- djm@cvs.openbsd.org 2008/02/08 23:24:07
     [servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
     [sshd_config.5]
     add sshd_config ChrootDirectory option to chroot(2) users to a directory
     and tweak internal sftp server to work with it (no special files in
     chroot required). ok markus@
diff --git a/servconf.c b/servconf.c
index 19c286c..d38d0bf 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.175 2008/01/01 09:27:33 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.176 2008/02/08 23:24:08 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -122,6 +122,7 @@
 	options->permit_tun = -1;
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
+	options->chroot_directory = NULL;
 }
 
 void
@@ -291,7 +292,7 @@
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-	sMatch, sPermitOpen, sForceCommand,
+	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -403,6 +404,7 @@
  	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
+	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1147,6 +1149,7 @@
 	case sBanner:
 		charptr = &options->banner;
 		goto parse_filename;
+
 	/*
 	 * These options can contain %X options expanded at
 	 * connect time, so that you can specify paths like:
@@ -1255,6 +1258,10 @@
 			options->adm_forced_command = xstrdup(cp + len);
 		return 0;
 
+	case sChrootDirectory:
+		charptr = &options->chroot_directory;
+		goto parse_filename;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
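Review bot: The new `case sChrootDirectory:` sends the value through the shared `parse_filename` path, so the directory that will become the user's root is stored like any ordinary file name, with no check at parse time on what form the path takes. `parse_filename` is outside this hunk; if it expands a leading `~` against the daemon's own uid, a value such as `~/jail` would presumably resolve under the daemon's home directory rather than the connecting user's, which is an easy misconfiguration to make. I would either validate the form of the value here or state the contract in a comment, e.g. `/* stored as given; ownership and mode of the path must be checked before chroot(2) at session setup */`, after confirming that check exists in session.c (in this commit's file list but not visible here). The enclosing switch starts and ends outside the hunk.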
@@ -1363,6 +1370,7 @@
 	if (preauth)
 		return;
 	M_CP_STROPT(adm_forced_command);
+	M_CP_STROPT(chroot_directory);
 }
 
 #undef M_CP_INTOPT
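Review bot: `M_CP_STROPT(chroot_directory);` is placed below the `if (preauth) return;` guard without a comment, so the reason a Match-supplied chroot is applied only after authentication has to be inferred from the neighbouring `adm_forced_command` line. A short comment above the two copies would record it, e.g. `/* copied post-auth only: these apply to the authenticated session */`. The macro's definition is outside this hunk; if it copies only non-NULL values, a Match block cannot clear a globally set ChrootDirectory, and that is worth stating in sshd_config.5 so administrators do not assume an exempting Match block lifts the chroot. The function's body starts outside the hunk.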