|
Line
Link Here
|
| 0 |
-- openssh-4.3p1/Makefile.in |
0 |
++ openssh-4.3p1/Makefile.in |
|
Lines 43-48
Link Here
|
| 43 |
CFLAGS=@CFLAGS@ |
43 |
CFLAGS=@CFLAGS@ |
| 44 |
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
44 |
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
| 45 |
LIBS=@LIBS@ |
45 |
LIBS=@LIBS@ |
|
|
46 |
LIBSELINUX=@LIBSELINUX@ |
| 46 |
LIBEDIT=@LIBEDIT@ |
47 |
LIBEDIT=@LIBEDIT@ |
| 47 |
LIBPAM=@LIBPAM@ |
48 |
LIBPAM=@LIBPAM@ |
| 48 |
LIBWRAP=@LIBWRAP@ |
49 |
LIBWRAP=@LIBWRAP@ |
|
Lines 77-83
Link Here
|
| 77 |
sshconnect.o sshconnect1.o sshconnect2.o |
78 |
sshconnect.o sshconnect1.o sshconnect2.o |
| 78 |
|
79 |
|
| 79 |
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
80 |
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
| 80 |
sshpty.o sshlogin.o servconf.o serverloop.o \ |
81 |
sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \ |
| 81 |
auth.o auth1.o auth2.o auth-options.o session.o \ |
82 |
auth.o auth1.o auth2.o auth-options.o session.o \ |
| 82 |
auth-chall.o auth2-chall.o groupaccess.o \ |
83 |
auth-chall.o auth2-chall.o groupaccess.o \ |
| 83 |
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
84 |
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
|
Lines 136-142
Link Here
|
| 136 |
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
137 |
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
| 137 |
|
138 |
|
| 138 |
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) |
139 |
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) |
| 139 |
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) |
140 |
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS) |
| 140 |
|
141 |
|
| 141 |
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o |
142 |
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o |
| 142 |
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
143 |
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
| 143 |
-- openssh-4.3p1/auth.h |
144 |
++ openssh-4.3p1/auth.h |
|
Lines 58-63
Link Here
|
| 58 |
char *service; |
58 |
char *service; |
| 59 |
struct passwd *pw; /* set if 'valid' */ |
59 |
struct passwd *pw; /* set if 'valid' */ |
| 60 |
char *style; |
60 |
char *style; |
|
|
61 |
char *role; |
| 61 |
void *kbdintctxt; |
62 |
void *kbdintctxt; |
| 62 |
#ifdef BSD_AUTH |
63 |
#ifdef BSD_AUTH |
| 63 |
auth_session_t *as; |
64 |
auth_session_t *as; |
| 64 |
-- openssh-4.3p1/auth1.c |
65 |
++ openssh-4.3p1/auth1.c |
|
Lines 370-376
Link Here
|
| 370 |
do_authentication(Authctxt *authctxt) |
370 |
do_authentication(Authctxt *authctxt) |
| 371 |
{ |
371 |
{ |
| 372 |
u_int ulen; |
372 |
u_int ulen; |
| 373 |
char *user, *style = NULL; |
373 |
char *user, *style = NULL, *role=NULL; |
| 374 |
|
374 |
|
| 375 |
/* Get the name of the user that we wish to log in as. */ |
375 |
/* Get the name of the user that we wish to log in as. */ |
| 376 |
packet_read_expect(SSH_CMSG_USER); |
376 |
packet_read_expect(SSH_CMSG_USER); |
|
Lines 379-389
Link Here
|
| 379 |
user = packet_get_string(&ulen); |
379 |
user = packet_get_string(&ulen); |
| 380 |
packet_check_eom(); |
380 |
packet_check_eom(); |
| 381 |
|
381 |
|
|
|
382 |
// if ((role = strchr(user, '/')) != NULL) |
| 383 |
// *role++ = '\0'; |
| 384 |
|
| 382 |
if ((style = strchr(user, ':')) != NULL) |
385 |
if ((style = strchr(user, ':')) != NULL) |
| 383 |
*style++ = '\0'; |
386 |
*style++ = '\0'; |
|
|
387 |
else |
| 388 |
if (role && (style = strchr(role, ':')) != NULL) |
| 389 |
*style++ = '\0'; |
| 390 |
|
| 384 |
|
391 |
|
| 385 |
authctxt->user = user; |
392 |
authctxt->user = user; |
| 386 |
authctxt->style = style; |
393 |
authctxt->style = style; |
|
|
394 |
authctxt->role = role; |
| 387 |
|
395 |
|
| 388 |
/* Verify that the user is a valid user. */ |
396 |
/* Verify that the user is a valid user. */ |
| 389 |
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
397 |
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
| 390 |
-- openssh-4.3p1/auth2.c |
398 |
++ openssh-4.3p1/auth2.c |
|
Lines 134-140
Link Here
|
| 134 |
{ |
134 |
{ |
| 135 |
Authctxt *authctxt = ctxt; |
135 |
Authctxt *authctxt = ctxt; |
| 136 |
Authmethod *m = NULL; |
136 |
Authmethod *m = NULL; |
| 137 |
char *user, *service, *method, *style = NULL; |
137 |
char *user, *service, *method, *style = NULL, *role = NULL; |
| 138 |
int authenticated = 0; |
138 |
int authenticated = 0; |
| 139 |
|
139 |
|
| 140 |
if (authctxt == NULL) |
140 |
if (authctxt == NULL) |
|
Lines 171-178
Link Here
|
| 171 |
use_privsep ? " [net]" : ""); |
174 |
use_privsep ? " [net]" : ""); |
| 172 |
authctxt->service = xstrdup(service); |
175 |
authctxt->service = xstrdup(service); |
| 173 |
authctxt->style = style ? xstrdup(style) : NULL; |
176 |
authctxt->style = style ? xstrdup(style) : NULL; |
| 174 |
if (use_privsep) |
177 |
authctxt->role = role ? xstrdup(role) : NULL; |
|
|
178 |
if (use_privsep) { |
| 175 |
mm_inform_authserv(service, style); |
179 |
mm_inform_authserv(service, style); |
|
|
180 |
mm_inform_authrole(role); |
| 181 |
} |
| 176 |
} else if (strcmp(user, authctxt->user) != 0 || |
182 |
} else if (strcmp(user, authctxt->user) != 0 || |
| 177 |
strcmp(service, authctxt->service) != 0) { |
183 |
strcmp(service, authctxt->service) != 0) { |
| 178 |
packet_disconnect("Change of username or service not allowed: " |
184 |
packet_disconnect("Change of username or service not allowed: " |
| 179 |
-- openssh-4.3p1/configure.ac |
185 |
++ openssh-4.3p1/configure.ac |
|
Lines 2945-2950
Link Here
|
| 2945 |
[#include <arpa/nameser.h>]) |
2945 |
[#include <arpa/nameser.h>]) |
| 2946 |
]) |
2946 |
]) |
| 2947 |
|
2947 |
|
|
|
2948 |
# Check whether user wants SELinux support |
| 2949 |
SELINUX_MSG="no" |
| 2950 |
LIBSELINUX="" |
| 2951 |
AC_ARG_WITH(selinux, |
| 2952 |
[ --with-selinux Enable SELinux support], |
| 2953 |
[ if test "x$withval" != "xno" ; then |
| 2954 |
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) |
| 2955 |
SELINUX_MSG="yes" |
| 2956 |
AC_CHECK_HEADERS(selinux.h) |
| 2957 |
LIBSELINUX="-lselinux" |
| 2958 |
fi |
| 2959 |
]) |
| 2960 |
AC_SUBST(LIBSELINUX) |
| 2961 |
|
| 2948 |
# Check whether user wants Kerberos 5 support |
2962 |
# Check whether user wants Kerberos 5 support |
| 2949 |
KRB5_MSG="no" |
2963 |
KRB5_MSG="no" |
| 2950 |
AC_ARG_WITH(kerberos5, |
2964 |
AC_ARG_WITH(kerberos5, |
|
Lines 3763-3768
Link Here
|
| 3763 |
echo " Manpage format: $MANTYPE" |
3777 |
echo " Manpage format: $MANTYPE" |
| 3764 |
echo " PAM support: $PAM_MSG" |
3778 |
echo " PAM support: $PAM_MSG" |
| 3765 |
echo " KerberosV support: $KRB5_MSG" |
3779 |
echo " KerberosV support: $KRB5_MSG" |
|
|
3780 |
echo " SELinux support: $SELINUX_MSG" |
| 3766 |
echo " Smartcard support: $SCARD_MSG" |
3781 |
echo " Smartcard support: $SCARD_MSG" |
| 3767 |
echo " S/KEY support: $SKEY_MSG" |
3782 |
echo " S/KEY support: $SKEY_MSG" |
| 3768 |
echo " TCP Wrappers support: $TCPW_MSG" |
3783 |
echo " TCP Wrappers support: $TCPW_MSG" |
| 3769 |
-- openssh-4.3p1/monitor.c |
3784 |
++ openssh-4.3p1/monitor.c |
|
Lines 115-120
Link Here
|
| 115 |
int mm_answer_authpassword(int, Buffer *); |
115 |
int mm_answer_authpassword(int, Buffer *); |
| 116 |
int mm_answer_bsdauthquery(int, Buffer *); |
116 |
int mm_answer_bsdauthquery(int, Buffer *); |
| 117 |
int mm_answer_bsdauthrespond(int, Buffer *); |
117 |
int mm_answer_bsdauthrespond(int, Buffer *); |
|
|
118 |
int mm_answer_authrole(int, Buffer *); |
| 118 |
int mm_answer_skeyquery(int, Buffer *); |
119 |
int mm_answer_skeyquery(int, Buffer *); |
| 119 |
int mm_answer_skeyrespond(int, Buffer *); |
120 |
int mm_answer_skeyrespond(int, Buffer *); |
| 120 |
int mm_answer_keyallowed(int, Buffer *); |
121 |
int mm_answer_keyallowed(int, Buffer *); |
|
Lines 181-186
Link Here
|
| 181 |
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
182 |
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
| 182 |
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
183 |
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
| 183 |
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
184 |
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
|
|
185 |
{MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, |
| 184 |
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
186 |
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
| 185 |
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
187 |
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
| 186 |
#ifdef USE_PAM |
188 |
#ifdef USE_PAM |
|
Lines 623-628
Link Here
|
| 623 |
else { |
625 |
else { |
| 624 |
/* Allow service/style information on the auth context */ |
626 |
/* Allow service/style information on the auth context */ |
| 625 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
627 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
|
|
628 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); |
| 626 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
629 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
| 627 |
} |
630 |
} |
| 628 |
|
631 |
|
|
Lines 671-676
Link Here
|
| 671 |
} |
674 |
} |
| 672 |
|
675 |
|
| 673 |
int |
676 |
int |
|
|
677 |
mm_answer_authrole(int sock, Buffer *m) |
| 678 |
{ |
| 679 |
monitor_permit_authentications(1); |
| 680 |
|
| 681 |
authctxt->role = buffer_get_string(m, NULL); |
| 682 |
debug3("%s: role=%s", |
| 683 |
__func__, authctxt->role); |
| 684 |
|
| 685 |
if (strlen(authctxt->role) == 0) { |
| 686 |
xfree(authctxt->role); |
| 687 |
authctxt->role = NULL; |
| 688 |
} |
| 689 |
|
| 690 |
return (0); |
| 691 |
} |
| 692 |
|
| 693 |
int |
| 674 |
mm_answer_authpassword(int sock, Buffer *m) |
694 |
mm_answer_authpassword(int sock, Buffer *m) |
| 675 |
{ |
695 |
{ |
| 676 |
static int call_count; |
696 |
static int call_count; |
| 677 |
-- openssh-4.3p1/monitor.h |
697 |
++ openssh-4.3p1/monitor.h |
|
Lines 30-36
Link Here
|
| 30 |
|
30 |
|
| 31 |
enum monitor_reqtype { |
31 |
enum monitor_reqtype { |
| 32 |
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, |
32 |
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, |
| 33 |
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, |
33 |
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE, |
| 34 |
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, |
34 |
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, |
| 35 |
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, |
35 |
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, |
| 36 |
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, |
36 |
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, |
| 37 |
-- openssh-4.3p1/monitor_wrap.c |
37 |
++ openssh-4.3p1/monitor_wrap.c |
|
Lines 271-276
Link Here
|
| 271 |
buffer_free(&m); |
271 |
buffer_free(&m); |
| 272 |
} |
272 |
} |
| 273 |
|
273 |
|
|
|
274 |
/* Inform the privileged process about role */ |
| 275 |
|
| 276 |
void |
| 277 |
mm_inform_authrole(char *role) |
| 278 |
{ |
| 279 |
Buffer m; |
| 280 |
|
| 281 |
debug3("%s entering", __func__); |
| 282 |
|
| 283 |
buffer_init(&m); |
| 284 |
buffer_put_cstring(&m, role ? role : ""); |
| 285 |
|
| 286 |
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); |
| 287 |
|
| 288 |
buffer_free(&m); |
| 289 |
} |
| 290 |
|
| 274 |
/* Do the password authentication */ |
291 |
/* Do the password authentication */ |
| 275 |
int |
292 |
int |
| 276 |
mm_auth_password(Authctxt *authctxt, char *password) |
293 |
mm_auth_password(Authctxt *authctxt, char *password) |
| 277 |
-- openssh-4.3p1/monitor_wrap.h |
294 |
++ openssh-4.3p1/monitor_wrap.h |
|
Lines 44-49
Link Here
|
| 44 |
DH *mm_choose_dh(int, int, int); |
44 |
DH *mm_choose_dh(int, int, int); |
| 45 |
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); |
45 |
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); |
| 46 |
void mm_inform_authserv(char *, char *); |
46 |
void mm_inform_authserv(char *, char *); |
|
|
47 |
void mm_inform_authrole(char *); |
| 47 |
struct passwd *mm_getpwnamallow(const char *); |
48 |
struct passwd *mm_getpwnamallow(const char *); |
| 48 |
char *mm_auth2_read_banner(void); |
49 |
char *mm_auth2_read_banner(void); |
| 49 |
int mm_auth_password(struct Authctxt *, char *); |
50 |
int mm_auth_password(struct Authctxt *, char *); |
| 50 |
-- openssh-4.3p1/selinux.c |
51 |
++ openssh-4.3p1/selinux.c |
|
Line 0
Link Here
|
| 0 |
-- openssh-4.3p1/selinux.h |
1 |
#include "includes.h" |
|
|
2 |
#include "auth.h" |
| 3 |
#include "log.h" |
| 4 |
|
| 5 |
#ifdef WITH_SELINUX |
| 6 |
#include <selinux/selinux.h> |
| 7 |
#include <selinux/flask.h> |
| 8 |
#include <selinux/context.h> |
| 9 |
#include <selinux/get_context_list.h> |
| 10 |
#include <selinux/get_default_type.h> |
| 11 |
extern Authctxt *the_authctxt; |
| 12 |
|
| 13 |
static const security_context_t selinux_get_user_context(const char *name) { |
| 14 |
security_context_t user_context=NULL; |
| 15 |
char *role=NULL; |
| 16 |
int ret=-1; |
| 17 |
char *seuser=NULL; |
| 18 |
char *level=NULL; |
| 19 |
|
| 20 |
if (the_authctxt) |
| 21 |
role=the_authctxt->role; |
| 22 |
|
| 23 |
if (getseuserbyname(name, &seuser, &level)==0) { |
| 24 |
if (role != NULL && role[0]) |
| 25 |
ret=get_default_context_with_rolelevel(seuser, role, level,NULL,&user_context); |
| 26 |
else |
| 27 |
ret=get_default_context_with_level(seuser, level, NULL,&user_context); |
| 28 |
} |
| 29 |
|
| 30 |
if ( ret < 0 ) { |
| 31 |
if (security_getenforce() > 0) |
| 32 |
fatal("Failed to get default security context for %s.", name); |
| 33 |
else |
| 34 |
error("Failed to get default security context for %s. Continuing in permissive mode", name); |
| 35 |
} |
| 36 |
return user_context; |
| 37 |
} |
| 38 |
|
| 39 |
void setup_selinux_pty(const char *name, const char *tty) { |
| 40 |
if (is_selinux_enabled() > 0) { |
| 41 |
security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; |
| 42 |
|
| 43 |
user_context=selinux_get_user_context(name); |
| 44 |
|
| 45 |
if (getfilecon(tty, &old_tty_context) < 0) { |
| 46 |
error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno)); |
| 47 |
} else { |
| 48 |
if (security_compute_relabel(user_context,old_tty_context, |
| 49 |
SECCLASS_CHR_FILE, |
| 50 |
&new_tty_context) != 0) { |
| 51 |
error("security_compute_relabel(%.100s) failed: %.100s", tty, |
| 52 |
strerror(errno)); |
| 53 |
} else { |
| 54 |
if (setfilecon (tty, new_tty_context) != 0) |
| 55 |
error("setfilecon(%.100s, %s) failed: %.100s", |
| 56 |
tty, new_tty_context, |
| 57 |
strerror(errno)); |
| 58 |
freecon(new_tty_context); |
| 59 |
} |
| 60 |
freecon(old_tty_context); |
| 61 |
} |
| 62 |
if (user_context) { |
| 63 |
freecon(user_context); |
| 64 |
} |
| 65 |
} |
| 66 |
} |
| 67 |
|
| 68 |
void setup_selinux_exec_context(char *name) { |
| 69 |
|
| 70 |
if (is_selinux_enabled() > 0) { |
| 71 |
security_context_t user_context=selinux_get_user_context(name); |
| 72 |
if (setexeccon(user_context)) { |
| 73 |
if (security_getenforce() > 0) |
| 74 |
fatal("Failed to set exec security context %s for %s.", user_context, name); |
| 75 |
else |
| 76 |
error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name); |
| 77 |
} |
| 78 |
if (user_context) { |
| 79 |
freecon(user_context); |
| 80 |
} |
| 81 |
} |
| 82 |
} |
| 83 |
#else |
| 84 |
inline void setup_selinux_pty(const char *name, const char *tty) {} |
| 85 |
inline void setup_selinux_exec_context(const char *name) {} |
| 86 |
#endif /* WITH_SELINUX */ |
|
|
87 |
++ openssh-4.3p1/selinux.h |
|
Line 0
Link Here
|
| 0 |
-- openssh-4.3p1/session.c |
1 |
#ifndef __SELINUX_H_ |
|
|
2 |
#define __SELINUX_H_ |
| 3 |
extern void setup_selinux_pty(const char *name, const char *tty); |
| 4 |
extern void setup_selinux_exec_context(const char *name); |
| 5 |
#endif /* __SELINUX_H_ */ |
|
|
6 |
++ openssh-4.3p1/session.c |
|
Lines 59-64
Link Here
|
| 59 |
#include "kex.h" |
59 |
#include "kex.h" |
| 60 |
#include "monitor_wrap.h" |
60 |
#include "monitor_wrap.h" |
| 61 |
|
61 |
|
|
|
62 |
#include "selinux.h" |
| 63 |
|
| 62 |
#if defined(KRB5) && defined(USE_AFS) |
64 |
#if defined(KRB5) && defined(USE_AFS) |
| 63 |
#include <kafs.h> |
65 |
#include <kafs.h> |
| 64 |
#endif |
66 |
#endif |
|
Lines 1340-1345
Link Here
|
| 1340 |
#endif |
1342 |
#endif |
| 1341 |
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) |
1343 |
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) |
| 1342 |
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); |
1344 |
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); |
|
|
1345 |
|
| 1346 |
setup_selinux_exec_context(pw->pw_name); |
| 1343 |
} |
1347 |
} |
| 1344 |
|
1348 |
|
| 1345 |
static void |
1349 |
static void |
| 1346 |
-- openssh-4.3p1/sshpty.c |
1350 |
++ openssh-4.3p1/sshpty.c |
|
Lines 22-27
Link Here
|
| 22 |
#include "log.h" |
22 |
#include "log.h" |
| 23 |
#include "misc.h" |
23 |
#include "misc.h" |
| 24 |
|
24 |
|
|
|
25 |
#include "selinux.h" |
| 26 |
|
| 25 |
#ifdef HAVE_PTY_H |
27 |
#ifdef HAVE_PTY_H |
| 26 |
# include <pty.h> |
28 |
# include <pty.h> |
| 27 |
#endif |
29 |
#endif |
|
Lines 200-205
Link Here
|
| 200 |
fatal("stat(%.100s) failed: %.100s", tty, |
202 |
fatal("stat(%.100s) failed: %.100s", tty, |
| 201 |
strerror(errno)); |
203 |
strerror(errno)); |
| 202 |
|
204 |
|
|
|
205 |
setup_selinux_pty(pw->pw_name, tty); |
| 206 |
|
| 203 |
if (st.st_uid != pw->pw_uid || st.st_gid != gid) { |
207 |
if (st.st_uid != pw->pw_uid || st.st_gid != gid) { |
| 204 |
if (chown(tty, pw->pw_uid, gid) < 0) { |
208 |
if (chown(tty, pw->pw_uid, gid) < 0) { |
| 205 |
if (errno == EROFS && |
209 |
if (errno == EROFS && |
