictsftpsystobasics", sRestrictSftpSysToBasics, SSHCFG_ALL },
> { NULL, sBadOption, 0 }
> };
> 
>@@ -1350,6 +1355,10 @@
> }
> break;
> 
>+ case sRestrictSftpSysToBasics:
>+ intptr = &options->restrict_sftp_sys_to_basics;
>+ goto parse_flag;
>+
> case sDeprecated:
> logit("%s line %d: Deprecated option %s",
> filename, linenum, arg);
>@@ -1468,6 +1477,7 @@
> M_CP_INTOPT(max_authtries);
> M_CP_INTOPT(ip_qos_interactive);
> M_CP_INTOPT(ip_qos_bulk);
>+ M_CP_INTOPT(restrict_sftp_sys_to_basics);
> 
> /* See comment in servconf.h */
> COPY_MATCH_STRING_OPTS();
>@@ -1695,6 +1705,7 @@
> dump_cfg_fmtint(sUseDNS, o->use_dns);
> dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
> dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
>+ dump_cfg_fmtint(sRestrictSftpSysToBasics, o->restrict_sftp_sys_to_basics);
> 
> /* string arguments */
> dump_cfg_string(sPidFile, o->pid_file);
>diff -ur openssh-5.9-orig/ssh/servconf.h openssh-5.9-jm/ssh/servconf.h
>--- openssh-5.9-orig/ssh/servconf.h 2011-06-22 17:57:01.000000000 -0400
>+++ openssh-5.9-jm/ssh/servconf.h 2012-02-12 13:59:42.000000000 -0500
>@@ -164,6 +164,13 @@
> char *revoked_keys_file;
> char *trusted_user_ca_keys;
> char *authorized_principals_file;
>+ int restrict_sftp_sys_to_basics; /*
>+ * Internal sftp subsystem:
>+ * Allow basic commands only
>+ * (prohibit mkdir, rmdir, rename,
>+ * symlink, hardlink, setstat, statvfs,
>+ * and their variants)
>+ */
> } ServerOptions;
> 
> /*
>diff -ur openssh-5.9-orig/ssh/session.c openssh-5.9-jm/ssh/session.c
>--- openssh-5.9-orig/ssh/session.c 2010-11-24 23:10:09.000000000 -0500
>+++ openssh-5.9-jm/ssh/session.c 2012-02-12 14:02:12.000000000 -0500
>@@ -1417,7 +1417,7 @@
> argv[i] = NULL;
> optind = optreset = 1;
> __progname = argv[0];
>- exit(sftp_server_main(i, argv, s->pw));
>+ exit(sftp_server_main(i, argv, s->pw, options.restrict_sftp_sys_to_basics));
> }
> 
> fflush(NULL);
>diff -ur openssh-5.9-orig/ssh/sftp-server-main.c openssh-5.9-jm/ssh/sftp-server-main.c
>--- openssh-5.9-orig/ssh/sftp-server-main.c 2009-02-21 14:32:04.000000000 -0500
>+++ openssh-5.9-jm/ssh/sftp-server-main.c 2012-02-12 13:59:42.000000000 -0500
>@@ -45,5 +45,5 @@
> return 1;
> }
> 
>- return (sftp_server_main(argc, argv, user_pw));
>+ return (sftp_server_main(argc, argv, user_pw, 0));
> }
>diff -ur openssh-5.9-orig/ssh/sftp-server.c openssh-5.9-jm/ssh/sftp-server.c
>--- openssh-5.9-orig/ssh/sftp-server.c 2011-06-17 17:46:16.000000000 -0400
>+++ openssh-5.9-jm/ssh/sftp-server.c 2012-02-12 13:59:42.000000000 -0500
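Review bot: The scope of the restriction is documented in two places that disagree: the struct comment on `restrict_sftp_sys_to_basics` in the servconf.h hunk lists hardlink, setstat, statvfs "and their variants", while the sshd_config.5 text in the last hunk of this patch names only mkdir, rmdir, rename, symlink and setstat, so an administrator reading the manual would not learn that posix-rename, hardlink, fsetstat, statvfs and fstatvfs are refused as well. Keep the struct comment as the authoritative list and bring the manual paragraph in line with it. It is also worth stating in both places that remove, and file creation or truncation through open, stay permitted under the restriction, since as far as the hunks here show neither handler is touched.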
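Review bot: The standalone binary passes a hard-coded `0` in the sftp-server-main.c hunk, so the new option only takes effect through the in-process call in the session.c hunk; a server configured with the external sftp-server binary still accepts `RestrictSFtpSysToBasics yes` in sshd_config (the keyword is registered SSHCFG_ALL) and enforces nothing, which is the kind of silently-inert hardening option that gets relied on. Either make the manual say plainly that the option applies to internal-sftp only, or add a command-line switch to sftp-server that sets the same flag, so that the `readonly` mode these hunks extend and the new restriction are reachable the same way in both deployments (I am assuming `readonly` is settable from sftp-server's own argv; the getopt code is outside this patch). The enclosing function in each of these two hunks continues outside the hunk.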
>@@ -54,6 +54,9 @@
> struct passwd *pw = NULL;
> char *client_addr = NULL;
> 
>+/* Only basic operations allowed for client; RestrictSFtpSysToBasics in config */
>+int restrict_to_basics;
>+
> /* input and output queue */
> Buffer iqueue;
> Buffer oqueue;
>@@ -762,7 +765,7 @@
> name = get_string(NULL);
> a = get_attrib();
> debug("request %u: setstat name \"%s\"", id, name);
>- if (readonly) {
>+ if (readonly || restrict_to_basics) {
> status = SSH2_FX_PERMISSION_DENIED;
> a->flags = 0;
> }
>@@ -816,7 +819,7 @@
> fd = handle_to_fd(handle);
> if (fd < 0)
> status = SSH2_FX_FAILURE;
>- else if (readonly)
>+ else if (readonly || restrict_to_basics)
> status = SSH2_FX_PERMISSION_DENIED;
> else {
> char *name = handle_to_name(handle);
>@@ -979,7 +982,7 @@
> a->perm & 07777 : 0777;
> debug3("request %u: mkdir", id);
> logit("mkdir name \"%s\" mode 0%o", name, mode);
>- if (readonly)
>+ if (readonly || restrict_to_basics)
> status = SSH2_FX_PERMISSION_DENIED;
> else {
> ret = mkdir(name, mode);
>@@ -1000,7 +1003,7 @@
> name = get_string(NULL);
> debug3("request %u: rmdir", id);
> logit("rmdir name \"%s\"", name);
>- if (readonly)
>+ if (readonly || restrict_to_basics)
> status = SSH2_FX_PERMISSION_DENIED;
> else {
> ret = rmdir(name);
>@@ -1050,7 +1053,7 @@
> debug3("request %u: rename", id);
> logit("rename old \"%s\" new \"%s\"", oldpath, newpath);
> status = SSH2_FX_FAILURE;
>- if (readonly)
>+ if (readonly || restrict_to_basics)
> status = SSH2_FX_PERMISSION_DENIED;
> else if (lstat(oldpath, &sb) == -1)
> status = errno_to_portable(errno);
>@@ -1129,7 +1132,7 @@
> debug3("request %u: symlink", id);
> logit("symlink old \"%s\" new \"%s\"", oldpath, newpath);
> /* this will fail if 'newpath' exists */
>- if (readonly)
>+ if (readonly || restrict_to_basics)
> status = SSH2_FX_PERMISSION_DENIED;
> else {
> ret = symlink(oldpath, newpath);
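Review bot: `int restrict_to_basics;` in the first hunk is a file-scope object that is written only from sftp_server_main and read by the request handlers, so it should be `static`; as written it is exported from the translation unit under a generic name and relies on implicit zero-initialization, which is correct but deserves a word. Suggest `static int restrict_to_basics = 0; /* set once in sftp_server_main(); non-basic requests get SSH2_FX_PERMISSION_DENIED */`. The comment above it promises that only basic operations are allowed, yet no hunk in this patch gates the remove handler, so a restricted client can still unlink files and can create or truncate them via open; if that is intentional (put is documented as basic) the comment should say so, and if not, remove needs the same `readonly || restrict_to_basics` check the rmdir hunk adds.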
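Review bot: The condition `readonly || restrict_to_basics` is now spelled out in eight handlers (setstat, fsetstat, mkdir, rmdir, rename and symlink on this line, posix-rename and hardlink on the next), while the statvfs and fstatvfs hunks test `restrict_to_basics` alone, so the next operation added to this file has to remember two spellings of the policy. A one-line predicate such as `static int write_denied(void) { return readonly || restrict_to_basics; }` used at every site keeps the policy in one place and makes the statvfs cases, which are read-only yet still refused under the restriction, stand out as the deliberate exception. Each of these handlers starts and ends outside its hunk.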
>@@ -1150,7 +1153,7 @@
> newpath = get_string(NULL);
> debug3("request %u: posix-rename", id);
> logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath);
>- if (readonly)
>+ if (readonly || restrict_to_basics)
> status = SSH2_FX_PERMISSION_DENIED;
> else {
> ret = rename(oldpath, newpath);
>@@ -1171,7 +1174,9 @@
> debug3("request %u: statfs", id);
> logit("statfs \"%s\"", path);
> 
>- if (statvfs(path, &st) != 0)
>+ if (restrict_to_basics)
>+ send_status(id, SSH2_FX_PERMISSION_DENIED);
>+ else if (statvfs(path, &st) != 0)
> send_status(id, errno_to_portable(errno));
> else
> send_statvfs(id, &st);
>@@ -1191,7 +1196,9 @@
> send_status(id, SSH2_FX_FAILURE);
> return;
> }
>- if (fstatvfs(fd, &st) != 0)
>+ if (restrict_to_basics)
>+ send_status(id, SSH2_FX_PERMISSION_DENIED);
>+ else if (fstatvfs(fd, &st) != 0)
> send_status(id, errno_to_portable(errno));
> else
> send_statvfs(id, &st);
>@@ -1207,7 +1214,7 @@
> newpath = get_string(NULL);
> debug3("request %u: hardlink", id);
> logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath);
>- if (readonly)
>+ if (readonly || restrict_to_basics)
> status = SSH2_FX_PERMISSION_DENIED;
> else {
> ret = link(oldpath, newpath);
>@@ -1368,7 +1375,7 @@
> }
> 
> int
>-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
>+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int restrict_client_to_basics)
> {
> fd_set *rset, *wset;
> int in, out, max, ch, skipargs = 0, log_stderr = 0;
>@@ -1435,6 +1442,7 @@
> client_addr = xstrdup("UNKNOWN");
> 
> pw = pwcopy(user_pw);
>+ restrict_to_basics = restrict_client_to_basics;
> 
> logit("session opened for local user %s from [%s]",
> pw->pw_name, client_addr);
>diff -ur openssh-5.9-orig/ssh/sftp.h openssh-5.9-jm/ssh/sftp.h
>--- openssh-5.9-orig/ssh/sftp.h 2008-06-12 20:12:02.000000000 -0400
>+++ openssh-5.9-jm/ssh/sftp.h 2012-02-12 13:59:42.000000000 -0500
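Review bot: The new definition line `sftp_server_main(int argc, char **argv, struct passwd *user_pw, int restrict_client_to_basics)` in the -1368 hunk runs well past the 80-column width the surrounding code keeps to; wrap it as `sftp_server_main(int argc, char **argv, struct passwd *user_pw,` followed by a continuation line `    int restrict_client_to_basics)`. A short comment on the parameter would also help the caller in session.c and sftp-server-main.c, e.g. `/* restrict_client_to_basics: non-zero refuses non-basic requests; copied to the file-scope flag below */`. The body of sftp_server_main continues outside this hunk and outside the -1435 hunk where the parameter is copied into the global.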
>@@ -97,5 +97,5 @@
> 
> struct passwd;
> 
>-int sftp_server_main(int, char **, struct passwd *);
>+int sftp_server_main(int, char **, struct passwd *, int);
> void sftp_server_cleanup_exit(int) __attribute__((noreturn));
>diff -ur openssh-5.9-orig/ssh/sshd_config.5 openssh-5.9-jm/ssh/sshd_config.5
>--- openssh-5.9-orig/ssh/sshd_config.5 2011-08-01 21:22:11.000000000 -0400
>+++ openssh-5.9-jm/ssh/sshd_config.5 2012-02-12 14:00:52.000000000 -0500
>@@ -725,6 +725,7 @@
> .Cm PermitRootLogin ,
> .Cm PermitTunnel ,
> .Cm PubkeyAuthentication ,
>+.Cm RestrictSFtpSysToBasics ,
> .Cm RhostsRSAAuthentication ,
> .Cm RSAAuthentication ,
> .Cm X11DisplayOffset ,
>@@ -916,6 +917,12 @@
> The default is
> .Dq yes .
> Note that this option applies to protocol version 2 only.
>+.It Cm RestrictSFtpSysToBasics
>+Specifies that the internal SFTP subsystem should permit only
>+basic commands like get, put, readdir, and readlink, and prohibit
>+mkdir, rmdir, rename, symlink and setstat.
>+The default is
>+.Dq no .
> .It Cm RevokedKeys
> Specifies a list of revoked public keys.
> Keys listed in this file will be refused for public key authentication.