![](https://seccdn.libravatar.org/avatar/e2145bc5cf53dda95c308a3c75e8fef3.jpg?s=120&d=mm&r=g)
Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at Fri Aug 28 00:21:49 CEST 2009. -------- --- openssh/openssh.changes 2009-07-12 21:43:48.000000000 +0200 +++ openssh/openssh.changes 2009-08-20 17:04:38.000000000 +0200 @@ -1,0 +2,6 @@ +Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz + +- make sftp in chroot users life easier (ie. bnc#518238), + many thanks jchadima@redhat.com for a patch + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- openssh-5.2p1-homechroot.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.oOOxMH/_old 2009-08-28 00:20:22.000000000 +0200 +++ /var/tmp/diff_new_pack.oOOxMH/_new 2009-08-28 00:20:22.000000000 +0200 @@ -23,7 +23,7 @@ License: BSD 3-clause (or similar) Group: Productivity/Networking/SSH Version: 5.2p1 -Release: 6 +Release: 7 Requires: openssh = %{version} openssh-askpass = %{version} AutoReqProv: on Summary: A GNOME-Based Passphrase Dialog for OpenSSH ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.oOOxMH/_old 2009-08-28 00:20:22.000000000 +0200 +++ /var/tmp/diff_new_pack.oOOxMH/_new 2009-08-28 00:20:22.000000000 +0200 @@ -38,7 +38,7 @@ Conflicts: nonfreessh AutoReqProv: on Version: 5.2p1 -Release: 6 +Release: 7 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) Url: http://www.openssh.com/ @@ -71,6 +71,7 @@ Patch45: %{name}-%{version}-pts.diff Patch46: %{name}-%{version}-pam-fix4.diff Patch48: %{name}-%{version}-forwards.diff +Patch49: %{name}-%{version}-homechroot.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %package askpass @@ -162,6 +163,7 @@ %patch45 %patch46 -p1 %patch48 +%patch49 -p1 cp -v %{SOURCE4} . cp -v %{SOURCE6} . cd ../x11-ssh-askpass-%{xversion} ++++++ openssh-5.2p1-homechroot.patch ++++++ +++ openssh-5.2p1/chrootenv.h +++ openssh-5.2p1/chrootenv.h @@ -0,0 +1,32 @@ +/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ + +/* + * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef CHROOTENV_H +#define CHROOTENV_H + +extern int chroot_no_tree; + +#endif + --- openssh-5.2p1/session.c +++ openssh-5.2p1/session.c 2009-07-24 07:33:14.000000000 +0200 @@ -119,6 +119,8 @@ void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); +int chroot_no_tree = 0; + static void do_authenticated1(Authctxt *); static void do_authenticated2(Authctxt *); @@ -802,6 +804,11 @@ do_exec(Session *s, const char *command) debug("Forced command (key option) '%.900s'", command); } + if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) { + logit("You aren't welcomed, go away!"); + exit (1); + } + #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); @@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui const char *cp; char component[MAXPATHLEN]; struct stat st; + int last; if (*path != '/') fatal("chroot path does not begin at root"); @@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui * root-owned directory with strict permissions. */ for (cp = path; cp != NULL;) { - if ((cp = strchr(cp, '/')) == NULL) + if (((last = ((cp = strchr(cp, '/')) == NULL)))) strlcpy(component, path, sizeof(component)); else { cp++; @@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui if (stat(component, &st) != 0) fatal("%s: stat(\"%s\"): %s", __func__, component, strerror(errno)); - if (st.st_uid != 0 || (st.st_mode & 022) != 0) + if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid)) fatal("bad ownership or modes for chroot " "directory %s\"%s\"", cp == NULL ? "" : "component ", component); if (!S_ISDIR(st.st_mode)) fatal("chroot path %s\"%s\" is not a directory", cp == NULL ? "" : "component ", component); - } + setenv ("TZ", "/etc/localtime", 0); + tzset (); + + if (st.st_uid != uid) + ++chroot_no_tree; if (chdir(path) == -1) fatal("Unable to chdir to chroot path \"%s\": " @@ -1451,6 +1463,10 @@ safely_chroot(const char *path, uid_t ui if (chdir("/") == -1) fatal("%s: chdir(/) after chroot: %s", __func__, strerror(errno)); + + if (access ("/etc/localtime", R_OK) < 0) + ++chroot_no_tree; + verbose("Changed root directory to \"%s\"", path); } --- openssh-5.2p1/sftp.c +++ openssh-5.2p1/sftp.c @@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons extern char *__progname; +int chroot_no_tree = 0; + /* Separators for interactive commands */ #define WHITESPACE " \t\r\n" --- openssh-5.2p1/sftp-common.c +++ openssh-5.2p1/sftp-common.c @@ -40,6 +40,7 @@ #include "xmalloc.h" #include "buffer.h" #include "log.h" +#include "chrootenv.h" #include "sftp.h" #include "sftp-common.h" @@ -194,13 +195,13 @@ ls_file(const char *name, const struct s char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1]; strmode(st->st_mode, mode); - if (!remote && (pw = getpwuid(st->st_uid)) != NULL) { + if (!remote && !chroot_no_tree && (pw = getpwuid(st->st_uid)) != NULL) { user = pw->pw_name; } else { snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid); user = ubuf; } - if (!remote && (gr = getgrgid(st->st_gid)) != NULL) { + if (!remote && !chroot_no_tree && (gr = getgrgid(st->st_gid)) != NULL) { group = gr->gr_name; } else { snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid); --- openssh-5.2p1/sftp-server-main.c +++ openssh-5.2p1/sftp-server-main.c @@ -22,11 +22,14 @@ #include <stdarg.h> #include <stdio.h> #include <unistd.h> +#include <time.h> #include "log.h" #include "sftp.h" #include "misc.h" +int chroot_no_tree = 0; + void cleanup_exit(int i) { ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org