This is the patch part of contrib/chroot.diff updated to be appliable against openssh-2.9p2. Tested on FreeBSD (various 3.x and 4.x) without PAM or UseLogin. Also, as part of deployment (replacing emergency-withdrawal of Telnet access) I've chosen to get sftp on the relevant boxes. The deployment had a scriptlet doing the config/make/etc and after the "make install" would change Makefile to tack " -static" onto LDFLAGS and set EXEEXT=.static -- this binary, installed stripped inside the chroot'd environment, appears to work gorgeously. :^) Thanks for the hard work on OpenSSH.
-----------------------------< cut here >-------------------------------
--- session.c.orig Sun Jun 17 05:40:51 2001
+++ session.c Fri Jul 20 01:40:33 2001
@@ -93,6 +93,9 @@
 # include <uinfo.h>
 #endif
 
+/* support /./ in homedir */
+#define DOT_CHROOT
+
 /* types */
 #define TTYSZ 64
 
@@ -1037,6 +1040,10 @@
 extern char **environ;
 struct stat st;
 char *argv[10];
+#ifdef DOT_CHROOT
+ char *user_dir;
+ char *new_root;
+#endif
 int do_xauth = s->auth_proto != NULL && s->auth_data != NULL;
 #ifdef WITH_IRIX_PROJECT
 prid_t projid;
@@ -1093,6 +1100,25 @@
 # ifdef HAVE_GETUSERATTR
 set_limits_from_userattr(pw->pw_name);
 # endif /* HAVE_GETUSERATTR */
+# ifdef DOT_CHROOT
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
+ while((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
+ if(strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
+ if(chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user directory %s", user_dir);
+
+ pw->pw_dir = new_root;
+ break;
+ }
+ new_root += 2;
+ }
+# endif /* DOT_CHROOT */
 # ifdef HAVE_LOGIN_CAP
 if (setusercontext(lc, pw, pw->pw_uid,
 (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
-----------------------------< cut here >-------------------------------
-- 
Civilisation: where they cut down the trees and name streets after them.
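Review bot: `chroot(user_dir)` in the third hunk's DOT_CHROOT block is not followed by a `chdir()`, so the process keeps a working directory that lies outside the new root; if this is the usual session.c flow, the only later `chdir(pw->pw_dir)` in do_child warns and continues on failure rather than aborting, so the jail is not reliably sealed at the point it is created. Change the call to `if (chroot(user_dir) != 0 || chdir("/") != 0)` / `fatal("Couldn't chroot to user directory %s", user_dir);` so the root and the working directory move together. Two smaller points on the same block: `new_root = user_dir + 1` makes `strchr` read past the terminator when pw->pw_dir is the empty string, so an `if (*user_dir == '\0')` guard before the loop is wanted; and nothing checks that the chroot target is owned by root and not writable by the user, which is the usual precondition for a chroot to isolate anything and deserves at least a comment, `/* NOTE: caller must ensure user_dir is root-owned and not user-writable */`. The enclosing function (do_child, judging by the `extern char **environ` and `argv[10]` declarations in the second hunk) starts and ends outside the hunk.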