Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 23366 Details for
Bug 26615
OpenSSH Chroot Patch
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Another chroot patch for openssh 3.7.1p2
openssh-3.7-chroot.patch (text/plain), 11.21 KB, created by
Amir Guindehi (RETIRED)
on 2004-01-08 00:41:33 UTC
(
hide
)
Description:
Another chroot patch for openssh 3.7.1p2
Filename:
MIME Type:
Creator:
Amir Guindehi (RETIRED)
Created:
2004-01-08 00:41:33 UTC
Size:
11.21 KB
patch
obsolete
>--- openssh-3.7.1p2/auth.c.orig 2003-09-02 23:32:46.000000000 +0200 >+++ openssh-3.7.1p2/auth.c 2004-01-05 19:25:58.000000000 +0100 >@@ -397,6 +397,13 @@ > return expand_filename(options.authorized_keys_file2, pw); > } > >+char * >+chroot_dir(struct passwd *pw) >+{ >+ return expand_filename(options.chroot_dir, pw); >+} >+ >+ > /* return ok if key exists in sysfile or userfile */ > HostStatus > check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, >--- openssh-3.7.1p2/auth.h.orig 2003-09-03 04:11:30.000000000 +0200 >+++ openssh-3.7.1p2/auth.h 2004-01-05 19:25:58.000000000 +0100 >@@ -154,6 +154,7 @@ > char *expand_filename(const char *, struct passwd *); > char *authorized_keys_file(struct passwd *); > char *authorized_keys_file2(struct passwd *); >+char *chroot_dir(struct passwd *); > > int > secure_filename(FILE *, const char *, struct passwd *, char *, size_t); >--- openssh-3.7.1p2/configure.ac.orig 2003-09-23 11:24:21.000000000 +0200 >+++ openssh-3.7.1p2/configure.ac 2004-01-05 19:27:47.000000000 +0100 >@@ -882,6 +882,19 @@ > > AC_FUNC_GETPGRP > >+ >+CHROOT_MSG="no" >+AC_ARG_WITH(chroot, >+ [ --with-chroot Enable Chroot Support], >+ [ >+ CHROOT_MSG="yes" >+ ] >+) >+ >+if test "x$CHROOT_MSG" = "xyes"; then >+ AC_DEFINE(CHROOT,1, Define if you want to enable CHROOT support) >+fi >+ > # Check for PAM libs > PAM_MSG="no" > AC_ARG_WITH(pam, >@@ -2699,6 +2712,7 @@ > echo " Manpage format: $MANTYPE" > echo " DNS support: $DNS_MSG" > echo " PAM support: $PAM_MSG" >+echo " Chroot support: $CHROOT_MSG" > echo " KerberosV support: $KRB5_MSG" > echo " Smartcard support: $SCARD_MSG" > echo " S/KEY support: $SKEY_MSG" >--- openssh-3.7.1p2/loginrec.c.orig 2003-07-06 07:20:46.000000000 +0200 >+++ openssh-3.7.1p2/loginrec.c 2004-01-05 19:25:59.000000000 +0100 >@@ -1348,6 +1348,7 @@ > static int > syslogin_perform_logout(struct logininfo *li) > { >+# ifndef CHROOT > # ifdef HAVE_LOGOUT > char line[8]; > >@@ -1365,6 +1366,7 @@ > * routines are in libutil so they should all be there, > * but... */ > # endif >+# endif > return 1; > } > >--- openssh-3.7.1p2/servconf.h.orig 2003-09-02 14:58:22.000000000 +0200 >+++ openssh-3.7.1p2/servconf.h 2004-01-05 19:30:19.000000000 +0100 >@@ -20,6 +20,7 @@ > > #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ > #define MAX_DENY_USERS 256 /* Max # users on deny list. */ >+#define MAX_CHROOT_USERS 256 /* Max # of Chroot Users, fairly useless, no? */ > #define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */ > #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */ > #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ >@@ -96,6 +97,10 @@ > char *allow_users[MAX_ALLOW_USERS]; > u_int num_deny_users; > char *deny_users[MAX_DENY_USERS]; >+ u_int num_chroot_users; >+ char * chroot_users[MAX_CHROOT_USERS]; >+ u_int num_nochroot_users; >+ char * nochroot_users[MAX_CHROOT_USERS]; > u_int num_allow_groups; > char *allow_groups[MAX_ALLOW_GROUPS]; > u_int num_deny_groups; >@@ -122,6 +127,8 @@ > > char *authorized_keys_file; /* File containing public keys */ > char *authorized_keys_file2; >+ int chroot_all; >+ char *chroot_dir; > int use_pam; /* Enable auth via PAM */ > } ServerOptions; > >--- openssh-3.7.1p2/session.c.orig 2003-09-23 10:59:08.000000000 +0200 >+++ openssh-3.7.1p2/session.c 2004-01-05 19:36:21.000000000 +0100 >@@ -57,6 +57,12 @@ > #include "canohost.h" > #include "session.h" > #include "monitor_wrap.h" >+#include "match.h" >+#include "readconf.h" >+ >+#ifdef HAVE_CYGWIN >+#undef CHROOT >+#endif > > #ifdef GSSAPI > #include "ssh-gss.h" >@@ -85,6 +91,11 @@ > > static int session_pty_req(Session *); > >+#ifdef CHROOT >+int chroot_ok (struct passwd *pw); >+#endif >+ >+ > /* import */ > extern ServerOptions options; > extern char *__progname; >@@ -1227,10 +1238,49 @@ > } > } > >+#ifdef CHROOT >+int >+chroot_ok (struct passwd *pw) >+{ >+ int i,rv=0; >+ const char *hostname = NULL; >+ const char *ipaddr = NULL; >+ >+ hostname = get_canonical_hostname (options.use_dns); >+ ipaddr = get_remote_ipaddr (); >+ if (options.chroot_all == 1){ >+ rv = 1; >+ for (i = 0; i < options.num_nochroot_users; i++){ >+ if (match_user (pw->pw_name, hostname, ipaddr, options.nochroot_users[i])){ >+ debug ("Match found for %s@%s[%s]:%s", pw->pw_name, ipaddr, >+ hostname, options.nochroot_users[i]); >+ return 0; >+ } >+ } >+ } >+ else if (options.num_chroot_users > 0){ >+ for (i = 0; i < options.num_chroot_users; i++){ >+ if (match_user (pw->pw_name, hostname, ipaddr, options.chroot_users[i])){ >+ debug ("Match found for %s@%s[%s]:%s", pw->pw_name, ipaddr, >+ hostname, options.chroot_users[i]); >+ return 1; >+ } >+ } >+ } >+ debug ("No Match found for %s@%s[%s]", pw->pw_name, ipaddr, hostname); >+ return rv; >+} >+#endif >+ > /* Set login name, uid, gid, and groups. */ > void > do_setusercontext(struct passwd *pw) > { >+#ifdef CHROOT >+ char *new_home = NULL; >+ struct passwd *tpw; //After Chroot,chdir to the homedir >+ struct stat st_root; >+#endif > #ifndef HAVE_CYGWIN > if (getuid() == 0 || geteuid() == 0) > #endif /* HAVE_CYGWIN */ >@@ -1240,6 +1290,36 @@ > if (setpcred(pw->pw_name, (char **)NULL) == -1) > fatal("Failed to set process credentials"); > #endif /* HAVE_SETPCRED */ >+#ifdef CHROOT >+ if (chroot_ok (pw)) { >+ new_home = chroot_dir (pw); >+ debug ("My new home is '%s'", new_home); >+ if ((stat(new_home,&st_root)) != 0) { >+ fatal("can't stat %s: %s",new_home,strerror(errno)); >+ } >+ if (!S_ISDIR(st_root.st_mode)) { >+ fatal("%s not a directory",new_home); >+ } >+ if (st_root.st_uid != 0 || st_root.st_gid != 0) { >+ fatal("owner of %s is uid %d and gid %d, not root's uid or gid",new_home,st_root.st_uid,st_root.st_gid); >+ } >+ if (chdir (new_home) == -1) >+ fatal ("chdir to %s failed: %s", new_home, strerror (errno)); >+ if (chroot (new_home) == -1) { >+ fatal ("chroot to %s failed: %s", new_home, strerror (errno)); >+ } >+ else { >+ if (chdir ("/") == -1) >+ fatal ("chdir to %s failed: %s", "/", strerror (errno)); >+ //Post CHROOT, need to try and get a new homedir for user >+ tpw = getpwuid (pw->pw_uid); >+ pw->pw_dir = tpw->pw_dir; >+ debug ("New Home dir is %s", pw->pw_dir); >+ //Shouldn't this be freed @ somepoint? >+ } >+ xfree (new_home); >+ } >+#endif /* CHROOT */ > #ifdef HAVE_LOGIN_CAP > # ifdef __bsdi__ > setpgid(0, 0); >--- openssh-3.7.1p2/sshd_config.orig 2003-09-02 14:51:18.000000000 +0200 >+++ openssh-3.7.1p2/sshd_config 2004-01-05 19:25:59.000000000 +0100 >@@ -92,5 +92,13 @@ > # no default banner path > #Banner /some/path > >+#Chroot Additions >+#ChrootDir %h/chome/ >+#ChrootAll yes >+#List of Usernames space separated below, ignored if ChrootAll is set. >+#ChrootUsers >+#NoChrootUsers root >+ >+ > # override default of no subsystems > Subsystem sftp /usr/libexec/sftp-server >--- openssh-3.7.1p2/servconf.c.orig 2004-01-06 03:19:34.000000000 +0100 >+++ openssh-3.7.1p2/servconf.c 2004-01-06 03:20:31.000000000 +0100 >@@ -109,6 +109,8 @@ > options->num_deny_users = 0; > options->num_allow_groups = 0; > options->num_deny_groups = 0; >+ options->num_chroot_users = 0; >+ options->num_nochroot_users = 0; > options->ciphers = NULL; > options->macs = NULL; > options->protocol = SSH_PROTO_UNKNOWN; >@@ -123,6 +125,8 @@ > options->client_alive_count_max = -1; > options->authorized_keys_file = NULL; > options->authorized_keys_file2 = NULL; >+ options->chroot_dir = NULL; >+ options->chroot_all = 0; > options->x509rsasigtype = -1; > options->allowedcertpurpose = -1; > #ifndef SSH_X509STORE_DISABLED >@@ -255,7 +259,10 @@ > } > if (options->authorized_keys_file == NULL) > options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; >- >+ if (options->chroot_dir == NULL) >+ options->chroot_dir = _SSH_USER_CHROOT_DIR; >+ if (options->chroot_all == -1 ) >+ options->chroot_dir = NULL; > if (options->x509rsasigtype == -1) > options->x509rsasigtype = SSH_X509RSA_MD5; > options->x509rsasigtype = ssh_x509rsasig(options->x509rsasigtype); >@@ -304,12 +311,12 @@ > sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, > sStrictModes, sEmptyPasswd, sKeepAlives, > sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, >- sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, >+ sAllowUsers, sDenyUsers, sChrootUsers, sNoChrootUsers, sAllowGroups, sDenyGroups, > sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, > sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, > sBanner, sUseDNS, sHostbasedAuthentication, > sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, >- sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, >+ sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sChrootDir,sChrootAll, > sGssAuthentication, sGssCleanupCreds, > sUsePrivilegeSeparation, > sX509rsaSigType, >@@ -390,6 +397,8 @@ > { "allowtcpforwarding", sAllowTcpForwarding }, > { "allowusers", sAllowUsers }, > { "denyusers", sDenyUsers }, >+ { "chrootusers", sChrootUsers }, >+ { "nochrootusers", sNoChrootUsers }, > { "allowgroups", sAllowGroups }, > { "denygroups", sDenyGroups }, > { "ciphers", sCiphers }, >@@ -406,6 +415,8 @@ > { "clientalivecountmax", sClientAliveCountMax }, > { "authorizedkeysfile", sAuthorizedKeysFile }, > { "authorizedkeysfile2", sAuthorizedKeysFile2 }, >+ { "chrootdir", sChrootDir }, >+ { "chrootall", sChrootAll }, > { "useprivilegeseparation", sUsePrivilegeSeparation}, > { "x509rsasigtype", sX509rsaSigType }, > { "allowedcertpurpose", sAllowedClientCertPurpose }, >@@ -813,6 +824,24 @@ > } > break; > >+ case sChrootUsers: >+ while ((arg = strdelim(&cp)) && *arg != '\0') { >+ if (options->num_chroot_users >= MAX_CHROOT_USERS) >+ fatal( "%s line %d: too many chroot users.", >+ filename, linenum); >+ options->chroot_users[options->num_chroot_users++] = >+ xstrdup(arg); >+ } >+ break; >+ case sNoChrootUsers: >+ while ((arg = strdelim(&cp)) && *arg != '\0') { >+ if (options->num_nochroot_users >= MAX_CHROOT_USERS) >+ fatal( "%s line %d: too many NonChroot'ed users.", >+ filename, linenum); >+ options->nochroot_users[options->num_nochroot_users++] = >+ xstrdup(arg); >+ } >+ break; > case sAllowGroups: > while ((arg = strdelim(&cp)) && *arg != '\0') { > if (options->num_allow_groups >= MAX_ALLOW_GROUPS) >@@ -927,6 +956,13 @@ > &options->authorized_keys_file2; > goto parse_filename; > >+ case sChrootDir: >+ charptr = &options->chroot_dir; >+ goto parse_filename; >+ case sChrootAll: >+ intptr = &options->chroot_all; >+ goto parse_flag; >+ > case sClientAliveInterval: > intptr = &options->client_alive_interval; > goto parse_time; >--- openssh-3.7.1p2/pathnames.h.orig 2004-01-06 03:09:10.000000000 +0100 >+++ openssh-3.7.1p2/pathnames.h 2004-01-06 03:10:46.000000000 +0100 >@@ -120,6 +120,9 @@ > /* backward compat for protocol v2 */ > #define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" > >+/* default user chroot dir */ >+#define _SSH_USER_CHROOT_DIR "chome" >+ > /* > * Per-user and system-wide ssh "rc" files. These files are executed with > * /bin/sh before starting the shell or command if they exist. They will be
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 26615
:
20889
|
20890
| 23366 |
28499