Updated
This commit is contained in:
parent
1d2723f556
commit
dd034dad94
@ -5,130 +5,57 @@ A patch to cause sshd to chroot when it encounters the magic token
|
||||||
token is the directory to chroot() to, the portion after the
|
token is the directory to chroot() to, the portion after the
|
||||||
token is the user's home directory relative to the new root.
|
token is the user's home directory relative to the new root.
|
||||||
|
|
||||||
|
Index: session.c
|
||||||
|
===================================================================
|
||||||
diff -ruN openssh-1.2.3pre2-orig/acconfig.h openssh-1.2.3pre2/acconfig.h
|
RCS file: /var/cvs/openssh/session.c,v
|
||||||
--- openssh-1.2.3pre2-orig/acconfig.h Sat Mar 11 20:45:40 2000
|
retrieving revision 1.4
|
||||||
+++ openssh-1.2.3pre2/acconfig.h Wed Mar 15 11:44:33 2000
|
diff -u -r1.4 session.c
|
||||||
@@ -159,6 +159,9 @@
|
--- session.c 2000/04/16 02:31:51 1.4
|
||||||
/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
|
+++ session.c 2000/04/16 02:47:55
|
||||||
#undef IPV4_IN_IPV6
|
@@ -27,6 +27,8 @@
|
||||||
|
#include "ssh2.h"
|
||||||
|
#include "auth.h"
|
||||||
|
|
||||||
+/* Define if you want to enable chrooted users */
|
+#define CHROOT
|
||||||
+#undef CHROOT
|
|
||||||
+
|
+
|
||||||
@BOTTOM@
|
/* types */
|
||||||
|
|
||||||
/* ******************* Shouldn't need to edit below this line ************** */
|
#define TTYSZ 64
|
||||||
diff -ruN openssh-1.2.3pre2-orig/config.h.in openssh-1.2.3pre2/config.h.in
|
@@ -783,6 +785,10 @@
|
||||||
--- openssh-1.2.3pre2-orig/config.h.in Wed Mar 15 11:51:02 2000
|
|
||||||
+++ openssh-1.2.3pre2/config.h.in Wed Mar 15 11:46:33 2000
|
|
||||||
@@ -140,6 +140,9 @@
|
|
||||||
/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
|
|
||||||
#undef IPV4_IN_IPV6
|
|
||||||
|
|
||||||
+/* Define if you want to enable chrooted users */
|
|
||||||
+#undef CHROOT
|
|
||||||
+
|
|
||||||
/* The number of bytes in a char. */
|
|
||||||
#undef SIZEOF_CHAR
|
|
||||||
|
|
||||||
diff -ruN openssh-1.2.3pre2-orig/configure openssh-1.2.3pre2/configure
|
|
||||||
--- openssh-1.2.3pre2-orig/configure Wed Mar 15 11:51:03 2000
|
|
||||||
+++ openssh-1.2.3pre2/configure Wed Mar 15 11:46:34 2000
|
|
||||||
@@ -52,6 +52,8 @@
|
|
||||||
ac_help="$ac_help
|
|
||||||
--with-4in6 Check for and convert IPv4 in IPv6 mapped addresses"
|
|
||||||
ac_help="$ac_help
|
|
||||||
+ --with-chroot Enable chroot using /./ directory token"
|
|
||||||
+ac_help="$ac_help
|
|
||||||
--with-pid-dir=PATH Specify location of ssh.pid file"
|
|
||||||
|
|
||||||
# Initialize some variables set by options.
|
|
||||||
@@ -3605,6 +3607,22 @@
|
|
||||||
|
|
||||||
else
|
|
||||||
echo "$ac_t""no (default)" 1>&6
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+# Whether to enable the magic chroot token
|
|
||||||
+# Check whether --with-chroot or --without-chroot was given.
|
|
||||||
+if test "${with_chroot+set}" = set; then
|
|
||||||
+ withval="$with_chroot"
|
|
||||||
+
|
|
||||||
+ if test "x$withval" != "xno" ; then
|
|
||||||
+ cat >> confdefs.h <<\EOF
|
|
||||||
+#define CHROOT 1
|
|
||||||
+EOF
|
|
||||||
+
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
diff -ruN openssh-1.2.3pre2-orig/configure.in openssh-1.2.3pre2/configure.in
|
|
||||||
--- openssh-1.2.3pre2-orig/configure.in Sat Mar 11 20:45:41 2000
|
|
||||||
+++ openssh-1.2.3pre2/configure.in Wed Mar 15 11:46:04 2000
|
|
||||||
@@ -810,6 +810,16 @@
|
|
||||||
]
|
|
||||||
)
|
|
||||||
|
|
||||||
+# Whether to enable the magic chroot token
|
|
||||||
+AC_ARG_WITH(chroot,
|
|
||||||
+ [ --with-chroot Enable chroot using /./ directory token],
|
|
||||||
+ [
|
|
||||||
+ if test "x$withval" != "xno" ; then
|
|
||||||
+ AC_DEFINE(CHROOT)
|
|
||||||
+ fi
|
|
||||||
+ ]
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
# Where to place sshd.pid
|
|
||||||
piddir=/var/run
|
|
||||||
AC_ARG_WITH(pid-dir,
|
|
||||||
diff -ruN openssh-1.2.3pre2-orig/sshd.c openssh-1.2.3pre2/sshd.c
|
|
||||||
--- openssh-1.2.3pre2-orig/sshd.c Sat Mar 11 11:58:29 2000
|
|
||||||
+++ openssh-1.2.3pre2/sshd.c Wed Mar 15 11:43:38 2000
|
|
||||||
@@ -2365,6 +2365,10 @@
|
|
||||||
extern char **environ;
|
extern char **environ;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
char *argv[10];
|
char *argv[10];
|
||||||
+#ifdef CHROOT /* patch by rmcc */
|
+#ifdef CHROOT
|
||||||
+ char *user_dir;
|
+ char *user_dir;
|
||||||
+ char *new_root;
|
+ char *new_root;
|
||||||
+#endif /* CHROOT */
|
+#endif /* CHROOT */
|
||||||
|
|
||||||
#ifndef USE_PAM /* pam_nologin handles this */
|
#ifndef USE_PAM /* pam_nologin handles this */
|
||||||
/* Check /etc/nologin. */
|
f = fopen("/etc/nologin", "r");
|
||||||
@@ -2422,6 +2426,29 @@
|
@@ -799,6 +805,26 @@
|
||||||
krb_afslog(0, 0);
|
/* Set login name in the kernel. */
|
||||||
}
|
if (setlogin(pw->pw_name) < 0)
|
||||||
#endif /* AFS */
|
error("setlogin failed: %s", strerror(errno));
|
||||||
+
|
+
|
||||||
+#ifdef CHROOT /* patch by rmcc */
|
+#ifdef CHROOT
|
||||||
|
+ user_dir = xstrdup(pw->pw_dir);
|
||||||
|
+ new_root = user_dir + 1;
|
||||||
+
|
+
|
||||||
+ user_dir = xstrdup(pw->pw_dir);
|
+ while((new_root = strchr(new_root, '.')) != NULL) {
|
||||||
+ new_root = user_dir;
|
+ new_root--;
|
||||||
+
|
+ if(strncmp(new_root, "/./", 3) == 0) {
|
||||||
+ while((new_root = strchr(new_root, '.')) != NULL){
|
+ *new_root = '\0';
|
||||||
+ new_root--;
|
+ new_root += 2;
|
||||||
+ if(strncmp(new_root, "/./", 3) == 0){
|
|
||||||
+ *new_root = 0;
|
|
||||||
+ new_root += 2;
|
|
||||||
+ if(chroot(user_dir) != 0){
|
|
||||||
+ printf("Couldn't chroot!\n");
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
+ pw->pw_dir = new_root;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ new_root +=2;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
|
+ if(chroot(user_dir) != 0)
|
||||||
|
+ fatal("Couldn't chroot to user directory %s", user_dir);
|
||||||
+
|
+
|
||||||
|
+ pw->pw_dir = new_root;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ new_root += 2;
|
||||||
|
+ }
|
||||||
+#endif /* CHROOT */
|
+#endif /* CHROOT */
|
||||||
|
|
||||||
/* Initialize the environment. */
|
/* Set uid, gid, and groups. */
|
||||||
envsize = 100;
|
/* Login(1) does this as well, and it needs uid 0 for the "-h"
|
||||||
|
|
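Review bot: The chroot() added on the new side of the sshd.c hunk (right column, after the `/./` token is found) is not followed by a chdir(), so the process keeps a working directory that lies outside the new root until some later directory change, which is not visible in this hunk and may itself fail; the usual idiom is to change directory in the same step. I would fold it into the existing check: `if (chroot(user_dir) != 0 || chdir("/") != 0)` / `fatal("Couldn't chroot to user directory %s", user_dir);`. A smaller point: when pw_dir starts with the token itself (e.g. `/./home`), `*new_root = '\0'` turns user_dir into the empty string and chroot("") fails, so a comment such as `/* token must follow a real directory; a leading "/./" yields chroot("") */` would document that limitation. The enclosing function of this block starts and ends outside the hunk.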