
Bug#624248: openssh-server: allow %g (group) pattern in ChrootDirectory directive



Package: openssh-server
Version: 1:5.5p1-6
Severity: wishlist
Tags: patch

(I file this here because I can't find an issue tracker on
openssh.org...)

I would like to make it possible to chroot users into their "group home"
instead of their own home. It's a rather specific requirement, but it
would be very useful in our case, where we want to allow multiple SFTP
chrooted users to access the same data, something that's currently very
hard to do.

The patch would be quite simple to do, but I am really rusty with C so
this shouldn't be merged in without proper testing and review.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.36.1         Debian configuration management sy
ii  dpkg                    1.15.8.10        Debian package management system
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.3+dfsg-4     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-6.1        Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-6.1        Runtime support for the PAM librar
ii  libpam0g                1.1.1-6.1        Pluggable Authentication Modules l
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8o-4squeeze1 SSL shared libraries
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-6        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-9        /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-9 under X, asks user for a passphras
pn  ufw                          <none>      (no description available)

-- Configuration Files:
/etc/pam.d/sshd changed [not included]

-- debconf information excluded
--- session.c.orig	2011-04-26 16:28:17.000000000 -0400
+++ session.c	2011-04-26 16:37:00.000000000 -0400
@@ -1564,16 +1564,21 @@
 		ssh_selinux_setup_exec_context(pw->pw_name);
 #endif
 
+        {
+            struct group *primary_group;
+            primary_group = getgrgid(pw->pw_gid);
+
 		if (options.chroot_directory != NULL &&
 		    strcasecmp(options.chroot_directory, "none") != 0) {
                         tmp = tilde_expand_filename(options.chroot_directory,
 			    pw->pw_uid);
 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
-			    "u", pw->pw_name, (char *)NULL);
+			    "u", pw->pw_name, "g", primary_group->gr_name, (char *)NULL);
 			safely_chroot(chroot_path, pw->pw_uid);
 			free(tmp);
 			free(chroot_path);
 		}
+        }
 
 #ifdef HAVE_LOGIN_CAP
 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
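Review bot: getgrgid() in the added block can return NULL (a primary GID with no entry in the group database, or an NSS lookup failure), and the later `"g", primary_group->gr_name` dereferences the result unconditionally, so a user whose primary group cannot be resolved would crash sshd's session setup rather than be refused cleanly; test the result and fail closed before the expansion, e.g. `if (primary_group == NULL) fatal("Cannot resolve primary group for user %s", pw->pw_name);`. The lookup is also performed on every session even when ChrootDirectory is unset, so it belongs inside the existing `if` next to the only use of `primary_group`. Style-wise, the new lines are indented with spaces where the surrounding code uses tabs, and the new `%g` token needs a matching addition to the ChrootDirectory description in sshd_config(5).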
