Chroot patch (v3.4p1)
Hank Leininger
openssh-unix-dev at progressive-comp.com
Fri Jul 5 02:32:36 EST 2002
On 2002-07-04, John Furman <john at venus.ark.com> wrote:
> The following is a patch I've been working on to support a "ChrootUser"
> option in the sshd_config file.
[snip]
> --- openssh-3.4p1.vanilla/session.c Wed Jun 26 09:51:06 2002
> +++ openssh-3.4p1/session.c Wed Jul 3 16:29:01 2002
[snip]
> @@ -1187,6 +1197,26 @@
>
> if (setlogin(pw->pw_name) < 0)
> error("setlogin failed: %s", strerror(errno));
> +#ifdef CHROOT
> +
> + if (options.num_chroot_users > 0) {
> + hostname = [snip]
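Review bot: the `#ifdef CHROOT` block is placed directly after the `setlogin()` call, which is the code path that session.c compiles out when HAVE_LOGIN_CAP is defined and `setusercontext()` is used instead (see the reply below), so on *BSD builds the chroot is never performed even when `num_chroot_users > 0`. Hoist the chroot (together with the `chdir` into the new root) above the HAVE_LOGIN_CAP split so both credential-setting paths reach it, rather than duplicating the block in each branch. Minor: the bare `+` line after `#ifdef CHROOT` adds an empty line for no reason and can go.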
Note that this, like every(?) other chroot patch for openssh floating around
(including the one I maintain), does not work on *BSD, that is, on any system
which has HAVE_LOGIN_CAP defined. All the chroot patches chroot between
setlogin( ... ) and setgid(); initgroups();. The problem is that that code
path is #ifdef'ed out where HAVE_LOGIN_CAP is set, and the following is
used instead:
	if (setusercontext(lc, pw, pw->pw_uid,
	    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
		perror("unable to set user context");
		exit(1);
	}
This was first reported to me by lumpy at musicvision.com, who tried to get
chroot working on a FreeBSD box. I have no FreeBSD or OpenBSD systems
where chrooting sshd is important, so I haven't spent much time testing a
fix. I'm not sure if moving the chroot calls above the block in question,
or simply replicating the chroot code inside both code paths, is
appropriate.
--
Hank Leininger <hlein at progressive-comp.com>
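The placement problem raised above, shown as an added example that is not code from the posted patch or from OpenSSH: the chroot lives in one helper that is called before the credential drop, ahead of the HAVE_LOGIN_CAP split, so neither build variant can compile it out. The function names (chroot_dir_check, enter_chroot, drop_privileges, jail_and_drop) are hypothetical, the jail path is taken as a ready-made string (the patch's hostname-based substitution is snipped and not reproduced here), and the checks on the jail directory and on the finished privilege drop are the ones a practitioner would add around any chroot(2) call.

```c
/* Added example (not from the patch or OpenSSH): chroot once, before the
 * credential drop, on a path shared by the HAVE_LOGIN_CAP and non-login_cap
 * builds. Requires uid 0 to actually enter the jail. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
#endif

/* Refuse a jail root that is missing, not a directory, not owned by root,
 * or writable by group/other: a user who can write the jail root controls
 * what the jailed process sees, which defeats the point of the chroot.
 * Returns 0 if the directory is acceptable, -1 otherwise. */
int chroot_dir_check(const char *dir)
{
	struct stat st;

	if (stat(dir, &st) < 0)
		return -1;
	if (!S_ISDIR(st.st_mode))
		return -1;
	if (st.st_uid != 0)
		return -1;
	if (st.st_mode & (S_IWGRP | S_IWOTH))
		return -1;
	return 0;
}

/* Enter the jail while still root. chdir("/") is mandatory: without it the
 * working directory stays outside the new root. Returns 0 on success. */
int enter_chroot(const char *dir)
{
	if (chroot_dir_check(dir) < 0)
		return -1;
	if (chroot(dir) < 0)
		return -1;
	if (chdir("/") < 0)
		return -1;
	return 0;
}

/* Credential drop. The two branches mirror the HAVE_LOGIN_CAP split in
 * session.c; because the chroot happened before this call, it is reached
 * on both. lc_opaque is the login_cap_t * on login_cap systems, unused
 * elsewhere. Returns 0 once the process provably runs as pw->pw_uid. */
int drop_privileges(struct passwd *pw, void *lc_opaque)
{
#ifdef HAVE_LOGIN_CAP
	login_cap_t *lc = lc_opaque;

	if (setusercontext(lc, pw, pw->pw_uid,
	    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0)
		return -1;
#else
	(void)lc_opaque;
	if (setgid(pw->pw_gid) < 0)
		return -1;
	if (initgroups(pw->pw_name, pw->pw_gid) < 0)
		return -1;
	if (setuid(pw->pw_uid) < 0)
		return -1;
#endif
	/* Verify the drop took effect and cannot be undone: a silently
	 * failed setuid would leave a root process inside the jail. */
	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
		return -1;
	if (pw->pw_uid != 0 && setuid(0) == 0)
		return -1;
	return 0;
}

/* Order matters: chroot first (needs root), then drop privileges. */
int jail_and_drop(const char *dir, struct passwd *pw, void *lc)
{
	if (enter_chroot(dir) < 0)
		return -1;
	return drop_privileges(pw, lc);
}

int main(void)
{
	/* Constructed usage: jail into /var/empty as "nobody"; only works
	 * as root, and /var/empty is assumed to exist and be root-owned. */
	struct passwd *pw = getpwnam("nobody");

	if (pw == NULL) {
		fprintf(stderr, "no such user: nobody\n");
		return 1;
	}
	if (jail_and_drop("/var/empty", pw, NULL) < 0) {
		fprintf(stderr, "jail_and_drop failed: %s\n", strerror(errno));
		return 1;
	}
	printf("jailed as uid %u\n", (unsigned)getuid());
	return 0;
}
```

chroot_dir_check() rejects /tmp (world-writable) and any directory the unprivileged user created, while accepting a root-owned 0755 directory such as /; enter_chroot() fails with EPERM when not running as root, so the helper degrades safely instead of continuing unjailed.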