From 0a76e8dc3af00e240352fd378ee4c721995642a3a0a4c622aff142e680933319 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Thu, 27 Aug 2009 22:21:56 +0000 Subject: [PATCH] Accepting request 19015 from Base:System Copy from Base:System/openssh based on submit request 19015 from user coolo OBS-URL: https://build.opensuse.org/request/show/19015 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=31 --- openssh-5.2p1-homechroot.patch | 162 +++++++++++++++++++++++++++++++++ openssh-askpass-gnome.spec | 2 +- openssh.changes | 6 ++ openssh.spec | 4 +- 4 files changed, 172 insertions(+), 2 deletions(-) create mode 100644 openssh-5.2p1-homechroot.patch diff --git a/openssh-5.2p1-homechroot.patch b/openssh-5.2p1-homechroot.patch new file mode 100644 index 0000000..7aeeab1 --- /dev/null +++ b/openssh-5.2p1-homechroot.patch @@ -0,0 +1,162 @@ ++++ openssh-5.2p1/chrootenv.h ++++ openssh-5.2p1/chrootenv.h +@@ -0,0 +1,32 @@ ++/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ ++ ++/* ++ * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++#ifndef CHROOTENV_H ++#define CHROOTENV_H ++ ++extern int chroot_no_tree; ++ ++#endif ++ +--- openssh-5.2p1/session.c ++++ openssh-5.2p1/session.c 2009-07-24 07:33:14.000000000 +0200 +@@ -119,6 +119,8 @@ void do_child(Session *, const char *); + void do_motd(void); + int check_quietlogin(Session *, const char *); + ++int chroot_no_tree = 0; ++ + static void do_authenticated1(Authctxt *); + static void do_authenticated2(Authctxt *); + +@@ -802,6 +804,11 @@ do_exec(Session *s, const char *command) + debug("Forced command (key option) '%.900s'", command); + } + ++ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) { ++ logit("You aren't welcomed, go away!"); ++ exit (1); ++ } ++ + #ifdef SSH_AUDIT_EVENTS + if (command != NULL) + PRIVSEP(audit_run_command(command)); +@@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui + const char *cp; + char component[MAXPATHLEN]; + struct stat st; ++ int last; + + if (*path != '/') + fatal("chroot path does not begin at root"); +@@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui + * root-owned directory with strict permissions. + */ + for (cp = path; cp != NULL;) { +- if ((cp = strchr(cp, '/')) == NULL) ++ if (((last = ((cp = strchr(cp, '/')) == NULL)))) + strlcpy(component, path, sizeof(component)); + else { + cp++; +@@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui + if (stat(component, &st) != 0) + fatal("%s: stat(\"%s\"): %s", __func__, + component, strerror(errno)); +- if (st.st_uid != 0 || (st.st_mode & 022) != 0) ++ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid)) + fatal("bad ownership or modes for chroot " + "directory %s\"%s\"", + cp == NULL ? "" : "component ", component); + if (!S_ISDIR(st.st_mode)) + fatal("chroot path %s\"%s\" is not a directory", + cp == NULL ? "" : "component ", component); +- + } ++ setenv ("TZ", "/etc/localtime", 0); ++ tzset (); ++ ++ if (st.st_uid != uid) ++ ++chroot_no_tree; + + if (chdir(path) == -1) + fatal("Unable to chdir to chroot path \"%s\": " +@@ -1451,6 +1463,10 @@ safely_chroot(const char *path, uid_t ui + if (chdir("/") == -1) + fatal("%s: chdir(/) after chroot: %s", + __func__, strerror(errno)); ++ ++ if (access ("/etc/localtime", R_OK) < 0) ++ ++chroot_no_tree; ++ + verbose("Changed root directory to \"%s\"", path); + } + +--- openssh-5.2p1/sftp.c ++++ openssh-5.2p1/sftp.c +@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons + + extern char *__progname; + ++int chroot_no_tree = 0; ++ + /* Separators for interactive commands */ + #define WHITESPACE " \t\r\n" + +--- openssh-5.2p1/sftp-common.c ++++ openssh-5.2p1/sftp-common.c +@@ -40,6 +40,7 @@ + #include "xmalloc.h" + #include "buffer.h" + #include "log.h" ++#include "chrootenv.h" + + #include "sftp.h" + #include "sftp-common.h" +@@ -194,13 +195,13 @@ ls_file(const char *name, const struct s + char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1]; + + strmode(st->st_mode, mode); +- if (!remote && (pw = getpwuid(st->st_uid)) != NULL) { ++ if (!remote && !chroot_no_tree && (pw = getpwuid(st->st_uid)) != NULL) { + user = pw->pw_name; + } else { + snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid); + user = ubuf; + } +- if (!remote && (gr = getgrgid(st->st_gid)) != NULL) { ++ if (!remote && !chroot_no_tree && (gr = getgrgid(st->st_gid)) != NULL) { + group = gr->gr_name; + } else { + snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid); +--- openssh-5.2p1/sftp-server-main.c ++++ openssh-5.2p1/sftp-server-main.c +@@ -22,11 +22,14 @@ + #include + #include + #include ++#include + + #include "log.h" + #include "sftp.h" + #include "misc.h" + ++int chroot_no_tree = 0; ++ + void + cleanup_exit(int i) + { diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 4661df0..9e3c0cf 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -23,7 +23,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev License: BSD 3-clause (or similar) Group: Productivity/Networking/SSH Version: 5.2p1 -Release: 6 +Release: 7 Requires: openssh = %{version} openssh-askpass = %{version} AutoReqProv: on Summary: A GNOME-Based Passphrase Dialog for OpenSSH diff --git a/openssh.changes b/openssh.changes index 057c193..27bc2ef 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz + +- make sftp in chroot users life easier (ie. bnc#518238), + many thanks jchadima@redhat.com for a patch + ------------------------------------------------------------------- Sun Jul 12 21:43:21 CEST 2009 - coolo@novell.com diff --git a/openssh.spec b/openssh.spec index 15870f6..e9e7d23 100644 --- a/openssh.spec +++ b/openssh.spec @@ -38,7 +38,7 @@ PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_pr Conflicts: nonfreessh AutoReqProv: on Version: 5.2p1 -Release: 6 +Release: 7 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) Url: http://www.openssh.com/ @@ -71,6 +71,7 @@ Patch44: %{name}-%{version}-audit.patch Patch45: %{name}-%{version}-pts.diff Patch46: %{name}-%{version}-pam-fix4.diff Patch48: %{name}-%{version}-forwards.diff +Patch49: %{name}-%{version}-homechroot.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %package askpass @@ -162,6 +163,7 @@ Authors: %patch45 %patch46 -p1 %patch48 +%patch49 -p1 cp -v %{SOURCE4} . cp -v %{SOURCE6} . cd ../x11-ssh-askpass-%{xversion}