Date: Mon, 26 Apr 2004 23:40:35 -0700 (PDT)
From: Zoltan Frombach <zoltan@frombach.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/66016: [patch] security/ssh2: extends ChRootUsers and ChRootGroups option. Do not need to list a bunch of users or groups anymore, just list the exceptions instead
Message-ID: <200404270640.i3R6eZ8R021299@www.freebsd.org>
Resent-Message-ID: <200404270650.i3R6oI7p055999@freefall.freebsd.org>
>Number: 66016
>Category: ports
>Synopsis: [patch] security/ssh2: extends ChRootUsers and ChRootGroups option. Do not need to list a bunch of users or groups anymore, just list the exceptions instead
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 26 23:50:18 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Zoltan Frombach
>Release: FreeBSD 5.2.1-RELEASE i386
>Organization: Frombach Inc.
>Environment:
FreeBSD www.frombach.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #8: Sat Mar 27 21:55:56 PST 2004 tss@www.frombach.com:/usr/obj/usr/src/sys/firewall i386
>Description:
[patch] security/ssh2: this patch extends the ChRootUsers and ChRootGroups options that can be used in the sshd2_config file. For example "ChRootGroups !wheel,!0" now chroots every user except users who are members of group 0 (which is the wheel group). No more need to list a bunch of system users and/or system groups in the sshd2_config file! Instead, list the exceptions only! This way you can make sure that even future users and groups that are not created yet, but will be created later in the system, will be chrooted. I think it can be very useful when you allow SFTP for your users, for example. They won't see each other's directories and files.

It is all done in a fully backward compatible way, so if someone does not need this feature he/she does not even have to know about it, and he/she does not need to change their existing sshd2_config file. In my implementation the exclamation mark means the logical NOT. (It's similar to the "DefaultRoot" option in the ProFTPd program.)

Important note: User must specify both the textual and the numeric representation of the desired id, separated by a comma (example: "ChRootGroups !wheel,!0" will work as expected). However, providing just one of them will not work. E.g.: "ChRootGroups !wheel" in itself is not enough, and it will not work. This is due to the way SSH2 is originally written. SSH2 accepts both textual and/or numeric values (they can be mixed together) in a logically OR'ed fashion when these id's are listed. Originally it is always an INCLUSIVE list of id's. However, when using the logical NOT'ed values (made possible by this patch), the user wants to specify id's that should be EXCLUDED from the full list of all system id's. But those NOT'ed values will still be logically OR'ed together by the SSH2 program! Therefore, to make it work as the user expects it to work, the user MUST specify both the textual and the numerical representation of those id's that should be excluded. Only the logical NOT'ed id's (e.g. id's that are starting with the exclamation sign on this list) must be listed both ways (textually and numerically).

I wish I could resolve this minor issue in this patch. However, I did not want to break the existing logic of the SSH2 program for the chroot feature. I also wanted to change the original program as little as possible while implementing this new feature. Most importantly, I did not want to create a patch that would break the existing format of the config file. So I settled with this minor issue: User must list id's to be excluded both ways. It's not that terrible.
>How-To-Repeat:
This is not a problem, it is an improvement!! (In other words, it adds a brand new feature to the original SSH2 program!)
>Fix:
--- patch-apps::ssh::auths-common.c begins here --- --- apps/ssh/auths-common.c.orig Wed Apr 21 18:03:14 2004 +++ apps/ssh/auths-common.c Wed Apr 21 18:13:59 2004 @@ -109,6 +109,9 @@ { SshPatternHolder holder; SshADTHandle handle; + char *tssptr; /* patch made by TSS!! */ + Boolean monce = FALSE; + Boolean nflag = TRUE; for (handle = ssh_adt_enumerate_start(list); handle != SSH_ADT_INVALID; 
@@ -116,12 +119,20 @@ { holder = (SshPatternHolder) ssh_adt_get(list, handle); SSH_ASSERT(holder); - if (ssh_match_string(string, holder->pattern, holder->regex_syntax, + if ((char)*holder->pattern == '!') + { + tssptr = (char*)holder->pattern; + tssptr += sizeof(char); + nflag &= (ssh_match_string(string, tssptr, holder->regex_syntax, + rex_ctx) ? FALSE : TRUE); + monce = TRUE; + } + else if (ssh_match_string(string, holder->pattern, holder->regex_syntax, rex_ctx)) return TRUE; } - - return FALSE; + + return monce & nflag; } /* Helper function to check whether given 'string' or 'number' matches --- patch-apps::ssh::auths-common.c ends here --- >Release-Note: >Audit-Trail: >Unformatted:
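Review bot: in the first hunk (`@@ -109,6 +109,9 @@`) the comment `/* patch made by TSS!! */` on the new `char *tssptr;` line records authorship rather than behaviour; replace it with a comment that states what the three new variables mean (a leading `!` negates a pattern, `monce` records that at least one negated entry was seen, `nflag` accumulates the AND of "no negated entry matched") and consider names such as `neg_pattern`, `saw_negation` and `no_negation_matched`, since right now the semantics can only be recovered by reading the second hunk.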
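Review bot: in the second hunk (`@@ -116,12 +119,20 @@`) the unchanged `return TRUE;` on a positive match means any positive entry overrides every negated entry regardless of list order, so an inclusive entry combined with `!wheel,!0` still chroots the excluded members; either document that negated entries only take effect in a list with no positive match, or evaluate the negated entries first and return FALSE when one matches before testing the positive ones. The "list both `!name` and `!id`" requirement explained in the description comes from the caller below this function (the `'string' or 'number'` helper named in the trailing context) OR-ing two independent calls, and as the description says `!wheel` alone excludes nobody, so at minimum the sshd2_config documentation for ChRootUsers/ChRootGroups needs that rule spelled out. Smaller points: `tssptr += sizeof(char);` is just `holder->pattern + 1` and the `(char)` cast on `*holder->pattern` is a no-op; `return monce & nflag;` should be `monce && nflag` (it works only because the Boolean values are 0/1); and an entry consisting of a bare `!` hands an empty pattern to `ssh_match_string`, which should be rejected when the option is parsed.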
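To make the "list both forms" limitation from the description concrete, here is an added stand-alone model of the patched loop together with the name-OR-number caller it feeds; it is example code written for this page, not the ssh2 sources or the PR's patch, and it assumes plain string equality in place of `ssh_match_string()` and constructed group lists.

```c
/* Added example, not part of the PR: models the patched pattern-list loop and
 * the "string or number" helper that calls it, to show why a negated entry
 * must appear both as "!name" and "!gid" in sshd2_config. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: exact string equality stands in for ssh_match_string(). */
static bool match_one(const char *subject, const char *pattern)
{
    return strcmp(subject, pattern) == 0;
}

/* Same control flow as the patched loop: a positive entry that matches wins
 * immediately; "!" entries are AND-ed and only count if at least one exists. */
static bool list_matches(const char *subject, const char *const *list, int n)
{
    bool saw_negation = false, no_negation_matched = true;
    for (int i = 0; i < n; i++) {
        if (list[i][0] == '!') {
            no_negation_matched = no_negation_matched && !match_one(subject, list[i] + 1);
            saw_negation = true;
        } else if (match_one(subject, list[i])) {
            return true;                 /* positive match overrides everything */
        }
    }
    return saw_negation && no_negation_matched;
}

/* Mirrors the caller below the hunk: the textual id and the numeric id are each
 * run through the list and the two results are OR-ed. */
static bool should_chroot(const char *name, const char *gid,
                          const char *const *list, int n)
{
    return list_matches(name, list, n) || list_matches(gid, list, n);
}

/* Constructed sample ChRootGroups values. */
static const char *const CFG_NAME_ONLY[] = { "!wheel" };
static const char *const CFG_BOTH[]      = { "!wheel", "!0" };

int main(void)
{
    printf("!wheel    : wheel member chrooted = %d\n",
           should_chroot("wheel", "0", CFG_NAME_ONLY, 1));   /* 1: exclusion lost */
    printf("!wheel,!0 : wheel member chrooted = %d\n",
           should_chroot("wheel", "0", CFG_BOTH, 2));        /* 0: as intended */
    printf("!wheel,!0 : other user chrooted   = %d\n",
           should_chroot("users", "100", CFG_BOTH, 2));      /* 1 */
    return 0;
}
```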