I have a use for sftp to run in a chroot jail. Since sftp doesn't quite work properly for that, I did the work to make it function like that. This required two different changes: sftpsh is a replacement for nologin. It works like nologin except under certain circumstances -- where it will start up sftp-server. The other part was to add an option to sftp-server. the '-c' option causes sftp-server to chroot(".");chdir("/"); (the latter being to avoid chroot hole problems). It's been a while since I've done anything security-critical, so PLEASE feel free to audit/critique my code. The changes for sftp-server.c and sftp-server.8 are as follows: ==================================================================RCS file: RCS/sftp-server.c,v retrieving revision 1.38 diff -u -r1.38 sftp-server.c --- sftp-server.c 2002/11/10 22:56:08 1.38 +++ sftp-server.c 2002/11/11 04:01:02 @@ -1058,6 +1058,11 @@ ssize_t len, olen, set_size; /* XXX should use getopt */ + if(ac == 2 && strcmp(av[1],"-c") == 0 ){ + chroot("."); + chdir("/"); /* get rid of '.' chroot hole */ + setuid(getuid()); + }; __progname = get_progname(av[0]); handle_init(); ====================================================================================================================================RCS file: RCS/sftp-server.8,v retrieving revision 1.1 diff -u -r1.1 sftp-server.8 --- sftp-server.8 2002/11/10 23:17:06 1.1 +++ sftp-server.8 2002/11/10 23:35:44 @@ -43,6 +43,10 @@ See .Xr sshd 8 for more information. +.Sh OPTIONS +.Bl -tag -width CC +.It Fl c +chroot jail: (do a chroot and setuid(getuid()) when starting) .Sh SEE ALSO .Xr sftp 1 , .Xr ssh 1 , ================================================================== sftpsh.c is attached (83 lines including copyright) Notes: sftpsh needs to be installed setuid. I don't have install scripts for it. The location of sftp-server is hardwired into sftpsh.c . sftpsh.c uses /proc/ppid/cmdline to check the name and pid of it's parent No docs for sftpsh.c Conditions for sftpsh calling sftp-server: Parent process is sshd, and is uid-root. parameters are: "-c /usr/libexec/sshd/sshd-server" If sftp-server doesn't cooperate, you end up with a (potential) remote root exploit. Perhaps instead of checking for a parameter of '-c' I should just check for euid==0? -- Stephen Samuel +1(604)876-0426 samuel at bcgreen.com http://www.bcgreen.com/~samuel/ Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: sftpsh.c Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021110/882386af/attachment.c