contrib/chroot.diff - third_party/openssh-portable - Git at Google

 From: Ricardo Cerqueira <rmcc@clix.pt>

 A patch to cause sshd to chroot when it encounters the magic token
 '/./' in a users home directory. The directory portion before the
 token is the directory to chroot() to, the portion after the
 token is the user's home directory relative to the new root.

 Index: session.c
 ===================================================================
 RCS file: /var/cvs/openssh/session.c,v
 retrieving revision 1.4
 diff -u -r1.4 session.c
 --- session.c	2000/04/16 02:31:51	1.4
 +++ session.c	2000/04/16 02:47:55
 @@ -27,6 +27,8 @@
  #include "ssh2.h"
  #include "auth.h"

 +#define CHROOT
 +
  /* types */

  #define TTYSZ 64
 @@ -783,6 +785,10 @@
  	extern char **environ;
  	struct stat st;
  	char *argv[10];
 +#ifdef CHROOT
 +	char *user_dir;
 +	char *new_root;
 +#endif /* CHROOT */

  #ifndef USE_PAM /* pam_nologin handles this */
  	f = fopen("/etc/nologin", "r");
 @@ -799,6 +805,26 @@
  	/* Set login name in the kernel. */
  	if (setlogin(pw->pw_name) < 0)
  		error("setlogin failed: %s", strerror(errno));
 +
 +#ifdef CHROOT
 +	user_dir = xstrdup(pw->pw_dir);
 +	new_root = user_dir + 1;
 +
 +	while((new_root = strchr(new_root, '.')) != NULL) {
 +		new_root--;
 +		if(strncmp(new_root, "/./", 3) == 0) {
 +			*new_root = '\0';
 +			new_root += 2;
 +
 +			if(chroot(user_dir) != 0)
 +				fatal("Couldn't chroot to user directory %s", user_dir);
 +
 +			pw->pw_dir = new_root;
 +			break;
 +		}
 +		new_root += 2;
 +	}
 +#endif /* CHROOT */

  	/* Set uid, gid, and groups. */
  	/* Login(1) does this as well, and it needs uid 0 for the "-h"
	From: Ricardo Cerqueira <rmcc@clix.pt>

	A patch to cause sshd to chroot when it encounters the magic token
	'/./' in a users home directory. The directory portion before the
	token is the directory to chroot() to, the portion after the
	token is the user's home directory relative to the new root.

	Index: session.c
	===================================================================
	RCS file: /var/cvs/openssh/session.c,v
	retrieving revision 1.4
	diff -u -r1.4 session.c
	--- session.c 2000/04/16 02:31:51 1.4
	+++ session.c 2000/04/16 02:47:55
	@@ -27,6 +27,8 @@
	#include "ssh2.h"
	#include "auth.h"

	+#define CHROOT
	+
	/* types */

	#define TTYSZ 64
	@@ -783,6 +785,10 @@
	extern char **environ;
	struct stat st;
	char *argv[10];
	+#ifdef CHROOT
	+ char *user_dir;
	+ char *new_root;
	+#endif /* CHROOT */

	#ifndef USE_PAM /* pam_nologin handles this */
	f = fopen("/etc/nologin", "r");
	@@ -799,6 +805,26 @@
	/* Set login name in the kernel. */
	if (setlogin(pw->pw_name) < 0)
	error("setlogin failed: %s", strerror(errno));
	+
	+#ifdef CHROOT
	+ user_dir = xstrdup(pw->pw_dir);
	+ new_root = user_dir + 1;
	+
	+ while((new_root = strchr(new_root, '.')) != NULL) {
	+ new_root--;
	+ if(strncmp(new_root, "/./", 3) == 0) {
	+ *new_root = '\0';
	+ new_root += 2;
	+
	+ if(chroot(user_dir) != 0)
	+ fatal("Couldn't chroot to user directory %s", user_dir);
	+
	+ pw->pw_dir = new_root;
	+ break;
	+ }
	+ new_root += 2;
	+ }
	+#endif /* CHROOT */

	/* Set uid, gid, and groups. */
	/* Login(1) does this as well, and it needs uid 0 for the "-h"