mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-22 01:50:16 +00:00
- stevesk@cvs.openbsd.org 2002/03/19 03:03:43
[pathnames.h servconf.c servconf.h sshd.c] _PATH_PRIVSEP_CHROOT_DIR; ok provos@
parent
01426a67c8
commit
7a7edf77ed
@ -75,6 +75,9 @@
|
||||
[servconf.c]
|
||||
UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
|
||||
provos@
|
||||
- stevesk@cvs.openbsd.org 2002/03/19 03:03:43
|
||||
[pathnames.h servconf.c servconf.h sshd.c]
|
||||
_PATH_PRIVSEP_CHROOT_DIR; ok provos@
|
||||
|
||||
20020317
|
||||
- (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
|
||||
@ -7921,4 +7924,4 @@
|
||||
- Wrote replacements for strlcpy and mkdtemp
|
||||
- Released 1.0pre1
|
||||
|
||||
$Id: ChangeLog,v 1.1946 2002/03/22 02:40:03 mouring Exp $
|
||||
$Id: ChangeLog,v 1.1947 2002/03/22 02:42:37 mouring Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pathnames.h,v 1.11 2002/02/09 17:37:34 deraadt Exp $ */
|
||||
/* $OpenBSD: pathnames.h,v 1.12 2002/03/19 03:03:43 stevesk Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -139,6 +139,9 @@
|
||||
#ifndef _PATH_SFTP_SERVER
|
||||
#define _PATH_SFTP_SERVER "/usr/libexec/sftp-server"
|
||||
#endif
|
||||
|
||||
/* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */
|
||||
#define _PATH_PRIVSEP_CHROOT_DIR "/var/empty"
|
||||
#ifndef _PATH_LS
|
||||
#define _PATH_LS "ls"
|
||||
#endif
|
||||
|
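Review bot: `_PATH_PRIVSEP_CHROOT_DIR` is defined unconditionally, while its neighbours `_PATH_SFTP_SERVER` and `_PATH_LS` in this hunk are wrapped in `#ifndef`, so a build cannot override the chroot location now that the servconf.c part of this commit removes the `unprivdir` keyword. Following the neighbouring pattern would keep it overridable: `#ifndef _PATH_PRIVSEP_CHROOT_DIR`, `#define _PATH_PRIVSEP_CHROOT_DIR "/var/empty"`, `#endif`. The comment above the define could also record the expectation that this directory is empty, owned by root and not writable by group or others, since the unprivileged child is confined to it.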
12
servconf.c
12
servconf.c
@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.103 2002/03/18 23:52:51 stevesk Exp $");
|
||||
RCSID("$OpenBSD: servconf.c,v 1.104 2002/03/19 03:03:43 stevesk Exp $");
|
||||
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#include <krb.h>
|
||||
@ -115,7 +115,6 @@ initialize_server_options(ServerOptions *options)
|
||||
|
||||
options->unprivileged_user = -1;
|
||||
options->unprivileged_group = -1;
|
||||
options->unprivileged_dir = NULL;
|
||||
|
||||
/* Needs to be accessable in many places */
|
||||
use_privsep = -1;
|
||||
@ -252,8 +251,6 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->unprivileged_user = 32767;
|
||||
if (options->unprivileged_group == -1)
|
||||
options->unprivileged_group = 32767;
|
||||
if (options->unprivileged_dir == NULL)
|
||||
options->unprivileged_dir = "/var/empty";
|
||||
}
|
||||
|
||||
/* Keyword tokens. */
|
||||
@ -286,7 +283,7 @@ typedef enum {
|
||||
sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup, sUnprivDir,
|
||||
sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup,
|
||||
sDeprecated
|
||||
} ServerOpCodes;
|
||||
|
||||
@ -365,7 +362,6 @@ static struct {
|
||||
{ "useprivilegeseparation", sUsePrivilegeSeparation},
|
||||
{ "unprivuser", sUnprivUser},
|
||||
{ "unprivgroup", sUnprivGroup},
|
||||
{ "unprivdir", sUnprivDir},
|
||||
{ NULL, sBadOption }
|
||||
};
|
||||
|
||||
@ -754,10 +750,6 @@ parse_flag:
|
||||
intptr = &options->unprivileged_group;
|
||||
goto parse_int;
|
||||
|
||||
case sUnprivDir:
|
||||
charptr = &options->unprivileged_dir;
|
||||
goto parse_filename;
|
||||
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.h,v 1.55 2002/03/18 17:50:31 provos Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.56 2002/03/19 03:03:43 stevesk Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -133,7 +133,6 @@ typedef struct {
|
||||
|
||||
int unprivileged_user; /* User unprivileged child uses */
|
||||
int unprivileged_group; /* Group unprivileged child uses */
|
||||
char *unprivileged_dir; /* Chroot dir for unprivileged user */
|
||||
} ServerOptions;
|
||||
|
||||
void initialize_server_options(ServerOptions *);
|
||||
|
7
sshd.c
7
sshd.c
@ -42,7 +42,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshd.c,v 1.231 2002/03/18 17:50:31 provos Exp $");
|
||||
RCSID("$OpenBSD: sshd.c,v 1.232 2002/03/19 03:03:43 stevesk Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
@ -533,8 +533,9 @@ privsep_preauth_child(void)
|
||||
demote_sensitive_data();
|
||||
|
||||
/* Change our root directory*/
|
||||
if (chroot(options.unprivileged_dir) == -1)
|
||||
fatal("chroot(/var/empty)");
|
||||
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
||||
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
||||
strerror(errno));
|
||||
if (chdir("/") == -1)
|
||||
fatal("chdir(/)");
|
||||
|
||||
|
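Review bot: Nothing visible in this hunk verifies that `_PATH_PRIVSEP_CHROOT_DIR` exists as a root-owned directory without group or world write bits before `privsep_preauth_child` chroots into it. A missing or misconfigured directory therefore surfaces only in the child, presumably once a connection arrives. If no such check exists elsewhere, a `stat()` at daemon start-up that rejects a non-directory, a non-root owner or group/world write permission would catch this early and fail closed. The unchanged `fatal("chdir(/)")` below the new call could also report the cause the way the new chroot message does, e.g. `fatal("chdir(\"/\"): %s", strerror(errno));`. The body of `privsep_preauth_child` starts and ends outside the hunk.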