1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
Index: pam/modules/pam_limits/pam_limits.c
===================================================================
--- pam.orig/modules/pam_limits/pam_limits.c
+++ pam/modules/pam_limits/pam_limits.c
@@ -88,6 +88,7 @@
int flag_numsyslogins; /* whether to limit logins only for a
specific user or to count all logins */
int priority; /* the priority to run user process with */
+ char chroot_dir[8092]; /* directory to chroot into */
struct user_limits_struct limits[RLIM_NLIMITS];
const char *conf_file;
int utmp_after_pam_call;
@@ -98,6 +99,7 @@
#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
#define LIMIT_PRI RLIM_NLIMITS+3
+#define LIMIT_CHROOT RLIM_NLIMITS+4
#define LIMIT_SOFT 1
#define LIMIT_HARD 2
@@ -484,6 +486,8 @@
pl->login_limit = -2;
pl->login_limit_def = LIMITS_DEF_NONE;
+ pl->chroot_dir[0] = '\0';
+
return retval;
}
@@ -554,6 +558,8 @@
pl->flag_numsyslogins = 1;
} else if (strcmp(lim_item, "priority") == 0) {
limit_item = LIMIT_PRI;
+ } else if (strcmp(lim_item, "chroot") == 0) {
+ limit_item = LIMIT_CHROOT;
} else {
pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
return;
@@ -591,9 +597,9 @@
pam_syslog(pamh, LOG_DEBUG,
"wrong limit value '%s' for limit type '%s'",
lim_value, lim_type);
- return;
+ return;
}
- } else {
+ } else if (limit_item != LIMIT_CHROOT) {
#ifdef __USE_FILE_OFFSET64
rlimit_value = strtoull (lim_value, &endptr, 10);
#else
@@ -654,7 +660,11 @@
#endif
}
- if ( (limit_item != LIMIT_LOGIN)
+ if (limit_item == LIMIT_CHROOT) {
+ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1);
+ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0';
+ }
+ else if ( (limit_item != LIMIT_LOGIN)
&& (limit_item != LIMIT_NUMSYSLOGINS)
&& (limit_item != LIMIT_PRI) ) {
if (limit_type & LIMIT_SOFT) {
@@ -998,6 +1008,15 @@
retval |= LOGIN_ERR;
}
+ if (!retval && pl->chroot_dir[0]) {
+ i = chdir(pl->chroot_dir);
+ if (i == 0)
+ i = chroot(pl->chroot_dir);
+ if (i == 0)
+ i = chdir("/");
+ if (i != 0)
+ retval = LIMIT_ERR;
+ }
return retval;
}
Index: pam/modules/pam_limits/limits.conf.5.xml
===================================================================
--- pam.orig/modules/pam_limits/limits.conf.5.xml
+++ pam/modules/pam_limits/limits.conf.5.xml
@@ -266,6 +266,12 @@
(Linux 2.6.12 and higher)</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>chroot</option></term>
+ <listitem>
+ <para>the directory to chroot the user to</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</listitem>
</varlistentry>
Index: pam/modules/pam_limits/limits.conf.5
===================================================================
--- pam.orig/modules/pam_limits/limits.conf.5
+++ pam/modules/pam_limits/limits.conf.5
@@ -271,6 +271,11 @@
.RS 4
maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher)
.RE
+.PP
+\fBchroot\fR
+.RS 4
+the directory to chroot the user to
+.RE
.RE
.PP
All items support the values
Index: pam/modules/pam_limits/limits.conf
===================================================================
--- pam.orig/modules/pam_limits/limits.conf
+++ pam/modules/pam_limits/limits.conf
@@ -35,6 +35,7 @@
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#
@@ -45,6 +46,7 @@
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
+#ftp - chroot /ftp
#@student - maxlogins 4
# End of file
|