# # openssh-4.2p1-sshjail.patch # code by Gonçalo Silva # # tar -zxvf openssh-x.xpx.tar.gz # patch -p0 < openssh-x.xpx-sshjail.patch # # More information on http://paradigma.pt/~gngs/sshjail #
--- openssh-4.2p1/session.c 2005-08-31 17:59:49.000000000 +0100
+++ openssh-4.2p1-sshjail/session.c 2005-11-15 19:45:59.152441984 +0000
@@ -59,6 +59,10 @@
 #include "kex.h"
 #include "monitor_wrap.h"
+#define SSHJAIL
+#define CONF "/etc/sshjail.conf"
+#define MAXLINE 512
+
 #if defined(KRB5) && defined(USE_AFS)
 #include
 #endif
@@ -1260,6 +1264,14 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+
+#ifdef SSHJAIL
+ FILE *confile;
+ struct group *grp;
+ char *envchroot='\0', *username, *mypt, *line;
+ u_short found = 0;
+#endif /* SSHJAIL */
+
 #ifndef HAVE_CYGWIN
 if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1317,6 +1329,7 @@
 restore_uid();
 }
 #endif
+
 # ifdef USE_PAM
 /*
 * PAM credentials may take the form of supplementary groups.
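Review bot: `char *envchroot='\0', *username, *mypt, *line;` initialises a pointer from a character constant; it is a valid null pointer constant, but it reads like an empty string and obscures that `envchroot` may still be NULL when the rest of the function tests `*envchroot` (that test is in a later hunk of this patch). Spell it `char *envchroot = NULL, *username = NULL, *mypt = NULL, *line = NULL;` so the NULL case is visible to whoever reads the test below, and `int found = 0;` is the plainer choice for a boolean flag than `u_short`. The body of do_setusercontext continues past this hunk.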
@@ -1328,6 +1341,68 @@
 do_pam_setcred(0);
 }
 # endif /* USE_PAM */
+
+#ifdef SSHJAIL
+ line = (char *)xmalloc (MAXLINE);
+ if ((confile = fopen(CONF, "r")) != NULL)
+ {
+ while (!feof(confile) && !found)
+ if (fgets(line,MAXLINE,confile)!=NULL)
+ {
+ if (strstr(line,"chroot=") && line[0]!='#')
+ {
+ envchroot=xstrdup(line+7);
+ envchroot[strlen(envchroot)-1]='\0';
+ }
+
+ else if (strstr(line,"users=") && line[0]!='#')
+ {
+ line += 6;
+ username=strtok_r(line,",",&mypt);
+ while(username)
+ {
+ if (username[strlen(username+1)]=='\n')
+ username[strlen(username+1)]='\0';
+ if (username[0]=='@')
+ {
+ username += 1;
+ if((grp = getgrnam(username))!= NULL)
+ {
+
+ if (grp->gr_gid == pw->pw_gid)
+ {
+ found=1;
+ break;
+ }
+ }
+ }
+
+ else if (!strcmp(pw->pw_name,username))
+ {
+ found=1;
+ break;
+ }
+ username=strtok_r(NULL,",",&mypt);
+ }
+ line -=6;
+ }
+
+ }
+
+ fclose(confile);
+ xfree(line);
+ }
+
+ if (found && *envchroot!='\0')
+ {
+ if(chroot(envchroot) != 0)
+ fatal("Fail to chroot dir %s",envchroot);
+ strcpy(pw->pw_dir,pw->pw_dir+(strlen(envchroot)));
+ xfree(envchroot);
+ }
+#endif /* SSHJAIL */
+
+
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
 irix_setusercontext(pw);
 # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
--- openssh-4.2p1/version.h 2005-08-31 10:47:07.000000000 +0100
+++ openssh-4.2p1-sshjail/version.h 2005-11-11 02:35:47.000000000 +0000
@@ -1,6 +1,6 @@
 /* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
-#define SSH_VERSION "OpenSSH_4.2"
+#define SSH_VERSION "OpenSSH_4.2-sshjail"
 #define SSH_PORTABLE "p1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
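Review bot: `if (found && *envchroot!='\0')` dereferences `envchroot` even when no `chroot=` line was read, and the earlier hunk initialises it to the null pointer constant `'\0'`, so a config that lists the user but no chroot directory, or lists the `users=` line before the `chroot=` line, takes sshd down with a NULL dereference instead of failing closed. The `strcpy(pw->pw_dir,pw->pw_dir+(strlen(envchroot)))` that follows copies between overlapping buffers, which is undefined behaviour, and it never checks that `pw->pw_dir` actually begins with `envchroot`, so a home directory outside the jail is silently turned into an unrelated path, and one shorter than the chroot path is read past its end. There is also no `chdir("/")` after `chroot()`; the later chdir to the home directory happens outside this hunk and, if it fails there, the process presumably keeps a working directory outside the new root. I would rewrite the chroot block as below; independently of the code, the `chroot=` directory should be root-owned and not writable by the jailed user, which this patch does not and cannot easily check on the administrator's behalf. do_setusercontext begins and ends outside this hunk.
```c
/* … unchanged: /etc/sshjail.conf parsing loop … */
	if (found && envchroot != NULL && *envchroot != '\0')
	{
		size_t clen = strlen(envchroot);

		if (chroot(envchroot) != 0)
			fatal("Fail to chroot dir %s", envchroot);
		/* Do not leave the working directory outside the new root. */
		if (chdir("/") != 0)
			fatal("Fail to chdir / after chroot to %s", envchroot);
		/* Only strip the prefix when the home really lives under the jail. */
		if (strncmp(pw->pw_dir, envchroot, clen) != 0)
			fatal("Home directory %s is not inside chroot %s", pw->pw_dir, envchroot);
		/* memmove: source and destination overlap. */
		memmove(pw->pw_dir, pw->pw_dir + clen, strlen(pw->pw_dir + clen) + 1);
		xfree(envchroot);
	}
```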