Good Morning All,
Attached is a full patch [or so I hope] enabling chroot support for sshd. I
know varied opinions about chroot exist
among the masses; however, I continue to believe that until something far
outside the scope of openssh tackles the
sandbox issue, the role of enforcer will continue to be with the daemon.
This patch is based on a previous work by John Furman as well as Eric Johnson.
I've been sitting on this for a month or
two and have been running it sucessfully for about the same amount of time.
This patch assumes:
The ~username/chome directory exists with owner uid=root,gid=root [the directory
name is configurable via sshd_config].
A proper jail has been setup underneath.
Unfortunately, syslogin_perform_logout is broken, as I'm not sure how to
handle this [securely] as after the chroot, the
file is no longer accessible.
This patch does work with privilege separation.
This patch requires a binary for scp/sftp-server to be in the proper locations
in each jail as well.
You can chrootAll with exceptions or chroot none with a list of chroot'ed
users.
If your're concerned with scp/sftp only rssh is still your solution.
[http://www.pizzashack.org/rssh]
A web page with the patch is also available:
http://majikal.dyn.dhs.org/projekts/openssh_chroot_patch/
Problems/Complaints/Suggestions/Additions can be sent to me at this address.
Cheers,
nick
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: chroot.patch
Url:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030103/6ef03ef4/attachment.ksh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 250 bytes
Desc: not available
Url :
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030103/6ef03ef4/attachment.bin
