# # openssh-4.6p1-sshjail.patch # code by Goncalo Silva # # tar -zxvf openssh-x.xpx.tar.gz # patch -p0 < openssh-x.xpx-sshjail.patch # # More information on http://paradigma.pt/~gngs/sshjail #
--- openssh-4.6p1/session.c 2007-02-19 11:10:25.000000000 +0000
+++ openssh-4.6p1-sshjail/session.c 2007-07-09 22:27:31.000000000 +0100
@@ -88,6 +88,10 @@
 #include "kex.h"
 #include "monitor_wrap.h"
+#define SSHJAIL
+#define CONF "/etc/sshjail.conf"
+#define MAXLINE 512
+
 #if defined(KRB5) && defined(USE_AFS)
 #include
 #endif
@@ -1287,6 +1291,14 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+
+#ifdef SSHJAIL
+ FILE *confile;
+ struct group *grp;
+ char *envchroot=NULL,*username, *mypt, *line;
+ u_short found = 0;
+#endif /* SSHJAIL */
+
 #ifndef HAVE_CYGWIN
 if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
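Review bot: `#define SSHJAIL` is hard-coded into session.c, so the `#ifdef SSHJAIL` guards this patch adds can never be compiled out and the jail cannot be disabled without editing the source; defining it from the build instead (`-DSSHJAIL` in CFLAGS via configure/Makefile) and dropping this line would make the guards meaningful. A comment on the buffer size would also help, since nothing later detects an over-long configuration line: `#define MAXLINE 512 /* sshjail.conf line buffer incl. NUL; fgets() splits longer lines */`.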
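Review bot: Of the four pointers in `char *envchroot=NULL,*username, *mypt, *line;` only `envchroot` is initialised, and `found` is a `u_short` used as a boolean; `char *envchroot = NULL, *username = NULL, *mypt = NULL, *line = NULL;` and `int found = 0;` would be the conventional form and stop correctness depending on every later path assigning them first. Because `SSHJAIL` is defined in this same file, this declaration block is compiled unconditionally. `do_setusercontext` continues past the end of this hunk.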
@@ -1355,6 +1367,71 @@
 do_pam_setcred(0);
 }
 # endif /* USE_PAM */
+
+#ifdef SSHJAIL
+ line = (char *)xmalloc (MAXLINE);
+ if ((confile = fopen(CONF, "r"))!=NULL)
+ {
+ while (!feof(confile) && !found)
+ if (fgets(line,MAXLINE,confile)!=NULL)
+ {
+ if (strstr(line,"chroot=") && line[0]!='#')
+ {
+ envchroot=xstrdup(line+7);
+ envchroot[strlen(envchroot)-1]='\0';
+ }
+
+ else if (strstr(line,"users=") && line[0]!='#')
+ {
+ line += 6;
+ username=strtok_r(line,",",&mypt);
+ while(username)
+ {
+ if (username[strlen(username+1)]=='\n')
+ username[strlen(username+1)]='\0';
+ if (username[0]=='@')
+ {
+ username += 1;
+ if((grp = getgrnam(username))!=NULL)
+ {
+
+ if (grp->gr_gid == pw->pw_gid)
+ {
+ found=1;
+ break;
+ }
+ }
+ }
+
+ else if (!strcmp(pw->pw_name,username))
+ {
+ found=1;
+ break;
+ }
+ username=strtok_r(NULL,",",&mypt);
+ }
+ line -=6;
+ }
+
+ }
+
+ fclose(confile);
+ xfree(line);
+ }
+
+ if (found && envchroot!=NULL)
+ {
+ if(chroot(envchroot)!=0)
+ fatal("Fail to chroot dir %s",envchroot);
+ strcpy(pw->pw_dir,pw->pw_dir+(strlen(envchroot)));
+ if (chdir(pw->pw_dir)!=0)
+ {
+ if (chdir("/")!=0)
+ fatal( "Could not chdir to home directory %s: %s\n",pw->pw_dir, strerror(errno));
+ }
+ xfree(envchroot);
+ }
+#endif /* SSHJAIL */
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
 irix_setusercontext(pw);
 # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
--- openssh-4.6p1/version.h 2007-03-06 10:21:37.000000000 +0000
+++ openssh-4.6p1-sshjail/version.h 2007-04-29 19:00:59.000000000 +0100
@@ -1,6 +1,6 @@
 /* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */
-#define SSH_VERSION "OpenSSH_4.6"
+#define SSH_VERSION "OpenSSH_4.6-sshjail"
 #define SSH_PORTABLE "p1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
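Review bot: The `@group` branch only tests `grp->gr_gid == pw->pw_gid`, so a user who belongs to the group through its `gr_mem` list but has a different primary group is never jailed; two more paths let a listed user in unjailed without any message, since the read loop stops at the first `users=` match and leaves `envchroot` NULL when `chroot=` comes later in the file (`if (found && envchroot!=NULL)` then simply skips the chroot), and a `users=` line longer than MAXLINE is split by `fgets()` so its remainder never matches `strstr(line,"users=")`. A matched user should fail closed with `fatal()` instead. `strcpy(pw->pw_dir,pw->pw_dir+(strlen(envchroot)))` also copies between overlapping buffers, which is undefined behaviour, and when `pw_dir` is shorter than the jail path the source pointer starts past the string's terminator; check the prefix and use `memmove`. The rewrite below needs `char **mem;` next to the other sshjail locals declared in the earlier hunk, and it still does not verify that the jail directory is root-owned and not writable by the user, which presumably needs checking before the chroot can be trusted. `do_setusercontext` begins and ends outside this hunk.
```c
/* … unchanged: fopen(CONF), read loop, chroot= parsing, users= tokenising … */
						if((grp = getgrnam(username))!=NULL)
						{
							/* primary gid or any supplementary member of the group */
							if (grp->gr_gid == pw->pw_gid)
								found=1;
							for (mem = grp->gr_mem; !found && *mem != NULL; mem++)
								if (strcmp(*mem, pw->pw_name) == 0)
									found=1;
							if (found)
								break;
						}
/* … unchanged: literal name match, next token, fclose/xfree … */
	if (found)
	{
		size_t jlen;

		/* fail closed: a listed user must never log in outside a jail */
		if (envchroot == NULL)
			fatal("sshjail: %s is listed in %s but no chroot= precedes it", pw->pw_name, CONF);
		if(chroot(envchroot)!=0)
			fatal("Fail to chroot dir %s",envchroot);
		jlen = strlen(envchroot);
		/* strip the jail prefix only when the home directory really lives under it;
		 * otherwise leave it and let the chdir() below fall back to "/" */
		if (strncmp(pw->pw_dir, envchroot, jlen) == 0 && pw->pw_dir[jlen] == '/')
			memmove(pw->pw_dir, pw->pw_dir + jlen, strlen(pw->pw_dir + jlen) + 1);
/* … unchanged: chdir(pw->pw_dir), fallback chdir("/"), xfree(envchroot) … */
```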