chroot.diff
Ricardo Cerqueira
rmcc at novis.pt
Thu Jan 4 06:32:57 EST 2001
Hi there, everyone;
I've had a few requests for an updated version of my chroot patch. (the
version found in contrib is outdated)
So, here it goes, updated to 2.3.0p1; "chroot.diff" is a plain diff for
session.c (apply, compile and go). "chroot+configure.diff" is the same
patch, plus an option to "configure" for enabling/disabling chroot support
(./configure --with-chroot). If you use this one, please run autoconf after
applying the patch to generate a fresh "configure" script.
RC
--
+-------------------
| Ricardo Cerqueira
| PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42
| Novis Telecom - Engenharia ISP / Rede Técnica
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 2 1010 0000 - Fax: +351 2 1010 4459
-------------- next part --------------
--- openssh-2.3.0p1/session.c Sat Oct 28 04:19:58 2000
+++ openssh-2.3.0p1-chroot/session.c Wed Jan 3 19:29:11 2001
@@ -159,6 +159,8 @@
static login_cap_t *lc;
#endif
+#define CHROOT
+
/*
* Remove local Xauthority file.
*/
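Review bot: `#define CHROOT` is unconditional here, so every build of this plain-diff variant honours the `/./` token in a home directory path and the `#ifdef CHROOT` guards in the later hunks can never be off; an administrator has no way to disable the behaviour short of editing session.c. A one-line comment would make that deliberate: `#define CHROOT /* always on in the plain diff; the configure variant sets this via --with-chroot */`. If the intent is to let a build system override it, `#ifndef CHROOT` around the define would allow that without changing the default.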
@@ -1011,6 +1013,10 @@
extern char **environ;
struct stat st;
char *argv[10];
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
#ifdef WITH_IRIX_PROJECT
prid_t projid;
#endif /* WITH_IRIX_PROJECT */
@@ -1076,6 +1082,26 @@
# else /* HAVE_LOGIN_CAP */
if (setlogin(pw->pw_name) < 0)
error("setlogin failed: %s", strerror(errno));
+# ifdef CHROOT
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
+ while((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
+ if(strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
+ if(chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user directory %s", user_dir);
+
+ pw->pw_dir = new_root;
+ break;
+ }
+ new_root += 2;
+ }
+# endif /* CHROOT */
+
if (setgid(pw->pw_gid) < 0) {
perror("setgid");
exit(1);
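Review bot: `if(chroot(user_dir) != 0)` is not followed by a `chdir`, so once the root has changed the child keeps whatever working directory it inherited from sshd, which is not guaranteed to lie inside the new root; add `if (chdir("/") != 0) fatal("Couldn't chdir to new root %s", user_dir);` right after the chroot check and before `pw->pw_dir = new_root;`, rather than relying on a later chdir to the home directory (outside this hunk, if present) to close that window. The scan starts at `user_dir + 1`, which reads past the terminator if `pw->pw_dir` is ever the empty string; wrap the loop in `if (*user_dir != '\0')` (starting at `user_dir` instead would let `new_root--` step before the buffer). The ordering itself is right: the chroot runs while the process is still privileged, before the `setgid` that follows. The same hunk appears again at `@@ -1076,6 +1080,26 @@` in the second session.c diff, and the enclosing function starts and ends outside the hunk.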
@@ -1122,7 +1148,6 @@
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
#endif
-
#ifdef AFS
/* Try to get AFS tokens for the local cell. */
if (k_hasafs()) {
-------------- next part --------------
diff -u openssh-2.3.0p1/acconfig.h openssh-2.3.0p1-chroot/acconfig.h
--- openssh-2.3.0p1/acconfig.h Wed Oct 18 14:11:44 2000
+++ openssh-2.3.0p1-chroot/acconfig.h Wed Jan 3 19:23:48 2001
@@ -199,6 +199,9 @@
/* Define if you want to allow MD5 passwords */
#undef HAVE_MD5_PASSWORDS
+/* Define if you want to use chrooting when a magic token is found */
+#undef CHROOT
+
/* Define if you want to disable shadow passwords */
#undef DISABLE_SHADOW
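Review bot: The comment `/* Define if you want to use chrooting when a magic token is found */` never says what the token is or where it is looked for, so a reader of config.h cannot tell which accounts will be affected; the session.c hunk matches `/./` inside `pw->pw_dir` and chroots to the part before it. Suggest `/* Define to chroot a user to the part of pw_dir before a "/./" token (for example /chroot/./home/user) */`. The `--with-chroot` help string in the configure.in hunk (`@@ -1156,6 +1156,18 @@`) has the same gap and could carry the same wording.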
Only in openssh-2.3.0p1-chroot/: acconfig.h~
diff -u openssh-2.3.0p1/config.h.in openssh-2.3.0p1-chroot/config.h.in
--- openssh-2.3.0p1/config.h.in Mon Nov 6 03:25:18 2000
+++ openssh-2.3.0p1-chroot/config.h.in Wed Jan 3 19:23:48 2001
@@ -198,6 +198,9 @@
/* Define if you want to allow MD5 passwords */
#undef HAVE_MD5_PASSWORDS
+/* Define if you want to use chrooting when a magic token is found */
+#undef CHROOT
+
/* Define if you want to disable shadow passwords */
#undef DISABLE_SHADOW
Only in openssh-2.3.0p1-chroot/: config.h.in~
diff -u openssh-2.3.0p1/configure openssh-2.3.0p1-chroot/configure
--- openssh-2.3.0p1/configure Mon Nov 6 03:25:18 2000
+++ openssh-2.3.0p1-chroot/configure Wed Jan 3 19:23:50 2001
@@ -42,6 +42,8 @@
ac_help="$ac_help
--with-md5-passwords Enable use of MD5 passwords"
ac_help="$ac_help
+ --with-chroot Enable user chrooting through magic token"
+ac_help="$ac_help
--without-shadow Disable shadow password support"
ac_help="$ac_help
--with-ipaddr-display Use ip address instead of hostname in \$DISPLAY"
@@ -3065,7 +3067,7 @@
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 3069 "configure"
+#line 3071 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
@@ -3694,7 +3696,7 @@
u_int64_t a; a = 1;
; return 0; }
EOF
-if { (eval echo configure:3698: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3700: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_have_u_int64_t="yes"
else
@@ -6396,6 +6398,24 @@
fi
+# Check whether to enable chrooting
+CHROOT_MSG="no"
+# Check whether --with-chroot or --without-chroot was given.
+if test "${with_chroot+set}" = set; then
+ withval="$with_chroot"
+
+ if test "x$withval" != "xno" ; then
+ cat >> confdefs.h <<\EOF
+#define CHROOT 1
+EOF
+
+ CHROOT_MSG="yes"
+ fi
+
+
+fi
+
+
# Whether to disable shadow password support
# Check whether --with-shadow or --without-shadow was given.
if test "${with_shadow+set}" = set; then
@@ -7521,6 +7541,7 @@
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
+echo " Magic token chroot support: $CHROOT_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Use IPv4 by default hack: $IPV4_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
diff -u openssh-2.3.0p1/configure.in openssh-2.3.0p1-chroot/configure.in
--- openssh-2.3.0p1/configure.in Sun Nov 5 09:08:45 2000
+++ openssh-2.3.0p1-chroot/configure.in Wed Jan 3 19:23:50 2001
@@ -1156,6 +1156,18 @@
]
)
+# Check whether to enable chrooting
+CHROOT_MSG="no"
+AC_ARG_WITH(chroot,
+ [ --with-chroot Enable user chrooting through magic token],
+ [
+ if test "x$withval" != "xno" ; then
+ AC_DEFINE(CHROOT)
+ CHROOT_MSG="yes"
+ fi
+ ]
+)
+
# Whether to disable shadow password support
AC_ARG_WITH(shadow,
[ --without-shadow Disable shadow password support],
@@ -1568,6 +1580,7 @@
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
+echo " Magic token chroot support: $CHROOT_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Use IPv4 by default hack: $IPV4_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
Only in openssh-2.3.0p1-chroot/: configure.in~
Only in openssh-2.3.0p1-chroot/: configure~
Common subdirectories: openssh-2.3.0p1/contrib and openssh-2.3.0p1-chroot/contrib
diff -u openssh-2.3.0p1/session.c openssh-2.3.0p1-chroot/session.c
--- openssh-2.3.0p1/session.c Sat Oct 28 04:19:58 2000
+++ openssh-2.3.0p1-chroot/session.c Wed Jan 3 19:23:50 2001
@@ -1011,6 +1011,10 @@
extern char **environ;
struct stat st;
char *argv[10];
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
#ifdef WITH_IRIX_PROJECT
prid_t projid;
#endif /* WITH_IRIX_PROJECT */
@@ -1076,6 +1080,26 @@
# else /* HAVE_LOGIN_CAP */
if (setlogin(pw->pw_name) < 0)
error("setlogin failed: %s", strerror(errno));
+# ifdef CHROOT
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
+ while((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
+ if(strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
+ if(chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user directory %s", user_dir);
+
+ pw->pw_dir = new_root;
+ break;
+ }
+ new_root += 2;
+ }
+# endif /* CHROOT */
+
if (setgid(pw->pw_gid) < 0) {
perror("setgid");
exit(1);
@@ -1122,7 +1146,6 @@
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
#endif
-
#ifdef AFS
/* Try to get AFS tokens for the local cell. */
if (k_hasafs()) {
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 524 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010103/6eeed9e6/attachment.bin