2000-03-15 01:13:01 +00:00
|
|
|
From: Ricardo Cerqueira <rmcc@clix.pt>
|
|
|
|
|
|
|
|
A patch to cause sshd to chroot when it encounters the magic token
|
|
|
|
'/./' in a users home directory. The directory portion before the
|
|
|
|
token is the directory to chroot() to, the portion after the
|
|
|
|
token is the user's home directory relative to the new root.
|
|
|
|
|
2000-04-16 02:50:52 +00:00
|
|
|
Index: session.c
|
|
|
|
===================================================================
|
|
|
|
RCS file: /var/cvs/openssh/session.c,v
|
|
|
|
retrieving revision 1.4
|
|
|
|
diff -u -r1.4 session.c
|
|
|
|
--- session.c 2000/04/16 02:31:51 1.4
|
|
|
|
+++ session.c 2000/04/16 02:47:55
|
|
|
|
@@ -27,6 +27,8 @@
|
|
|
|
#include "ssh2.h"
|
|
|
|
#include "auth.h"
|
|
|
|
|
|
|
|
+#define CHROOT
|
|
|
|
+
|
|
|
|
/* types */
|
|
|
|
|
|
|
|
#define TTYSZ 64
|
|
|
|
@@ -783,6 +785,10 @@
|
2000-03-15 01:13:01 +00:00
|
|
|
extern char **environ;
|
|
|
|
struct stat st;
|
|
|
|
char *argv[10];
|
2000-04-16 02:50:52 +00:00
|
|
|
+#ifdef CHROOT
|
|
|
|
+ char *user_dir;
|
|
|
|
+ char *new_root;
|
2000-03-15 01:13:01 +00:00
|
|
|
+#endif /* CHROOT */
|
|
|
|
|
|
|
|
#ifndef USE_PAM /* pam_nologin handles this */
|
2000-04-16 02:50:52 +00:00
|
|
|
f = fopen("/etc/nologin", "r");
|
|
|
|
@@ -799,6 +805,26 @@
|
|
|
|
/* Set login name in the kernel. */
|
|
|
|
if (setlogin(pw->pw_name) < 0)
|
|
|
|
error("setlogin failed: %s", strerror(errno));
|
|
|
|
+
|
|
|
|
+#ifdef CHROOT
|
|
|
|
+ user_dir = xstrdup(pw->pw_dir);
|
|
|
|
+ new_root = user_dir + 1;
|
|
|
|
+
|
|
|
|
+ while((new_root = strchr(new_root, '.')) != NULL) {
|
|
|
|
+ new_root--;
|
|
|
|
+ if(strncmp(new_root, "/./", 3) == 0) {
|
|
|
|
+ *new_root = '\0';
|
|
|
|
+ new_root += 2;
|
|
|
|
+
|
|
|
|
+ if(chroot(user_dir) != 0)
|
|
|
|
+ fatal("Couldn't chroot to user directory %s", user_dir);
|
|
|
|
+
|
|
|
|
+ pw->pw_dir = new_root;
|
|
|
|
+ break;
|
|
|
|
+ }
|
|
|
|
+ new_root += 2;
|
|
|
|
+ }
|
2000-03-15 01:13:01 +00:00
|
|
|
+#endif /* CHROOT */
|
|
|
|
|
2000-04-16 02:50:52 +00:00
|
|
|
/* Set uid, gid, and groups. */
|
|
|
|
/* Login(1) does this as well, and it needs uid 0 for the "-h"
|