Date:      Fri, 1 Jun 2001 15:21:10 -0700
From:      "Robert L Sowders" <rsowders@usgs.gov>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        freebsd-questions@FreeBSD.ORG, owner-freebsd-questions@FreeBSD.ORG, Rob Simmons <rsimmons@wlcg.com>
Subject:   Re: chroot for sftp
Message-ID:  <OFD68873FE.20ACD97C-ON88256A5E.007A64BF@wr.usgs.gov>


Here is a diff to chroot ssh sessions, from the contrib directory of the
openssh distribution.  Since the sftp session is handed off by the sshd
process it should work, but all ssh sessions for the user would be
chrooted.

Maybe you could modify it to suit your purposes. 
-------------------------------------------------------------------------
From: Ricardo Cerqueira <rmcc@clix.pt>

A patch to cause sshd to chroot when it encounters the magic token
'/./' in a user's home directory. The directory portion before the
token is the directory to chroot() to, the portion after the
token is the user's home directory relative to the new root.

Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.4
diff -u -r1.4 session.c
--- session.c   2000/04/16 02:31:51     1.4
+++ session.c   2000/04/16 02:47:55
@@ -27,6 +27,8 @@
 #include "ssh2.h"
 #include "auth.h"
 
+#define CHROOT
+
 /* types */
 
 #define TTYSZ 64
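Review bot: `#define CHROOT` is dropped unconditionally into session.c, so the `#ifdef CHROOT` guards in the later hunks can never exclude the code and every build of this sshd gets the token-triggered chroot. Define it from the build instead (a `-DCHROOT` in CFLAGS or a configure option) and remove the define here, so an administrator who does not want the behaviour can build without it.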
@@ -783,6 +785,10 @@
        extern char **environ;
        struct stat st;
        char *argv[10];
+#ifdef CHROOT
+       char *user_dir;
+       char *new_root;
+#endif /* CHROOT */
 
 #ifndef USE_PAM /* pam_nologin handles this */
        f = fopen("/etc/nologin", "r");
@@ -799,6 +805,26 @@
        /* Set login name in the kernel. */
        if (setlogin(pw->pw_name) < 0)
                error("setlogin failed: %s", strerror(errno));
+
+#ifdef CHROOT
+       user_dir = xstrdup(pw->pw_dir);
+       new_root = user_dir + 1;  
+
+       while((new_root = strchr(new_root, '.')) != NULL) {
+               new_root--;
+               if(strncmp(new_root, "/./", 3) == 0) {
+                       *new_root = '\0';
+                       new_root += 2;
+
+                       if(chroot(user_dir) != 0)
+                               fatal("Couldn't chroot to user directory 
%s", user_dir);
+
+                       pw->pw_dir = new_root;
+                       break;
+               }
+               new_root += 2;
+       }
+#endif /* CHROOT */
 
        /* Set uid, gid, and groups. */
        /* Login(1) does this as well, and it needs uid 0 for the "-h"
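Review bot: the scan starts at `user_dir + 1`, so when pw_dir is the empty string strchr() reads past the terminator, and the hand-rolled pointer walk (`new_root--`, then `new_root += 2`) is harder to verify than a single `strstr(user_dir, "/./")`, which finds the same first occurrence and cannot step before the buffer. Two further points on the chroot itself: it is done while still uid 0 (correct, it must be), but nothing here checks that the target is a directory owned by root and not writable by the user, and a jail the user can write to is not a security boundary; and when the token sits at the very start (`/./home`) `*new_root = '\0'` leaves user_dir empty, so chroot("") fails and fatal() fires, which is fail-closed but deserves an explicit check and message rather than an accidental one. Finally, chroot() does not change the working directory, so confirm that the code after the uid switch does chdir(pw->pw_dir), which after this hunk is a path relative to the new root.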

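As an added example, and not code from the posted patch or from OpenSSH, here is the "/./" token split described above written as a stand-alone function that handles the edge cases the patch only handles implicitly (no token, token at the very start, nothing after the token), together with a check that a candidate jail root is a directory owned by root and writable by nobody else. The function names, the sample home directory strings and the buffer sizes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/*
 * Example code (not part of the patch above or of OpenSSH).
 * Split a passwd home directory carrying the "/./" token into the
 * directory to chroot() into and the home directory relative to that
 * new root.  Returns 1 when a token was found, 0 when there is none
 * (no chroot wanted, home copied unchanged), -1 when the value is
 * unusable: not absolute, token at offset 0 (would chroot to ""), or
 * a part that does not fit its buffer.
 */
int split_chroot_home(const char *pw_dir, char *root, size_t rootsz,
                      char *home, size_t homesz)
{
    const char *tok;
    size_t rootlen;

    if (pw_dir == NULL || pw_dir[0] != '/')     /* home must be absolute */
        return -1;

    tok = strstr(pw_dir, "/./");                /* first occurrence only */
    if (tok == NULL) {
        if (strlen(pw_dir) >= homesz)
            return -1;
        root[0] = '\0';
        strcpy(home, pw_dir);
        return 0;
    }

    rootlen = (size_t)(tok - pw_dir);
    if (rootlen == 0)                           /* "/./..." -> empty root */
        return -1;
    if (rootlen >= rootsz || strlen(tok + 2) >= homesz)
        return -1;

    memcpy(root, pw_dir, rootlen);
    root[rootlen] = '\0';
    strcpy(home, tok + 2);                      /* keeps the leading '/' */
    return 1;
}

/*
 * A jail the user can write into is not a boundary.  Accept the root
 * only if it exists, is a directory, is owned by uid 0 and is not
 * group- or world-writable.  Returns 1 if acceptable, 0 otherwise.
 */
int jail_root_is_safe(const char *root)
{
    struct stat st;

    if (stat(root, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

int main(void)
{
    /* constructed sample pw_dir values, one per edge case */
    const char *samples[] = {
        "/jail/./home/alice",   /* normal token use            */
        "/home/bob",            /* no token: no chroot         */
        "/jail/./",             /* nothing after the token     */
        "/./home/eve",          /* token at offset 0: rejected */
    };
    char root[256], home[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc;
        root[0] = home[0] = '\0';
        rc = split_chroot_home(samples[i], root, sizeof root,
                               home, sizeof home);
        printf("%-20s -> rc=%2d root=\"%s\" home=\"%s\" safe=%d\n",
               samples[i], rc, root, home,
               rc == 1 ? jail_root_is_safe(root) : 0);
    }
    return 0;
}
```

The split is done with strstr() rather than a pointer walk so it can never step before the start of the string, and an empty root is rejected explicitly instead of being left for chroot("") to fail on. The safety check is the administrative side of the same feature: it is the property the jail directory must have for the chroot to mean anything once the session drops to the user's uid.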
Kris Kennaway <kris@obsecurity.org>
Sent by: owner-freebsd-questions@FreeBSD.ORG
05/31/2001 07:11 PM

        To:     Rob Simmons <rsimmons@wlcg.com>
        cc:     freebsd-questions@FreeBSD.ORG
        Subject:        Re: chroot for sftp

On Thu, May 31, 2001 at 06:46:28PM -0400, Rob Simmons wrote:
> Is there a way to chroot regular users when they login via sftp?  I
> didn't
> see a login.conf option for this.  I'm looking for the same effect as
> adding the user to /etc/ftpchroot with standard ftp.

I don't think so, although there might be in newer releases now that
OpenBSD have adopted a login.conf system.

Kris
