I have a use for sftp to run in a chroot jail.
Since sftp doesn't quite work properly for that, I did the
work to make it function like that.
This required two different changes:
sftpsh is a replacement for nologin. It
works like nologin except under certain circumstances --
where it will start up sftp-server.
The other part was to add an option to sftp-server.
the '-c' option causes sftp-server to
chroot(".");chdir("/");
(the latter being to avoid chroot hole problems).
It's been a while since I've done anything security-critical,
so PLEASE feel free to audit/critique my code.
The changes for sftp-server.c and sftp-server.8 are as follows:
==================================================================RCS file:
RCS/sftp-server.c,v
retrieving revision 1.38
diff -u -r1.38 sftp-server.c
--- sftp-server.c 2002/11/10 22:56:08 1.38
+++ sftp-server.c 2002/11/11 04:01:02
@@ -1058,6 +1058,11 @@
ssize_t len, olen, set_size;
/* XXX should use getopt */
+ if(ac == 2 && strcmp(av[1],"-c") == 0 ){
+ chroot(".");
+ chdir("/"); /* get rid of '.' chroot hole */
+ setuid(getuid());
+ };
__progname = get_progname(av[0]);
handle_init();
====================================================================================================================================RCS
file: RCS/sftp-server.8,v
retrieving revision 1.1
diff -u -r1.1 sftp-server.8
--- sftp-server.8 2002/11/10 23:17:06 1.1
+++ sftp-server.8 2002/11/10 23:35:44
@@ -43,6 +43,10 @@
See
.Xr sshd 8
for more information.
+.Sh OPTIONS
+.Bl -tag -width CC
+.It Fl c
+chroot jail: (do a chroot and setuid(getuid()) when starting)
.Sh SEE ALSO
.Xr sftp 1 ,
.Xr ssh 1 ,
==================================================================
sftpsh.c is attached (83 lines including copyright)
Notes:
sftpsh needs to be installed setuid.
I don't have install scripts for it.
The location of sftp-server is hardwired into sftpsh.c .
sftpsh.c uses /proc/ppid/cmdline to check the name and pid of it's parent
No docs for sftpsh.c
Conditions for sftpsh calling sftp-server:
Parent process is sshd, and is uid-root.
parameters are: "-c /usr/libexec/sshd/sshd-server"
If sftp-server doesn't cooperate, you end up with a (potential) remote root
exploit.
Perhaps instead of checking for a parameter of '-c' I should just check
for euid==0?
--
Stephen Samuel +1(604)876-0426 samuel at bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sftpsh.c
Url:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021110/882386af/attachment.c
