From 257d66a4fb4febeb8b2aa576d1f801b9c6377a72 Mon Sep 17 00:00:00 2001 From: Jan F. Chadima Date: Sep 07 2009 10:20:22 +0000 Subject: Add check for nosuid, nodev in homechroot --- diff --git a/openssh-5.2p1-homechroot.patch b/openssh-5.2p1-homechroot.patch index 4bc4793..6b3a7a3 100644 --- a/openssh-5.2p1-homechroot.patch +++ b/openssh-5.2p1-homechroot.patch @@ -1,6 +1,6 @@ diff -up /dev/null openssh-5.2p1/chrootenv.h ---- /dev/null 2009-07-23 14:57:23.604046842 +0200 -+++ openssh-5.2p1/chrootenv.h 2009-07-24 07:11:29.000000000 +0200 +--- /dev/null 2009-08-19 20:21:50.796466837 +0200 ++++ openssh-5.2p1/chrootenv.h 2009-08-19 23:22:15.000000000 +0200 @@ -0,0 +1,32 @@ +/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ + @@ -35,8 +35,8 @@ diff -up /dev/null openssh-5.2p1/chrootenv.h +#endif + diff -up openssh-5.2p1/session.c.homechroot openssh-5.2p1/session.c ---- openssh-5.2p1/session.c.homechroot 2009-07-24 07:11:22.000000000 +0200 -+++ openssh-5.2p1/session.c 2009-07-24 07:33:14.000000000 +0200 +--- openssh-5.2p1/session.c.homechroot 2009-08-19 23:22:14.000000000 +0200 ++++ openssh-5.2p1/session.c 2009-08-19 23:22:15.000000000 +0200 @@ -119,6 +119,8 @@ void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); 
@@ -58,7 +58,69 @@ diff -up openssh-5.2p1/session.c.homechroot openssh-5.2p1/session.c #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); -@@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1399,6 +1406,61 @@ do_nologin(struct passwd *pw) + } + + /* ++ * Test if filesystem is mounted nosuid and nodev ++ */ ++ ++static void ++test_nosuid (dev_t fs) ++{ ++ FILE *f; ++ struct stat st; ++ char buf[4096], *s, *on, *mountpoint, *opt; ++ int nodev, nosuid; ++ ++ if (!(f = popen ("/bin/mount", "r"))) ++ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s", ++ __func__, strerror (errno)); ++ for (;;) { ++ s = fgets (buf, sizeof (buf), f); ++ if (ferror (f)) ++ fatal ("%s: read from popen: %s", __func__, ++ strerror (errno)); ++ if (!s) { ++ pclose (f); ++ fatal ("cannot found filesystem with the chroot directory"); ++ } ++ (void) strtok (buf, " "); ++ on = strtok (NULL, " "); ++ if (strcmp (on, "on")) { ++ pclose (f); ++ fatal ("bad format of mount output"); ++ } ++ mountpoint = strtok (NULL, " "); ++ if (stat(mountpoint, &st) != 0) { ++ pclose (f); ++ fatal("%s: stat(\"%s\"): %s", __func__, ++ mountpoint, strerror(errno)); ++ } ++ if (fs != st.st_dev) ++ continue; ++ nodev = nosuid = 0; ++ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) { ++ if (!strcmp (opt, "nodev")) ++ nodev = 1; ++ else if (!strcmp (opt, "nosuid")) ++ nosuid = 1; ++ else if (!strcmp (opt, "noexec")) ++ nosuid = 1; ++ if (nodev && nosuid) { ++ pclose (f); ++ return; ++ } ++ } ++ fatal ("chroot into directory without nodev or nosuid"); ++ } ++} ++ ++/* + * Chroot into a directory after checking it for safety: all path components + * must be root-owned directories with strict permissions. + */ +@@ -1408,6 +1470,7 @@ safely_chroot(const char *path, uid_t ui const char *cp; char component[MAXPATHLEN]; struct stat st; 
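Review bot: In the added `test_nosuid`, the results of `strtok (NULL, " ")` go straight into `strcmp (on, "on")` and `stat(mountpoint, &st)` with no NULL check, so a blank or short line from `/bin/mount` crashes the privileged process instead of reaching `fatal`. The minimal guard is `if (on == NULL || strcmp (on, "on"))`, with the same test on `mountpoint`. The check also rests on text parsed from `popen ("/bin/mount", "r")`: mount points containing spaces are mis-tokenised, a `stat` failure on any unrelated mount listed before the match aborts the session, and the first entry with a matching `st_dev` decides even if that device is mounted elsewhere with different options. Asking the kernel about the chroot path itself with `statvfs()` and testing `f_flag` avoids the shell and the parsing. That means passing the path instead of `st.st_dev`, so the call in `safely_chroot` changes too, and `<sys/statvfs.h>` is needed; `ST_NODEV` and `ST_NOEXEC` are glibc extensions and may need a configure guard.

```c
static void
test_nosuid (const char *path)
{
	struct statvfs vfs;

	if (statvfs (path, &vfs) != 0)
		fatal ("%s: statvfs(\"%s\"): %s", __func__, path,
		    strerror (errno));
	/* noexec is accepted in place of nosuid, as in the mount-output parser */
	if (!(vfs.f_flag & ST_NODEV) ||
	    !(vfs.f_flag & (ST_NOSUID | ST_NOEXEC)))
		fatal ("chroot into directory without nodev or nosuid");
}
```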
@@ -66,7 +128,7 @@ diff -up openssh-5.2p1/session.c.homechroot openssh-5.2p1/session.c if (*path != '/') fatal("chroot path does not begin at root"); -@@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1419,7 +1482,7 @@ safely_chroot(const char *path, uid_t ui * root-owned directory with strict permissions. */ for (cp = path; cp != NULL;) { @@ -75,7 +137,7 @@ diff -up openssh-5.2p1/session.c.homechroot openssh-5.2p1/session.c strlcpy(component, path, sizeof(component)); else { cp++; -@@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui +@@ -1432,14 +1495,20 @@ safely_chroot(const char *path, uid_t ui if (stat(component, &st) != 0) fatal("%s: stat(\"%s\"): %s", __func__, component, strerror(errno)); @@ -87,30 +149,30 @@ diff -up openssh-5.2p1/session.c.homechroot openssh-5.2p1/session.c if (!S_ISDIR(st.st_mode)) fatal("chroot path %s\"%s\" is not a directory", cp == NULL ? "" : "component ", component); -- - } ++ } + setenv ("TZ", "/etc/localtime", 0); + tzset (); -+ -+ if (st.st_uid != uid) + ++ if (st.st_uid) { ++ test_nosuid (st.st_dev); + ++chroot_no_tree; + } if (chdir(path) == -1) - fatal("Unable to chdir to chroot path \"%s\": " -@@ -1451,6 +1463,10 @@ safely_chroot(const char *path, uid_t ui +@@ -1451,6 +1520,10 @@ safely_chroot(const char *path, uid_t ui if (chdir("/") == -1) fatal("%s: chdir(/) after chroot: %s", __func__, strerror(errno)); + + if (access ("/etc/localtime", R_OK) < 0) -+ ++chroot_no_tree; ++ ++chroot_no_tree; + verbose("Changed root directory to \"%s\"", path); } diff -up openssh-5.2p1/sftp.c.homechroot openssh-5.2p1/sftp.c --- openssh-5.2p1/sftp.c.homechroot 2009-02-14 06:26:19.000000000 +0100 -+++ openssh-5.2p1/sftp.c 2009-07-24 07:11:29.000000000 +0200 ++++ openssh-5.2p1/sftp.c 2009-08-19 23:22:15.000000000 +0200 @@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons extern char *__progname; 
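Review bot: The relaxed path after the loop in `safely_chroot` is entered on `if (st.st_uid)`, that is for any non-root owner of the final component, while the sshd_config text added in this commit says the owner should be the user. The ownership test inside the loop is not fully visible in this hunk, so please confirm it already rejects a final component owned by some other uid. If it does not, add an explicit comparison with the `uid` argument before the mount check, for example `if (st.st_uid != 0 && st.st_uid != uid) fatal("chroot directory owned by another user");`. A short comment on the new block saying what `chroot_no_tree` means, and why the mount flags are only checked for non-root-owned directories, would help the next reader.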
@@ -122,7 +184,7 @@ diff -up openssh-5.2p1/sftp.c.homechroot openssh-5.2p1/sftp.c diff -up openssh-5.2p1/sftp-common.c.homechroot openssh-5.2p1/sftp-common.c --- openssh-5.2p1/sftp-common.c.homechroot 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-5.2p1/sftp-common.c 2009-07-24 07:11:29.000000000 +0200 ++++ openssh-5.2p1/sftp-common.c 2009-08-19 23:22:15.000000000 +0200 @@ -40,6 +40,7 @@ #include "xmalloc.h" #include "buffer.h" @@ -149,7 +211,7 @@ diff -up openssh-5.2p1/sftp-common.c.homechroot openssh-5.2p1/sftp-common.c snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid); diff -up openssh-5.2p1/sftp-server-main.c.homechroot openssh-5.2p1/sftp-server-main.c --- openssh-5.2p1/sftp-server-main.c.homechroot 2009-02-21 22:47:02.000000000 +0100 -+++ openssh-5.2p1/sftp-server-main.c 2009-07-24 07:11:29.000000000 +0200 ++++ openssh-5.2p1/sftp-server-main.c 2009-08-19 23:22:15.000000000 +0200 @@ -22,11 +22,14 @@ #include #include 
@@ -165,3 +227,42 @@ diff -up openssh-5.2p1/sftp-server-main.c.homechroot openssh-5.2p1/sftp-server-m void cleanup_exit(int i) { +diff -up openssh-5.2p1/sshd_config.0.homechroot openssh-5.2p1/sshd_config.0 +--- openssh-5.2p1/sshd_config.0.homechroot 2009-08-19 23:22:14.000000000 +0200 ++++ openssh-5.2p1/sshd_config.0 2009-08-19 23:31:26.000000000 +0200 +@@ -112,6 +112,14 @@ DESCRIPTION + essary if the in-process sftp server is used (see Subsystem for + details). + ++ In the special case when only sftp is used, not ssh nor scp, it ++ is possible to use ChrootDirectory %h or ChrootDirectory ++ /some/path/%u. The file system containing this directory must be ++ mounted with options nodev and either nosuid or noexec. The owner ++ of the directory should be the user. The ownership of the other ++ components of the path must fulfill the usual conditions. No adi- ++ tional files are required to be present in the directory. ++ + The default is not to chroot(2). + + Ciphers +diff -up openssh-5.2p1/sshd_config.5.homechroot openssh-5.2p1/sshd_config.5 +--- openssh-5.2p1/sshd_config.5.homechroot 2009-08-19 23:22:14.000000000 +0200 ++++ openssh-5.2p1/sshd_config.5 2009-08-19 23:22:15.000000000 +0200 +@@ -219,6 +219,17 @@ in-process sftp server is used (see + .Cm Subsystem + for details). + .Pp ++In the special case when only sftp is used, not ssh nor scp, ++it is possible to use ++.Cm ChrootDirectory ++%h or ++.Cm ChrootDirectory ++/some/path/%u. The file system containing this directory must be ++mounted with options nodev and either nosuid or noexec. The owner of the ++directory should be the user. The ownership of the other components of the path ++must fulfill the usual conditions. No aditional files are required to be present ++in the directory. ++.Pp + The default is not to + .Xr chroot 2 . + .It Cm Ciphers diff --git a/openssh.spec b/openssh.spec index 33478f2..05c200e 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -63,7 +63,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.2p1 -Release: 23%{?dist}%{?rescue_rel} +Release: 24%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -468,6 +468,9 @@ fi %endif %changelog +* Mon Sep 7 2009 Jan F. Chadima - 5.2p1-24 +- Add check for nosuid, nodev in homechroot + * Tue Sep 1 2009 Jan F. Chadima - 5.2p1-23 - add correct patch for ip-opts