[pathnames.h servconf.c servconf.h sshd.c]
     _PATH_PRIVSEP_CHROOT_DIR; ok provos@
This commit is contained in:
Ben Lindstrom 2002-03-22 02:42:37 +00:00
parent 01426a67c8
commit 7a7edf77ed
5 changed files with 15 additions and 17 deletions

View File

@ -75,6 +75,9 @@
[servconf.c]
UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@
- stevesk@cvs.openbsd.org 2002/03/19 03:03:43
[pathnames.h servconf.c servconf.h sshd.c]
_PATH_PRIVSEP_CHROOT_DIR; ok provos@
20020317
- (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
@ -7921,4 +7924,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
$Id: ChangeLog,v 1.1946 2002/03/22 02:40:03 mouring Exp $
$Id: ChangeLog,v 1.1947 2002/03/22 02:42:37 mouring Exp $

View File

@ -1,4 +1,4 @@
/* $OpenBSD: pathnames.h,v 1.11 2002/02/09 17:37:34 deraadt Exp $ */
/* $OpenBSD: pathnames.h,v 1.12 2002/03/19 03:03:43 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -139,6 +139,9 @@
#ifndef _PATH_SFTP_SERVER
#define _PATH_SFTP_SERVER "/usr/libexec/sftp-server"
#endif
/* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */
#define _PATH_PRIVSEP_CHROOT_DIR "/var/empty"
#ifndef _PATH_LS
#define _PATH_LS "ls"
#endif

View File

@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.103 2002/03/18 23:52:51 stevesk Exp $");
RCSID("$OpenBSD: servconf.c,v 1.104 2002/03/19 03:03:43 stevesk Exp $");
#if defined(KRB4) || defined(KRB5)
#include <krb.h>
@ -115,7 +115,6 @@ initialize_server_options(ServerOptions *options)
options->unprivileged_user = -1;
options->unprivileged_group = -1;
options->unprivileged_dir = NULL;
/* Needs to be accessable in many places */
use_privsep = -1;
@ -252,8 +251,6 @@ fill_default_server_options(ServerOptions *options)
options->unprivileged_user = 32767;
if (options->unprivileged_group == -1)
options->unprivileged_group = 32767;
if (options->unprivileged_dir == NULL)
options->unprivileged_dir = "/var/empty";
}
/* Keyword tokens. */
@ -286,7 +283,7 @@ typedef enum {
sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup, sUnprivDir,
sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup,
sDeprecated
} ServerOpCodes;
@ -365,7 +362,6 @@ static struct {
{ "useprivilegeseparation", sUsePrivilegeSeparation},
{ "unprivuser", sUnprivUser},
{ "unprivgroup", sUnprivGroup},
{ "unprivdir", sUnprivDir},
{ NULL, sBadOption }
};
@ -754,10 +750,6 @@ parse_flag:
intptr = &options->unprivileged_group;
goto parse_int;
case sUnprivDir:
charptr = &options->unprivileged_dir;
goto parse_filename;
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)

View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.55 2002/03/18 17:50:31 provos Exp $ */
/* $OpenBSD: servconf.h,v 1.56 2002/03/19 03:03:43 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -133,7 +133,6 @@ typedef struct {
int unprivileged_user; /* User unprivileged child uses */
int unprivileged_group; /* Group unprivileged child uses */
char *unprivileged_dir; /* Chroot dir for unprivileged user */
} ServerOptions;
void initialize_server_options(ServerOptions *);

7
sshd.c
View File

@ -42,7 +42,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshd.c,v 1.231 2002/03/18 17:50:31 provos Exp $");
RCSID("$OpenBSD: sshd.c,v 1.232 2002/03/19 03:03:43 stevesk Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@ -533,8 +533,9 @@ privsep_preauth_child(void)
demote_sensitive_data();
/* Change our root directory*/
if (chroot(options.unprivileged_dir) == -1)
fatal("chroot(/var/empty)");
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
strerror(errno));
if (chdir("/") == -1)
fatal("chdir(/)");