# run sftp sessions inside a chroot Index: b/session.c =================================================================== --- a/session.c +++ b/session.c @@ -127,6 +127,8 @@ void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); +int chroot_no_tree = 0; + static void do_authenticated1(Authctxt *); static void do_authenticated2(Authctxt *); @@ -816,6 +818,11 @@ do_exec(Session *s, const char *command) snprintf(session_type, sizeof(session_type), "command"); } + if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) { + logit("You aren't welcomed, go away!"); + exit (1); + } + if (s->ttyfd != -1) { tty = s->tty; if (strncmp(tty, "/dev/", 5) == 0) @@ -1453,6 +1460,62 @@ do_nologin(struct passwd *pw) } /* + * Test if filesystem is mounted nosuid and nodev + */ +static void +test_nosuid (char * path, dev_t fs) +{ + FILE *f; + struct stat st; + char buf[4096], *s, *on, *mountpoint, *opt; + int nodev, nosuid; + + if (!(f = popen ("/bin/mount", "r"))) + fatal ("%s: popen(\"/bin/mount\", \"r\"): %s", + __func__, strerror (errno)); + for (;;) { + s = fgets (buf, sizeof (buf), f); + if (ferror (f)) + fatal ("%s: read from popen: %s", __func__, + strerror (errno)); + if (!s) { + pclose (f); + fatal ("cannot find filesystem with the chroot directory"); + } + (void) strtok (buf, " "); + on = strtok (NULL, " "); + if (strcmp (on, "on")) { + pclose (f); + fatal ("bad format of mount output"); + } + mountpoint = strtok (NULL, " "); + if (memcmp (path, mountpoint, strlen (mountpoint))) + continue; + if (stat(mountpoint, &st) != 0) { + pclose (f); + fatal("%s: stat(\"%s\"): %s", __func__, + mountpoint, strerror(errno)); + } + if (fs != st.st_dev) + continue; + nodev = nosuid = 0; + for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) { + if (!strcmp (opt, "nodev")) + nodev = 1; + else if (!strcmp (opt, "nosuid")) + nosuid = 1; + else if (!strcmp (opt, "noexec")) + nosuid = 1; + if (nodev && nosuid) { + pclose (f); + return; + } + } + fatal ("chroot into directory without nodev and either noexec or nosuid"); + } +} + +/* * Chroot into a directory after checking it for safety: all path components * must be root-owned directories with strict permissions. */ @@ -1462,6 +1525,7 @@ safely_chroot(const char *path, uid_t ui const char *cp; char component[PATH_MAX]; struct stat st; + int last; if (*path != '/') fatal("chroot path does not begin at root"); @@ -1473,7 +1537,7 @@ safely_chroot(const char *path, uid_t ui * root-owned directory with strict permissions. */ for (cp = path; cp != NULL;) { - if ((cp = strchr(cp, '/')) == NULL) + if (((last = ((cp = strchr(cp, '/')) == NULL)))) strlcpy(component, path, sizeof(component)); else { cp++; @@ -1486,7 +1550,7 @@ safely_chroot(const char *path, uid_t ui if (stat(component, &st) != 0) fatal("%s: stat(\"%s\"): %s", __func__, component, strerror(errno)); - if (st.st_uid != 0 || (st.st_mode & 022) != 0) + if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid)) fatal("bad ownership or modes for chroot " "directory %s\"%s\"", cp == NULL ? "" : "component ", component); @@ -1495,6 +1559,13 @@ safely_chroot(const char *path, uid_t ui cp == NULL ? "" : "component ", component); } + setenv ("TZ", "/etc/localtime", 0); + tzset(); + + if (st.st_uid) { + test_nosuid(path, st.st_dev); + ++chroot_no_tree; + } if (chdir(path) == -1) fatal("Unable to chdir to chroot path \"%s\": " Index: b/sftp-chrootenv.h =================================================================== --- /dev/null +++ b/sftp-chrootenv.h @@ -0,0 +1,30 @@ +/* + * Copyright (c) 2009 Jan F Chadima. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef CHROOTENV_H +#define CHROOTENV_H + +extern int chroot_no_tree; + +#endif + Index: b/sftp-common.c =================================================================== --- a/sftp-common.c +++ b/sftp-common.c @@ -48,6 +48,7 @@ #include "sftp.h" #include "sftp-common.h" +#include "sftp-chrootenv.h" /* Clear contents of attributes structure */ void @@ -221,13 +222,13 @@ ls_file(const char *name, const struct s time_t now; strmode(st->st_mode, mode); - if (!remote) { + if (!remote && !chroot_no_tree) { user = user_from_uid(st->st_uid, 0); } else { snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid); user = ubuf; } - if (!remote) { + if (!remote && !chroot_no_tree) { group = group_from_gid(st->st_gid, 0); } else { snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid); Index: b/sftp-server-main.c =================================================================== --- a/sftp-server-main.c +++ b/sftp-server-main.c @@ -22,11 +22,14 @@ #include #include #include +#include #include "log.h" #include "sftp.h" #include "misc.h" +int chroot_no_tree = 0; + void cleanup_exit(int i) { Index: b/sftp.c =================================================================== --- a/sftp.c +++ b/sftp.c @@ -117,6 +117,8 @@ int remote_glob(struct sftp_conn *, cons extern char *__progname; +int chroot_no_tree = 0; + /* Separators for interactive commands */ #define WHITESPACE " \t\r\n" Index: b/sshd_config.0 =================================================================== --- a/sshd_config.0 +++ b/sshd_config.0 @@ -258,6 +258,14 @@ DESCRIPTION (especially those outside the jail). Misconfiguration can lead to unsafe environments which sshd(8) cannot detect. + In the special case when only sftp is used, not ssh nor scp, it + is possible to use ChrootDirectory %h or ChrootDirectory + /some/path/%u. The file system containing this directory must be + mounted with options nodev and either nosuid or noexec. The owner + of the directory should be the user. The ownership of the other + components of the path must fulfill the usual conditions. No adi- + tional files are required to be present in the directory. + The default is not to chroot(2). Ciphers Index: b/sshd_config.5 =================================================================== --- a/sshd_config.5 +++ b/sshd_config.5 @@ -421,6 +421,17 @@ inside the chroot directory on some oper .Xr sftp-server 8 for details). .Pp +In the special case when only sftp is used, not ssh nor scp, +it is possible to use +.Cm ChrootDirectory +%h or +.Cm ChrootDirectory +/some/path/%u. The file system containing this directory must be +mounted with options nodev and either nosuid or noexec. The owner of the +directory should be the user. The ownership of the other components of the path +must fulfill the usual conditions. No aditional files are required to be present +in the directory. +.Pp For safety, it is very important that the directory hierarchy be prevented from modification by other processes on the system (especially those outside the jail).