|
Lines 160-165
login_cap_t *lc;
Link Here
|
| 160 |
#endif |
160 |
#endif |
| 161 |
|
161 |
|
| 162 |
static int is_child = 0; |
162 |
static int is_child = 0; |
|
|
163 |
static int in_chroot = 0; |
| 163 |
|
164 |
|
| 164 |
/* Name and directory of socket for authentication agent forwarding. */ |
165 |
/* Name and directory of socket for authentication agent forwarding. */ |
| 165 |
static char *auth_sock_name = NULL; |
166 |
static char *auth_sock_name = NULL; |
|
Lines 1490-1498
void
Link Here
|
| 1490 |
do_setusercontext(struct passwd *pw) |
1491 |
do_setusercontext(struct passwd *pw) |
| 1491 |
{ |
1492 |
{ |
| 1492 |
char *chroot_path, *tmp; |
1493 |
char *chroot_path, *tmp; |
| 1493 |
#ifdef USE_LIBIAF |
|
|
| 1494 |
int doing_chroot = 0; |
| 1495 |
#endif |
| 1496 |
|
1494 |
|
| 1497 |
platform_setusercontext(pw); |
1495 |
platform_setusercontext(pw); |
| 1498 |
|
1496 |
|
|
Lines 1520-1526
do_setusercontext(struct passwd *pw)
Link Here
|
| 1520 |
|
1518 |
|
| 1521 |
platform_setusercontext_post_groups(pw); |
1519 |
platform_setusercontext_post_groups(pw); |
| 1522 |
|
1520 |
|
| 1523 |
if (options.chroot_directory != NULL && |
1521 |
if (!in_chroot && options.chroot_directory != NULL && |
| 1524 |
strcasecmp(options.chroot_directory, "none") != 0) { |
1522 |
strcasecmp(options.chroot_directory, "none") != 0) { |
| 1525 |
tmp = tilde_expand_filename(options.chroot_directory, |
1523 |
tmp = tilde_expand_filename(options.chroot_directory, |
| 1526 |
pw->pw_uid); |
1524 |
pw->pw_uid); |
|
Lines 1532-1540
do_setusercontext(struct passwd *pw)
Link Here
|
| 1532 |
/* Make sure we don't attempt to chroot again */ |
1530 |
/* Make sure we don't attempt to chroot again */ |
| 1533 |
free(options.chroot_directory); |
1531 |
free(options.chroot_directory); |
| 1534 |
options.chroot_directory = NULL; |
1532 |
options.chroot_directory = NULL; |
| 1535 |
#ifdef USE_LIBIAF |
1533 |
in_chroot = 1; |
| 1536 |
doing_chroot = 1; |
|
|
| 1537 |
#endif |
| 1538 |
} |
1534 |
} |
| 1539 |
|
1535 |
|
| 1540 |
#ifdef HAVE_LOGIN_CAP |
1536 |
#ifdef HAVE_LOGIN_CAP |
|
Lines 1549-1564
do_setusercontext(struct passwd *pw)
Link Here
|
| 1549 |
(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); |
1545 |
(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); |
| 1550 |
#else |
1546 |
#else |
| 1551 |
# ifdef USE_LIBIAF |
1547 |
# ifdef USE_LIBIAF |
| 1552 |
/* In a chroot environment, the set_id() will always fail; typically |
1548 |
/* |
| 1553 |
* because of the lack of necessary authentication services and runtime |
1549 |
* In a chroot environment, the set_id() will always fail; |
| 1554 |
* such as ./usr/lib/libiaf.so, ./usr/lib/libpam.so.1, and ./etc/passwd |
1550 |
* typically because of the lack of necessary authentication |
| 1555 |
* We skip it in the internal sftp chroot case. |
1551 |
* services and runtime such as ./usr/lib/libiaf.so, |
| 1556 |
* We'll lose auditing and ACLs but permanently_set_uid will |
1552 |
* ./usr/lib/libpam.so.1, and ./etc/passwd We skip it in the |
| 1557 |
* take care of the rest. |
1553 |
* internal sftp chroot case. We'll lose auditing and ACLs but |
| 1558 |
*/ |
1554 |
* permanently_set_uid will take care of the rest. |
| 1559 |
if ((doing_chroot == 0) && set_id(pw->pw_name) != 0) { |
1555 |
*/ |
| 1560 |
fatal("set_id(%s) Failed", pw->pw_name); |
1556 |
if (!in_chroot && set_id(pw->pw_name) != 0) |
| 1561 |
} |
1557 |
fatal("set_id(%s) Failed", pw->pw_name); |
| 1562 |
# endif /* USE_LIBIAF */ |
1558 |
# endif /* USE_LIBIAF */ |
| 1563 |
/* Permanently switch to the desired uid. */ |
1559 |
/* Permanently switch to the desired uid. */ |
| 1564 |
permanently_set_uid(pw); |
1560 |
permanently_set_uid(pw); |
|
Lines 1790-1800
do_child(Session *s, const char *command)
Link Here
|
| 1790 |
#ifdef HAVE_LOGIN_CAP |
1786 |
#ifdef HAVE_LOGIN_CAP |
| 1791 |
r = login_getcapbool(lc, "requirehome", 0); |
1787 |
r = login_getcapbool(lc, "requirehome", 0); |
| 1792 |
#endif |
1788 |
#endif |
| 1793 |
if (r || options.chroot_directory == NULL || |
1789 |
if (r || !in_chroot) { |
| 1794 |
strcasecmp(options.chroot_directory, "none") == 0) |
|
|
| 1795 |
fprintf(stderr, "Could not chdir to home " |
1790 |
fprintf(stderr, "Could not chdir to home " |
| 1796 |
"directory %s: %s\n", pw->pw_dir, |
1791 |
"directory %s: %s\n", pw->pw_dir, |
| 1797 |
strerror(errno)); |
1792 |
strerror(errno)); |
|
|
1793 |
} |
| 1798 |
if (r) |
1794 |
if (r) |
| 1799 |
exit(1); |
1795 |
exit(1); |
| 1800 |
} |
1796 |
} |