openssh unix dev - Oct 2000 - feature request & patch submit: chroot(2) in sshd

Hello,

whereas most people take passwd/shadow/ldap/<whatever> as the place where 
decision on a chrooted environment / sandbox for certain users is met (just
set the given usershell appropriateley), I needed a somewhat different 
approach. Below is a tiny patch to 2.2.0p1 which enhances the sshd-config
by two options and, when set, places all users / users of a certain group
immediately in their sandbox. Makes configuration and logging/tracking
much more fun than the usershell thing mentioned above, me thinks.

TODO: - parse gid in config as well, not only gidnumber
      - negation of chrootgroup in config desireable, e.g. place alle users
        !0 in a chroot envir.
      - more than one chrootgroup in config desireable
      - combinations of all above should be possible

TODO-MAKE: - as accustomed only to linux,freebsd,sunos/solaris and hpux,
             I do not quite know wether chroot(2) is working on all unices.
             Maybe #ifdefs and ./configure-guessings have to be included.

Regards,

-- 
  Birger T?dtmann
  Network/Security Engineer
  Marcant Internet Services GmbH, Bielefeld, Germany.
  00 83 E2 57 EC 60 0B 1C  D3 18 AE 2A 40 55 81 22
-------------- next part --------------
Only in openssh-2.2.0p1chroot: auth1.c.orig
Common subdirectories: openssh-2.2.0p1/contrib and openssh-2.2.0p1chroot/contrib
Only in openssh-2.2.0p1chroot: enssh-2.2.0p1chroot2.patch
diff --ignore-space-change -u openssh-2.2.0p1/servconf.c
openssh-2.2.0p1chroot/servconf.c
--- openssh-2.2.0p1/servconf.c	Fri Aug 18 05:59:06 2000
+++ openssh-2.2.0p1chroot/servconf.c	Sun Oct 22 18:59:49 2000
@@ -68,6 +68,8 @@
 #endif
 	options->permit_empty_passwd = -1;
 	options->use_login = -1;
+	options->use_chroot = -1;
+	options->chroot_group = -1;
 	options->num_allow_users = 0;
 	options->num_deny_users = 0;
 	options->num_allow_groups = 0;
@@ -158,6 +160,10 @@
 		options->permit_empty_passwd = 0;
 	if (options->use_login == -1)
 		options->use_login = 0;
+	if (options->use_chroot == -1)
+		options->use_chroot = 0;
+	if (options->chroot_group == -1)
+		options->chroot_group = 0;
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
 	if (options->gateway_ports == -1)
@@ -189,6 +195,7 @@
 	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+	sUseChroot, sChrootGroup,
 	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
 	sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
 } ServerOpCodes;
@@ -236,6 +243,8 @@
 	{ "strictmodes", sStrictModes },
 	{ "permitemptypasswords", sEmptyPasswd },
 	{ "uselogin", sUseLogin },
+	{ "usechroot", sUseChroot },
+	{ "chrootgroup", sChrootGroup },
 	{ "randomseed", sRandomSeedFile },
 	{ "keepalive", sKeepAlives },
 	{ "allowusers", sAllowUsers },
@@ -540,6 +549,14 @@
 		case sUseLogin:
 			intptr = &options->use_login;
 			goto parse_flag;
+
+		case sUseChroot:
+			intptr = &options->use_chroot;
+			goto parse_flag;
+
+		case sChrootGroup:
+			intptr = &options->chroot_group;
+			goto parse_int;
 
 		case sGatewayPorts:
 			intptr = &options->gateway_ports;
diff --ignore-space-change -u openssh-2.2.0p1/servconf.h
openssh-2.2.0p1chroot/servconf.h
--- openssh-2.2.0p1/servconf.h	Fri Aug 18 05:59:06 2000
+++ openssh-2.2.0p1chroot/servconf.h	Sun Oct 22 18:59:49 2000
@@ -87,6 +87,9 @@
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     use_login;	/* If true, login(1) is used */
+	int     use_chroot;      /* If true, do a chroot to homedir */
+	int     chroot_group;      /* If nonzero, chroot only when equal 
+				      to gid */
 	unsigned int num_allow_users;
 	char   *allow_users[MAX_ALLOW_USERS];
 	unsigned int num_deny_users;
diff --ignore-space-change -u openssh-2.2.0p1/session.c
openssh-2.2.0p1chroot/session.c
--- openssh-2.2.0p1/session.c	Wed Aug 30 00:21:22 2000
+++ openssh-2.2.0p1chroot/session.c	Sun Oct 22 20:20:57 2000
@@ -947,6 +947,20 @@
 		}
 	}
 #endif /* USE_PAM */
+
+	/* Do a chroot, if configured. */
+	if (options.use_chroot) {
+	  	if ((!options.chroot_group)
+	      			|| (options.chroot_group == pw->pw_gid)) {
+	    		debug("Doing chroot to %s.",pw->pw_dir);
+	    		if (chroot(pw->pw_dir)) {
+	      			log("Requested chroot failed: [%d] %s\n",
+		  		errno,strerror(errno));
+	      			exit(1);
+	    		}
+	    		pw->pw_dir = "/";
+	  	}
+	}
 
 	/* Set login name, uid, gid, and groups. */
 	/* Login(1) does this as well, and it needs uid 0 for the "-h"
Only in openssh-2.2.0p1chroot: session.c~
diff --ignore-space-change -u openssh-2.2.0p1/sshd.8
openssh-2.2.0p1chroot/sshd.8
--- openssh-2.2.0p1/sshd.8	Tue Aug 29 02:33:51 2000
+++ openssh-2.2.0p1chroot/sshd.8	Sun Oct 22 18:59:49 2000
@@ -290,6 +290,15 @@
 Only user names are valid; a numerical user ID isn't recognized.
 By default login is allowed regardless of the user name.
 .Pp
+.It Cm ChrootGroup
+Only useful when
+.Cm UseChroot
+is set to
+.Dq yes . 
+Specifies which group of users
+.Nm sshd
+should drop into a chrooted homedir (a.k.a. sandbox) upon login. 
+Only numerical gid's are allowed.
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
@@ -597,6 +606,12 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Do a chroot(2) into the users homedirectory after successful login.
+If option
+.Cm ChrootGroup
+is not set, this applies for all users. The default is
+.Dq no .
 .It Cm UseLogin
 Specifies whether
 .Xr login 1

On 2000-10-24, Birger Toedtmann <birger at takatukaland.de> wrote:
> Below is a tiny patch to 2.2.0p1 which enhances the sshd-config
> by two options and, when set, places all users / users of a certain group
> immediately in their sandbox.
Cool.  Hm...
> +       /* Do a chroot, if configured. */
> +       if (options.use_chroot) {
> +               if ((!options.chroot_group)
> +                               || (options.chroot_group ==pw->pw_gid))
{
> +                       debug("Doing chroot to
%s.",pw->pw_dir); +
> +                       if (chroot(pw->pw_dir)) {
> +                               log("Requested chroot failed: [%d]
%s\n",
> +                               errno,strerror(errno));
> +                               exit(1);
> +                       }
> +                       pw->pw_dir = "/";
> +               }
> +       }
Aren't you missing a 'chdir("/")' in there?  Else you leak
'.' outside the
chroot jail.  (Unless a chdir is guaranteed to be done between here, and
when user processes get control?)

--
Hank Leininger <hlein at progressive-comp.com>

On 2000-10-29, Birger Toedtmann <birger at takatukaland.de> wrote:
> On Sun, Oct 29, 2000 at 01:52:58AM -0500, Hank Leininger wrote:
> > Aren't you missing a 'chdir("/")' in there? 
Else you leak '.'
> > outside the chroot jail.  (Unless a chdir is guaranteed to be done
> > between here, and when user processes get control?)
> Well, right beneath this code session.c switches uid/gid and then sets
> the environment. $HOME is set to pw->pw_dir (already set to
"/") and
> $HOME/.ssh/environment gets its share. After this, the chdir() is
> made....
Ah.  OK, so there is a chdir() guaranteed.  Although you raise a good
point:
> ...hmmm - do you think one might be able to fool .ssh/environment into
> leaking information about "."?
I'm really not sure.  But for warm-and-fuzzy, obviously-correct behavior,
I'd vote for an explicit chdir(pw->pw_dir) right after pw->pw_dir =
"/" as
you suggest.  Consider the alternative -- we might audit the behavior of
.ssh/environment usage now and deem it safe, only to have others decide
later, for whatever seems like good reasons at the time, to break our
assumptions wrt its safety in the face of things getting reordered, odd
custom shells, forced commands from authorized_keys, scp's, and whatnot. 
Better IMHO to have the fact that it is Done Right localized and hard to
break accidentally by other subtle means.

Hm.  For instance... $HOME/.ssh/environment processing, and then chdir, are
done after dropping privs.  Which the chroot() code itself obviously cannot
be, as one needs to still be e?uid=0 to chroot(2).  What if we are told to
chroot to a directory for which the current user has no execute permission?
The chroot will succeed, but the later chdir will fail--and it will not
"know" that failure has security implications, it will only think that
a
boring erorr has occurred, and the admin is dumb.  Yes, this is a
wetware-bug if it is one at all (and a stretch in general; if one can't
execute '/', not much will work beyond that point, including accessing
$HOME/.ssh/environment =), but this kind of non-obvious consequence is not
good.
> If this could be done you are quite
> right about doing the chdir() right here, so maybe it should look like
> this: 
[snip]
> Alas: I did not manage to get $HOME/.ssh/enviroment into this kind of
> "."- intelligence-gathering, just got me curious. Any suggetions?
Well, if I understand you correctly, a simple test:
$ head -c16 .ssh/authorized_keys ;echo
from="localhost,
$ echo 'HOME=.' >.ssh/environment
$ ssh localhost echo \$HOME