Bugzilla – Attachment 683 Details for
Bug 177
provide chroot option for sftp-server
[patch]
Chroot patch for openssh-3.8p1
sshd.chroot.patch (text/plain), 3.94 KB, created by
Bill Swartz
on 2004-07-11 23:50:18 AEST
Description:
Chroot patch for openssh-3.8p1
Filename:
MIME Type:
Creator:
Bill Swartz
Created:
2004-07-11 23:50:18 AEST
Size:
3.94 KB
>*** servconf.c.old Sun Jul 11 08:18:35 2004
>--- servconf.c Fri Jul 9 00:26:00 2004
>***************
>*** 87,92 ****
>--- 87,93 ----
> options->num_deny_users = 0;
> options->num_allow_groups = 0;
> options->num_deny_groups = 0;
>+ options->num_chroot_users = 0;
> options->ciphers = NULL;
> options->macs = NULL;
> options->protocol = SSH_PROTO_UNKNOWN;
>***************
>*** 260,266 ****
> sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
> sStrictModes, sEmptyPasswd, sTCPKeepAlive,
> sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
>! sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
> sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
> sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
> sBanner, sUseDNS, sHostbasedAuthentication,
>--- 261,267 ----
> sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
> sStrictModes, sEmptyPasswd, sTCPKeepAlive,
> sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
>! sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sChRootUsers,
> sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
> sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
> sBanner, sUseDNS, sHostbasedAuthentication,
>***************
>*** 351,356 ****
>--- 352,358 ----
> { "denyusers", sDenyUsers },
> { "allowgroups", sAllowGroups },
> { "denygroups", sDenyGroups },
>+ { "chrootusers", sChRootUsers },
> { "ciphers", sCiphers },
> { "macs", sMacs },
> { "protocol", sProtocol },
>***************
>*** 786,791 ****
>--- 788,802 ----
> fatal("%s line %d: too many deny groups.",
> filename, linenum);
> options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
>+ }
>+ break;
>+
>+ case sChRootUsers:
>+ while ((arg = strdelim(&cp)) && *arg != '\0') {
>+ if (options->num_chroot_users >= MAX_CHROOT_USERS)
>+ fatal("%s line %d: too many chroot users.",
>+ filename, linenum);
>+ options->chroot_users[options->num_chroot_users++] = xstrdup(arg);
> }
> break;
>
>*** servconf.h.old Sun Jul 11 08:19:15 2004
>--- servconf.h Fri Jul 9 00:20:31 2004
>***************
>*** 24,29 ****
>--- 24,30 ----
> #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
> #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
> #define MAX_HOSTKEYS 256 /* Max # hostkeys. */
>+ #define MAX_CHROOT_USERS 256 /* Max # chroot users. */
>
> /* permit_root_login */
> #define PERMIT_NOT_SET -1
>***************
>*** 102,107 ****
>--- 103,110 ----
> char *allow_groups[MAX_ALLOW_GROUPS];
> u_int num_deny_groups;
> char *deny_groups[MAX_DENY_GROUPS];
>+ u_int num_chroot_users;
>+ char *chroot_users[MAX_CHROOT_USERS];
>
> u_int num_subsystems;
> char *subsystem_name[MAX_SUBSYSTEMS];
>*** session.c.old Sun Jul 11 08:19:38 2004
>--- session.c Sun Jul 11 01:14:43 2004
>***************
>*** 57,62 ****
>--- 57,63 ----
> #include "canohost.h"
> #include "session.h"
> #include "monitor_wrap.h"
>+ #include "match.h"
>
> #if defined(KRB5) && defined(USE_AFS)
> #include <kafs.h>
>***************
>*** 1270,1275 ****
>--- 1271,1294 ----
> exit(1);
> }
> endgrent();
>+
>+ /* If desired, chroot the user\'s home directory. */
>+ if (options.num_chroot_users > 0) {
>+ int i;
>+ const char *hostname = NULL, *ipaddr = NULL;
>+ hostname = get_canonical_hostname(options.use_dns);
>+ ipaddr = get_remote_ipaddr();
>+
>+ for (i = 0; i < options.num_chroot_users; i++)
>+ if (match_user(pw->pw_name, hostname, ipaddr,
>+ options.chroot_users[i])){
>+ if (chroot(pw->pw_dir) != 0)
>+ fatal("Couldn't chroot to user directory %s",
>+ pw->pw_dir);
>+ break;
>+ }
>+ }
>+
> # ifdef USE_PAM
> /*
> * PAM credentials may take the form of supplementary groups.
>***************
>*** 1478,1483 ****
>--- 1497,1503 ----
> s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
> }
> #endif
>+
>
> /* Change current directory to the user\'s home directory. */
> if (chdir(pw->pw_dir) < 0) {
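Review bot: In the session.c hunk at new lines 1271-1294, nothing moves the working directory inside the new root after `chroot(pw->pw_dir)` succeeds, so the process keeps a current directory outside the jail and relative lookups are not confined. Follow the call directly with `if (chdir("/") != 0) fatal("Couldn't chdir to / after chroot: %s", strerror(errno));`. The later `chdir(pw->pw_dir)` in the last session.c hunk is resolved inside the new root and will probably fail there, so it cannot be relied on for this. The target is also the user's own home directory, which is normally writable by that user; before chrooting I would expect a check that the directory and its parent components are root-owned and not group- or world-writable, since otherwise the contents of the jail are under the user's control. `i` should be declared `u_int` to match `num_chroot_users`, and because the enclosing function starts and ends outside the hunk, the position of this block relative to the uid switch cannot be confirmed from here.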
Attachments on
bug 177
:
683
|
1018
|
1156
|
1206
|
1277
|
1346