--cNdxnHkX5QqsyA0e
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

I made some changes [as attached].

For some reason i did not receive Darren Tucker mail, saw his mail at archive
searching for other problem.

well.. that's it


On Sat, Sep 01, 2007 at 05:22:11PM -0300, Bruno Cesar Ribas wrote:
> Hi,
>
> I made this simple path to make sftp-server restricted to a basepath!
>
> This was done because use sshfs [wich base is sftp-server] to allow people
> access medias [ cdrom,dvdrom, floppy, usb] from x-terms.
>
> Those x-terms [ diskless] does not have all users, so we share a single user
> and a DSA empty passphrase, with some acl scipts at .ssh/authorized keys.
>
> Main usage of this patch is to NOT allow a user who mounted a floppy access
> other mounted media from another user.
>
> Usage:
> sftp-server -b
>
> My page includes this path: http://www.inf.ufpr.br/ribas/sshfs_help/
>
> And it is attached too.
>
> Thanks for atention
>
> Bruno Ribas
> --
> Bruno Ribas - ribas@c3sl.ufpr.br
> http://web.inf.ufpr.br/ribas
> C3SL: http://www.c3sl.ufpr.br



> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/li...enssh-unix-dev



--
Bruno Ribas - ribas@c3sl.ufpr.br
http://web.inf.ufpr.br/ribas
C3SL: http://www.c3sl.ufpr.br

--cNdxnHkX5QqsyA0e
Content-Type: text/x-diff; charset=utf-8
Content-Disposition: attachment; filename="sftp-server.c.patch"

--- openssh-4.6p1.orig/openssh-4.6p1/sftp-server.c 2007-01-05 03:31:03.000000000 -0200
+++ openssh-4.6p1/sftp-server.c 2007-09-03 16:51:25.897032669 -0300
@@ -53,6 +53,10 @@
/* Our verbosity */
LogLevel log_level = SYSLOG_LEVEL_ERROR;

+/* Our basepath */
+char *basepath="/";
+int basepathlen=1;
+
/* Our client */
struct passwd *pw = NULL;
char *client_addr = NULL;
@@ -803,6 +807,7 @@
process_opendir(void)
{
DIR *dirp = NULL;
+ char resolvedname[MAXPATHLEN];
char *path;
int handle, status = SSH2_FX_FAILURE;
u_int32_t id;
@@ -811,19 +816,29 @@
path = get_string(NULL);
debug3("request %u: opendir", id);
logit("opendir \"%s\"", path);
- dirp = opendir(path);
- if (dirp == NULL) {
- status = errno_to_portable(errno);
+
+ if (realpath(path, resolvedname) == NULL) {
+ status=errno_to_portable(errno);
+ }else if(strncmp(basepath,resolvedname,basepathlen)!=0) {
+ logit("opendir \"%s\" out of \"%s\"",path,basepath);
+ status=errno_to_portable(EACCES);
} else {
- handle = handle_new(HANDLE_DIR, path, 0, dirp);
- if (handle < 0) {
- closedir(dirp);
+ logit("opendir: access to \"%s\" granted",path);
+ dirp = opendir(path);
+
+ if (dirp == NULL) {
+ status = errno_to_portable(errno);
} else {
- send_handle(id, handle);
- status = SSH2_FX_OK;
+ handle = handle_new(HANDLE_DIR, path, 0, dirp);
+ if (handle < 0) {
+ closedir(dirp);
+ } else {
+ send_handle(id, handle);
+ status = SSH2_FX_OK;
+ }
}
-
}
+
if (status != SSH2_FX_OK)
send_status(id, status);
xfree(path);
@@ -1222,7 +1237,7 @@
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);

- while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) {
+ while (!skipargs && (ch = getopt(argc, argv, "C:f:l:b:che")) != -1) {
switch (ch) {
case 'c':
/*
@@ -1244,6 +1259,13 @@
if (log_level == SYSLOG_FACILITY_NOT_SET)
error("Invalid log facility \"%s\"", optarg);
break;
+ case 'b':
+ /*
+ * Set's base path to sftp-server
+ */
+ basepath=xstrdup(optarg);
+ basepathlen=strlen(basepath);
+ break;
case 'h':
default:
usage();

--cNdxnHkX5QqsyA0e
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev

--cNdxnHkX5QqsyA0e--