From owner-freebsd-questions Fri Jun 1 15:21:29 2001 Delivered-To: freebsd-questions@freebsd.org Received: from gscamnlm03.wr.usgs.gov (gscamnlm03.wr.usgs.gov [130.118.4.113]) by hub.freebsd.org (Postfix) with ESMTP id 4C77137B43C; Fri, 1 Jun 2001 15:21:24 -0700 (PDT) (envelope-from rsowders@usgs.gov) To: Kris Kennaway Cc: freebsd-questions@FreeBSD.ORG, owner-freebsd-questions@FreeBSD.ORG, Rob Simmons MIME-Version: 1.0 X-Mailer: Lotus Notes Release 5.0.7 March 21, 2001 Message-ID: From: "Robert L Sowders" Date: Fri, 1 Jun 2001 15:21:10 -0700 Subject: Re: chroot for sftp X-MIMETrack: Serialize by Router on gscamnlm03/SERVER/USGS/DOI(Release 5.0.7 |March 21, 2001) at 06/01/2001 03:21:23 PM Content-Type: multipart/mixed; boundary="=_mixed 007B26BE88256A5E_=" Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

Here is a diff to chroot ssh sessions, from the contrib directory of the openssh distribution. Since the sftp session is handed off by the sshd process it should work, but all ssh sessions for the user would be chrooted. Maybe you could modify it to suit your purposes.

-------------------------------------------------------------------------
From: Ricardo Cerqueira

A patch to cause sshd to chroot when it encounters the magic token '/./' in a user's home directory. The directory portion before the token is the directory to chroot() to, the portion after the token is the user's home directory relative to the new root.

Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.4 diff -u -r1.4 session.c --- session.c 2000/04/16 02:31:51 1.4 +++ session.c 2000/04/16 02:47:55 @@ -27,6 +27,8 @@ #include "ssh2.h" #include "auth.h" +#define CHROOT + /* types */ #define TTYSZ 64 
@@ -783,6 +785,10 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifndef USE_PAM /* pam_nologin handles this */ f = fopen("/etc/nologin", "r"); 
@@ -799,6 +805,26 @@ /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); + +#ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if(strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +#endif /* CHROOT */ /* Set uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h"

Kris Kennaway Sent by: owner-freebsd-questions@FreeBSD.ORG 05/31/2001 07:11 PM To: Rob Simmons cc: freebsd-questions@FreeBSD.ORG Subject: Re: chroot for sftp

On Thu, May 31, 2001 at 06:46:28PM -0400, Rob Simmons wrote:
> Is there a way to chroot regular users when they login via sftp? I didn't
> see a login.conf option for this. I'm looking for the same effect as
> adding the user to /etc/ftpchroot with standard ftp.

I don't think so, although there might be in newer releases now that OpenBSD have adopted a login.conf system.

Kris
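Review bot: the `+#define CHROOT` dropped in unconditionally after the includes in the first hunk hard-wires the feature into every build of session.c, so it cannot be switched off short of editing the source again. Make it a build-time option set from configure/config.h or, better, an sshd_config keyword, so an administrator enables chrooting deliberately and can tell from configuration alone whether it is active on a given host.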
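Review bot: the `chroot(user_dir)` call in the third hunk is not followed by a `chdir()`, so the process keeps a working directory that lies outside the new root until whatever later `chdir(pw->pw_dir)` runs, and if that later call fails the session continues with a cwd the chroot does not cover; chroot(2) needs an immediate `chdir("/")` for the new root to be effective, so add one right after the successful `chroot()` and fail with `fatal()` if it does not succeed, exactly as the chroot failure is handled. Two smaller points in the same hunk: the scan starts at `user_dir + 1`, which steps past the terminator when `pw->pw_dir` is the empty string, so check the length first or start at `user_dir`; and nothing checks that the chroot target is owned by root and not writable by the user before calling `chroot()`, which is the usual precondition for a chroot boundary to hold. For the sftp case in the original question, the sftp-server binary named in the Subsystem line, plus any shared libraries it needs, must exist under the new root, since this code runs before the uid is dropped and the subsystem is started. Finally, `xstrdup()` allocates `user_dir` and `pw->pw_dir` is pointed into it with no `free()`; that is acceptable in a per-session child that soon execs, but a comment saying so would save the next reader a leak hunt.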