Chroot patch (v3.4p1)
John Furman
john at venus.ark.com
Thu Jul 4 10:47:44 EST 2002
The following is a patch I've been working on to support a "ChrootUser"
option in the sshd_config file.
I was looking for a way to offer sftp access and at the same time restrict
interactive shell access. This patch is a necessary first step (IMO).
It applies clean with 'patch -l'.
Also attached is a shell script that helps to build a chrooted home dir on
a RedHat 7.2 box.
(I would appreciate some feedback from a core developer as to whether
this looks to be a useful approach or not.)
--- openssh-3.4p1.vanilla/servconf.c Mon Jun 24 23:22:04 2002
+++ openssh-3.4p1/servconf.c Wed Jul 3 11:23:26 2002
@@ -292,7 +292,7 @@
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sStrictModes, sEmptyPasswd, sKeepAlives,
sUseLogin, sAllowTcpForwarding, sCompression,
- sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+ sAllowUsers, sDenyUsers, sChrootUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
@@ -360,6 +360,7 @@
{ "allowtcpforwarding", sAllowTcpForwarding },
{ "allowusers", sAllowUsers },
{ "denyusers", sDenyUsers },
+ { "chrootusers", sChrootUsers },
{ "allowgroups", sAllowGroups },
{ "denygroups", sDenyGroups },
{ "ciphers", sCiphers },
@@ -779,6 +780,16 @@
}
break;
+ case sChrootUsers:
+ while ((arg = strdelim(&cp)) && *arg != '\0') {
+ if (options->num_chroot_users >= MAX_CHROOT_USERS)
+ fatal( "%s line %d: too many chroot users.",
+ filename, linenum);
+ options->chroot_users[options->num_chroot_users++] =
+ xstrdup(arg);
+ }
+ break;
+
case sAllowGroups:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
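Review bot: The keyword is registered as `chrootusers` and parsed as a pattern list in the same way as `allowusers`, but the cover text calls the option ChrootUser and the patch carries no sshd_config(5) hunk describing the keyword, its pattern syntax, or the fact that a matching user is chroot()ed into the home directory before privileges are dropped. Add the manual entry alongside this parser case so the behaviour is discoverable from the documentation rather than from session.c. The stray space in `fatal( "%s line %d: too many chroot users."` could also be dropped to match the neighbouring cases. The enclosing switch begins and ends outside this hunk.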
--- openssh-3.4p1.vanilla/servconf.h Thu Jun 20 21:09:47 2002
+++ openssh-3.4p1/servconf.h Wed Jul 3 11:23:26 2002
@@ -20,6 +20,7 @@
#define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
#define MAX_DENY_USERS 256 /* Max # users on deny list. */
+#define MAX_CHROOT_USERS 256 /* Max # users on chroot list. */
#define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */
#define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
@@ -104,6 +105,8 @@
char *allow_users[MAX_ALLOW_USERS];
u_int num_deny_users;
char *deny_users[MAX_DENY_USERS];
+ u_int num_chroot_users;
+ char *chroot_users[MAX_CHROOT_USERS];
u_int num_allow_groups;
char *allow_groups[MAX_ALLOW_GROUPS];
u_int num_deny_groups;
--- openssh-3.4p1.vanilla/session.c Wed Jun 26 09:51:06 2002
+++ openssh-3.4p1/session.c Wed Jul 3 16:29:01 2002
@@ -57,6 +57,8 @@
#include "canohost.h"
#include "session.h"
#include "monitor_wrap.h"
+#include "match.h"
+#include "readconf.h"
#ifdef HAVE_CYGWIN
#include <windows.h>
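Review bot: `readconf.h` is the ssh client's configuration header, and nothing in the session.c changes of this patch uses a symbol from it; the `options` consulted in the later do_setusercontext hunk is the server's ServerOptions, which session.c presumably already sees through servconf.h. Unless a readconf.h symbol is genuinely needed, drop that include and keep only `#include "match.h"`, which match_user() does require.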
@@ -64,6 +66,8 @@
#define is_winnt (GetVersion() < 0x80000000)
#endif
+#define CHROOT
+
/* func */
Session *session_new(void);
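Review bot: `#define CHROOT` is hard-coded into session.c, so the `#ifdef CHROOT` guards around the new code in do_setusercontext can never be disabled and the feature cannot be built out without editing the source. A build-time switch like this belongs in config.h, set by configure, with session.c only testing the macro; as written the guards are dead weight, so either move the define out to the build system or remove the guards along with it.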
@@ -1160,6 +1164,12 @@
do_setusercontext(struct passwd *pw)
{
char tty='\0';
+ int i;
+#ifdef CHROOT
+ char *new_root = "/";
+ const char *hostname = NULL;
+ const char *ipaddr = NULL;
+#endif /* CHROOT */
#ifdef HAVE_CYGWIN
if (is_winnt) {
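Review bot: `int i` is declared unconditionally but is only used inside the `#ifdef CHROOT` block added later in do_setusercontext, so a build with CHROOT undefined gets an unused-variable warning; move it under the guard next to the other three declarations. `new_root` points at a string literal and is later stored into `pw->pw_dir`; if that passwd record is ever released with a free of `pw_dir` (it presumably comes from a pwcopy() of the real entry), this would free a literal, so `xstrdup("/")` would be the safer value — confirm how pw is released. do_setusercontext begins before and ends after this hunk.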
@@ -1187,6 +1197,26 @@
if (setlogin(pw->pw_name) < 0)
error("setlogin failed: %s", strerror(errno));
+#ifdef CHROOT
+
+ if (options.num_chroot_users > 0) {
+ hostname = get_canonical_hostname(options.verify_reverse_mapping);
+ ipaddr = get_remote_ipaddr();
+ for (i = 0; i < options.num_chroot_users; i++) {
+ if (match_user(pw->pw_name, hostname, ipaddr,
+ options.chroot_users[i])) {
+ if(chroot(pw->pw_dir) != 0) {
+ fatal("Couldn't chroot to user directory %s",
+ pw->pw_dir);
+ }
+ else
+ pw->pw_dir = new_root;
+ }
+ }
+ }
+
+
+#endif /* CHROOT */
if (setgid(pw->pw_gid) < 0) {
perror("setgid");
exit(1);
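Review bot: The new branch calls `chroot(pw->pw_dir)` but never chdir()s into the new root, so the process's working directory stays outside the jail until some later code happens to change it, and nothing verifies that `pw->pw_dir` is root-owned and not writable by the user before the kernel treats it as the root filesystem. Both checks belong immediately around the chroot() call, which still runs as root at this point: a chroot target the user can modify is what lets the jail be subverted, and a `chdir("/")` right after a successful chroot() is the documented requirement. The loop should also `break` after the first matching pattern instead of repeating the chroot for every match, the `else` after fatal() is redundant, and the failure message should carry strerror(errno). This needs a `struct stat st;` added to the CHROOT locals declared in the earlier hunk of do_setusercontext, whose body begins and ends outside this hunk.
```c
			if (match_user(pw->pw_name, hostname, ipaddr,
			    options.chroot_users[i])) {
				/* Refuse a chroot target the user could modify. */
				if (stat(pw->pw_dir, &st) != 0 ||
				    st.st_uid != 0 || (st.st_mode & 022) != 0)
					fatal("bad ownership or modes for chroot "
					    "directory %s", pw->pw_dir);
				if (chroot(pw->pw_dir) != 0)
					fatal("Couldn't chroot to user directory %s: %s",
					    pw->pw_dir, strerror(errno));
				/* cwd must not be left outside the new root. */
				if (chdir("/") != 0)
					fatal("chdir(\"/\") failed: %s", strerror(errno));
				pw->pw_dir = new_root;
				break;
			}
/* … unchanged: loop and #endif, setgid() and the rest of do_setusercontext … */
```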
Regards,
--
John Furman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.4p1-chroot-patch.tar.gz
Type: application/x-gzip
Size: 2616 bytes
Desc: Shell script & patch tarball
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020703/b9a95ed0/attachment.bin