net-misc/openssh/files/openssh-3.9_p1-chroot.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

################################################################################
################################################################################
#                                                                              #
# Original patch by Ricardo Cerqueira <rmcc@clix.pt>                           #
#                                                                              #
# Updated by James Dennis <james@firstaidmusic.com> for openssh-3.7.1p2        #
#                                                                              #
# A patch to cause sshd to chroot when it encounters the magic token           #
# '/./' in a users home directory. The directory portion before the            #
# token is the directory to chroot() to, the portion after the                 #
# token is the user's home directory relative to the new root.                 #
#                                                                              #
# Patch source using: patch -p0 < /path/to/patch                               #
#                                                                              #
# Systems with a bad diff (doesn't understand -u or -N) should use gnu diff.   #
# Solaris may store this as gdiff under /opt/sfw/bin. I can't say much about   #
# other systems (unless you email me your experiences!).                       #
#                                                                              #
################################################################################
################################################################################

diff -uNr openssh-3.7.1p2/session.c openssh-3.7.1p2-chroot/session.c
--- openssh-3.7.1p2/session.c	Tue Sep 23 04:59:08 2003
+++ openssh-3.7.1p2-chroot/session.c	Fri Sep 26 13:42:52 2003
@@ -58,6 +58,8 @@
 #include "session.h"
 #include "monitor_wrap.h"
 
+#define CHROOT
+
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -1231,6 +1233,12 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
+
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1268,6 +1276,27 @@
 			do_pam_setcred(0);
 		}
 # endif /* USE_PAM */
+
+#ifdef CHROOT
+       user_dir = xstrdup(pw->pw_dir);
+       new_root = user_dir + 1;
+
+       while((new_root = strchr(new_root, '.')) != NULL) {
+           new_root--;
+           if(strncmp(new_root, "/./", 3) == 0) {
+               *new_root = '\0';
+               new_root += 2;
+
+               if(chroot(user_dir) != 0)
+                   fatal("Couldn't chroot to user directory % s", user_dir);
+                   pw->pw_dir = new_root;
+                   break;
+               }
+               new_root += 2;
+       }
+#endif /* CHROOT */
+
+
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
 		irix_setusercontext(pw);
 #  endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */