changes to allow chroot'ed sftp

Mon Nov 11 17:41:53 EST 2002

I have a use for sftp to run in a chroot jail.

Since sftp doesn't quite work properly for that, I did the
work to make it function like that.

This required two different changes:

sftpsh   is a replacement for nologin.  It
works like nologin except under certain circumstances --
where it will start up sftp-server.

The other part was to add an option to sftp-server.
the '-c' option causes sftp-server to chroot(".");chdir("/");
(the latter being to avoid chroot hole problems).

It's been a while since I've done anything security-critical,
so PLEASE feel free to audit/critique my code.

The changes for sftp-server.c and sftp-server.8 are as follows:
===================================================================
RCS file: RCS/sftp-server.c,v
retrieving revision 1.38
diff -u -r1.38 sftp-server.c

--- sftp-server.c       2002/11/10 22:56:08     1.38
+++ sftp-server.c       2002/11/11 04:01:02
@@ -1058,6 +1058,11 @@
         ssize_t len, olen, set_size;

         /* XXX should use getopt */
+       if(ac == 2 && strcmp(av[1],"-c") == 0 ){
+               chroot(".");
+               chdir("/"); /* get rid of '.' chroot hole */
+               setuid(getuid());
+       };

         __progname = get_progname(av[0]);
         handle_init();
===================================================================
===================================================================
RCS file: RCS/sftp-server.8,v
retrieving revision 1.1
diff -u -r1.1 sftp-server.8
--- sftp-server.8       2002/11/10 23:17:06     1.1
+++ sftp-server.8       2002/11/10 23:35:44
@@ -43,6 +43,10 @@
  See
  .Xr sshd 8
  for more information.
+.Sh OPTIONS
+.Bl -tag -width CC
+.It Fl c
+chroot jail:  (do a chroot and setuid(getuid()) when starting)
  .Sh SEE ALSO
  .Xr sftp 1 ,
  .Xr ssh 1 ,
===================================================================

sftpsh.c is attached (83 lines including copyright)

Notes:
   sftpsh needs to be installed setuid.
   I don't have install scripts for it.
   The location of sftp-server is hardwired into sftpsh.c .
   sftpsh.c uses /proc/ppid/cmdline to check the name and pid of it's parent

No docs for sftpsh.c

Conditions for sftpsh calling sftp-server:
    Parent process is sshd, and is uid-root.
    parameters are: "-c /usr/libexec/sshd/sshd-server"

If sftp-server doesn't cooperate, you end up with a (potential) remote root exploit.

Perhaps instead of checking for a parameter of '-c' I should just check for euid==0?

-- 
Stephen Samuel +1(604)876-0426                samuel at bcgreen.com
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sftpsh.c
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021110/882386af/attachment.c 
