Original patch by Ricardo Cerqueira Updated by James Dennis for OpenSSH-4.2p1 A patch to cause sshd to chroot when it encounters the magic token '/./' in a users home directory. The directory portion before the token is the directory to chroot() to, the portion after the token is the user's home directory relative to the new root. Patch source using: patch -p0 < /path/to/patch Systems with a bad diff (doesn't understand -u or -N) should use gnu diff. Solaris may store this as gdiff under /opt/sfw/bin. I can't say much about other systems (unless you email me your experiences!). ================================================================================
diff -ruN openssh-4.2p1/session.c openssh-4.2p1-chroot/session.c
--- openssh-4.2p1/session.c 2005-08-31 09:59:49.000000000 -0700
+++ openssh-4.2p1-chroot/session.c 2005-09-01 10:45:07.000000000 -0700
@@ -59,6 +59,8 @@
 #include "kex.h"
 #include "monitor_wrap.h"
+#define CHROOT
+
 #if defined(KRB5) && defined(USE_AFS)
 #include
 #endif
@@ -1260,6 +1262,11 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
+
 #ifndef HAVE_CYGWIN
 if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1317,6 +1324,27 @@
 restore_uid();
 }
 #endif
+
+#ifdef CHROOT
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
+ while((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
+ if(strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
+ if(chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user's directory %s", user_dir);
+ pw->pw_dir = new_root;
+ break;
+ }
+
+ new_root += 2;
+ }
+#endif /* CHROOT */
+
 # ifdef USE_PAM
 /*
 * PAM credentials may take the form of supplementary groups.
diff -ruN openssh-4.2p1/version.h openssh-4.2p1-chroot/version.h
--- openssh-4.2p1/version.h 2005-08-31 02:47:07.000000000 -0700
+++ openssh-4.2p1-chroot/version.h 2005-09-01 10:51:49.000000000 -0700
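Review bot: The chroot(user_dir) call in the CHROOT block has no matching chdir(), so when chroot() returns the child's working directory is still a directory outside the new root; a chroot without an immediate chdir depends entirely on whatever later moves the cwd inside, and a later chdir into pw->pw_dir that fails would leave the process able to reach the old tree through `.`. Add `if (chdir("/") != 0) fatal("Couldn't chdir to / after chroot");` directly after the chroot succeeds, before pw->pw_dir is rewritten. The xstrdup'd user_dir is never freed, and must not be, because pw->pw_dir is pointed into the same buffer; a comment such as `/* user_dir is kept alive on purpose: pw->pw_dir now aliases into it */` would stop a future cleanup from freeing it. The scan also starts at user_dir + 1, which steps past the terminator when pw_dir is the empty string; guarding the block with `if (*user_dir != '\0')` avoids that read. do_setusercontext starts and ends outside this hunk, so the ordering of the chroot relative to the uid drop cannot be confirmed from here.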
@@ -1,6 +1,6 @@
 /* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
-#define SSH_VERSION "OpenSSH_4.2"
+#define SSH_VERSION "OpenSSH_4.2-chrootssh"
 #define SSH_PORTABLE "p1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE