Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 98256 Details for
Bug 147605
[net-misc/openssh=4.3_p2] breaks w/ slashes in usernames
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
openssh-4.3_p2-selinux-metux.patch
openssh-4.3_p2-selinux-metux.patch (text/plain), 12.53 KB, created by
Enrico 'nekrad' Weigelt
on 2006-09-27 12:50:16 UTC
(
hide
)
Description:
openssh-4.3_p2-selinux-metux.patch
Filename:
MIME Type:
Creator:
Enrico 'nekrad' Weigelt
Created:
2006-09-27 12:50:16 UTC
Size:
12.53 KB
patch
obsolete
>diff -ruN openssh-4.3p2.orig/Makefile.in openssh-4.3p2/Makefile.in >--- openssh-4.3p2.orig/Makefile.in 2006-09-27 20:29:53.779114312 +0200 >+++ openssh-4.3p2/Makefile.in 2006-09-27 20:31:08.721982692 +0200 >@@ -43,6 +43,7 @@ > CFLAGS=@CFLAGS@ > CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ > LIBS=@LIBS@ >+LIBSELINUX=@LIBSELINUX@ > LIBEDIT=@LIBEDIT@ > LIBPAM=@LIBPAM@ > LIBWRAP=@LIBWRAP@ >@@ -77,7 +78,7 @@ > sshconnect.o sshconnect1.o sshconnect2.o > > SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ >- sshpty.o sshlogin.o servconf.o serverloop.o \ >+ sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \ > auth.o auth1.o auth2.o auth-options.o session.o \ > auth-chall.o auth2-chall.o groupaccess.o \ > auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ >@@ -136,7 +137,7 @@ > $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) > > sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) >- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) >+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS) > > scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o > $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) >diff -ruN openssh-4.3p2.orig/auth.h openssh-4.3p2/auth.h >--- openssh-4.3p2.orig/auth.h 2006-09-27 20:29:53.786116916 +0200 >+++ openssh-4.3p2/auth.h 2006-09-27 20:33:16.947664908 +0200 >@@ -58,6 +58,9 @@ > char *service; > struct passwd *pw; /* set if 'valid' */ > char *style; >+#ifdef WITH_SELINUX >+ char *role; >+#endif > void *kbdintctxt; > #ifdef BSD_AUTH > auth_session_t *as; >diff -ruN openssh-4.3p2.orig/auth1.c openssh-4.3p2/auth1.c >--- openssh-4.3p2.orig/auth1.c 2006-09-27 20:29:53.787117288 +0200 >+++ openssh-4.3p2/auth1.c 2006-09-27 20:34:47.852468920 +0200 >@@ -370,7 +370,10 @@ > do_authentication(Authctxt *authctxt) > { > u_int ulen; >- char *user, *style = NULL; >+ char *user, *style = NULL; >+#ifdef WITH_SELINUX >+ char *role=NULL; >+#endif > > /* Get the name of the user that we wish to log in as. */ > packet_read_expect(SSH_CMSG_USER); >@@ -379,11 +382,24 @@ > user = packet_get_string(&ulen); > packet_check_eom(); > >+#ifdef WITH_SELINUX >+ if ((role = strchr(user, '/')) != NULL) >+ *role++ = '\0'; >+#endif >+ > if ((style = strchr(user, ':')) != NULL) > *style++ = '\0'; >+#ifdef WITH_SELINUX >+ else >+ if (role && (style = strchr(role, ':')) != NULL) >+ *style++ = '\0'; >+#endif > > authctxt->user = user; > authctxt->style = style; >+#ifdef WITH_SELINUX >+ authctxt->role = role; >+#endif > > /* Verify that the user is a valid user. */ > if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) >diff -ruN openssh-4.3p2.orig/auth2.c openssh-4.3p2/auth2.c >--- openssh-4.3p2.orig/auth2.c 2006-09-27 20:29:53.788117660 +0200 >+++ openssh-4.3p2/auth2.c 2006-09-27 20:35:22.412320404 +0200 >@@ -134,7 +134,11 @@ > { > Authctxt *authctxt = ctxt; > Authmethod *m = NULL; >- char *user, *service, *method, *style = NULL; >+ char *user, *service, *method, *style = NULL; >+#ifdef WITH_SELINUX >+ char *role = NULL; >+#endif >+ > int authenticated = 0; > > if (authctxt == NULL) >@@ -171,8 +175,15 @@ > use_privsep ? " [net]" : ""); > authctxt->service = xstrdup(service); > authctxt->style = style ? xstrdup(style) : NULL; >- if (use_privsep) >+#ifdef WITH_SELINUX >+ authctxt->role = role ? xstrdup(role) : NULL; >+#endif >+ if (use_privsep) { > mm_inform_authserv(service, style); >+#ifdef WITH_SELINUX >+ mm_inform_authrole(role); >+#endif >+ } > } else if (strcmp(user, authctxt->user) != 0 || > strcmp(service, authctxt->service) != 0) { > packet_disconnect("Change of username or service not allowed: " >diff -ruN openssh-4.3p2.orig/configure.ac openssh-4.3p2/configure.ac >--- openssh-4.3p2.orig/configure.ac 2006-09-27 20:29:53.800122124 +0200 >+++ openssh-4.3p2/configure.ac 2006-09-27 20:31:08.760997200 +0200 >@@ -2952,6 +2952,20 @@ > [#include <arpa/nameser.h>]) > ]) > >+# Check whether user wants SELinux support >+SELINUX_MSG="no" >+LIBSELINUX="" >+AC_ARG_WITH(selinux, >+ [ --with-selinux Enable SELinux support], >+ [ if test "x$withval" != "xno" ; then >+ AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) >+ SELINUX_MSG="yes" >+ AC_CHECK_HEADERS(selinux.h) >+ LIBSELINUX="-lselinux" >+ fi >+ ]) >+AC_SUBST(LIBSELINUX) >+ > # Check whether user wants Kerberos 5 support > KRB5_MSG="no" > AC_ARG_WITH(kerberos5, >@@ -3770,6 +3784,7 @@ > echo " Manpage format: $MANTYPE" > echo " PAM support: $PAM_MSG" > echo " KerberosV support: $KRB5_MSG" >+echo " SELinux support: $SELINUX_MSG" > echo " Smartcard support: $SCARD_MSG" > echo " S/KEY support: $SKEY_MSG" > echo " TCP Wrappers support: $TCPW_MSG" >diff -ruN openssh-4.3p2.orig/monitor.c openssh-4.3p2/monitor.c >--- openssh-4.3p2.orig/monitor.c 2006-09-27 20:29:53.812126588 +0200 >+++ openssh-4.3p2/monitor.c 2006-09-27 20:36:51.506451096 +0200 >@@ -114,6 +114,9 @@ > int mm_answer_authpassword(int, Buffer *); > int mm_answer_bsdauthquery(int, Buffer *); > int mm_answer_bsdauthrespond(int, Buffer *); >+#ifdef WITH_SELINUX >+int mm_answer_authrole(int, Buffer *); >+#endif > int mm_answer_skeyquery(int, Buffer *); > int mm_answer_skeyrespond(int, Buffer *); > int mm_answer_keyallowed(int, Buffer *); >@@ -181,6 +184,9 @@ > {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, > {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, > {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, >+#ifdef WITH_SELINUX >+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, >+#endif > {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, > {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, > #ifdef USE_PAM >@@ -623,6 +629,9 @@ > else { > /* Allow service/style information on the auth context */ > monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); >+#ifdef WITH_SELINUX >+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); >+#endif > monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); > } > >@@ -670,6 +679,25 @@ > return (0); > } > >+#ifdef WITH_SELINUX >+int >+mm_answer_authrole(int sock, Buffer *m) >+{ >+ monitor_permit_authentications(1); >+ >+ authctxt->role = buffer_get_string(m, NULL); >+ debug3("%s: role=%s", >+ __func__, authctxt->role); >+ >+ if (strlen(authctxt->role) == 0) { >+ xfree(authctxt->role); >+ authctxt->role = NULL; >+ } >+ >+ return (0); >+} >+#endif >+ > int > mm_answer_authpassword(int sock, Buffer *m) > { >diff -ruN openssh-4.3p2.orig/monitor.h openssh-4.3p2/monitor.h >--- openssh-4.3p2.orig/monitor.h 2006-09-27 20:29:53.812126588 +0200 >+++ openssh-4.3p2/monitor.h 2006-09-27 20:37:38.463912776 +0200 >@@ -31,6 +31,9 @@ > enum monitor_reqtype { > MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, > MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, >+#ifdef WITH_SELINUX >+ MONITOR_REQ_AUTHROLE, >+#endif > MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, > MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, > MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, >diff -ruN openssh-4.3p2.orig/monitor_wrap.c openssh-4.3p2/monitor_wrap.c >--- openssh-4.3p2.orig/monitor_wrap.c 2006-09-27 20:29:53.813126960 +0200 >+++ openssh-4.3p2/monitor_wrap.c 2006-09-27 20:38:08.458066452 +0200 >@@ -271,6 +271,25 @@ > buffer_free(&m); > } > >+#ifdef WITH_SELINUX >+/* Inform the privileged process about role */ >+ >+void >+mm_inform_authrole(char *role) >+{ >+ Buffer m; >+ >+ debug3("%s entering", __func__); >+ >+ buffer_init(&m); >+ buffer_put_cstring(&m, role ? role : ""); >+ >+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); >+ >+ buffer_free(&m); >+} >+#endif >+ > /* Do the password authentication */ > int > mm_auth_password(Authctxt *authctxt, char *password) >diff -ruN openssh-4.3p2.orig/monitor_wrap.h openssh-4.3p2/monitor_wrap.h >--- openssh-4.3p2.orig/monitor_wrap.h 2006-09-27 20:29:53.813126960 +0200 >+++ openssh-4.3p2/monitor_wrap.h 2006-09-27 20:38:27.184029920 +0200 >@@ -44,6 +44,9 @@ > DH *mm_choose_dh(int, int, int); > int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); > void mm_inform_authserv(char *, char *); >+#ifdef WITH_SELINUX >+void mm_inform_authrole(char *); >+#endif > struct passwd *mm_getpwnamallow(const char *); > char *mm_auth2_read_banner(void); > int mm_auth_password(struct Authctxt *, char *); >diff -ruN openssh-4.3p2.orig/selinux.c openssh-4.3p2/selinux.c >--- openssh-4.3p2.orig/selinux.c 1970-01-01 01:00:00.000000000 +0100 >+++ openssh-4.3p2/selinux.c 2006-09-27 20:31:08.770000548 +0200 >@@ -0,0 +1,86 @@ >+#include "includes.h" >+#include "auth.h" >+#include "log.h" >+ >+#ifdef WITH_SELINUX >+#include <selinux/selinux.h> >+#include <selinux/flask.h> >+#include <selinux/context.h> >+#include <selinux/get_context_list.h> >+#include <selinux/get_default_type.h> >+extern Authctxt *the_authctxt; >+ >+static const security_context_t selinux_get_user_context(const char *name) { >+ security_context_t user_context=NULL; >+ char *role=NULL; >+ int ret=-1; >+ char *seuser=NULL; >+ char *level=NULL; >+ >+ if (the_authctxt) >+ role=the_authctxt->role; >+ >+ if (getseuserbyname(name, &seuser, &level)==0) { >+ if (role != NULL && role[0]) >+ ret=get_default_context_with_rolelevel(seuser, role, level,NULL,&user_context); >+ else >+ ret=get_default_context_with_level(seuser, level, NULL,&user_context); >+ } >+ >+ if ( ret < 0 ) { >+ if (security_getenforce() > 0) >+ fatal("Failed to get default security context for %s.", name); >+ else >+ error("Failed to get default security context for %s. Continuing in permissive mode", name); >+ } >+ return user_context; >+} >+ >+void setup_selinux_pty(const char *name, const char *tty) { >+ if (is_selinux_enabled() > 0) { >+ security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; >+ >+ user_context=selinux_get_user_context(name); >+ >+ if (getfilecon(tty, &old_tty_context) < 0) { >+ error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno)); >+ } else { >+ if (security_compute_relabel(user_context,old_tty_context, >+ SECCLASS_CHR_FILE, >+ &new_tty_context) != 0) { >+ error("security_compute_relabel(%.100s) failed: %.100s", tty, >+ strerror(errno)); >+ } else { >+ if (setfilecon (tty, new_tty_context) != 0) >+ error("setfilecon(%.100s, %s) failed: %.100s", >+ tty, new_tty_context, >+ strerror(errno)); >+ freecon(new_tty_context); >+ } >+ freecon(old_tty_context); >+ } >+ if (user_context) { >+ freecon(user_context); >+ } >+ } >+} >+ >+void setup_selinux_exec_context(char *name) { >+ >+ if (is_selinux_enabled() > 0) { >+ security_context_t user_context=selinux_get_user_context(name); >+ if (setexeccon(user_context)) { >+ if (security_getenforce() > 0) >+ fatal("Failed to set exec security context %s for %s.", user_context, name); >+ else >+ error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name); >+ } >+ if (user_context) { >+ freecon(user_context); >+ } >+ } >+} >+#else >+inline void setup_selinux_pty(const char *name, const char *tty) {} >+inline void setup_selinux_exec_context(const char *name) {} >+#endif /* WITH_SELINUX */ >diff -ruN openssh-4.3p2.orig/selinux.h openssh-4.3p2/selinux.h >--- openssh-4.3p2.orig/selinux.h 1970-01-01 01:00:00.000000000 +0100 >+++ openssh-4.3p2/selinux.h 2006-09-27 20:39:03.941698688 +0200 >@@ -0,0 +1,9 @@ >+#ifndef __SELINUX_H_ >+#define __SELINUX_H_ >+ >+#ifdef WITH_SELINUX >+extern void setup_selinux_pty(const char *name, const char *tty); >+extern void setup_selinux_exec_context(const char *name); >+#endif >+ >+#endif /* __SELINUX_H_ */ >diff -ruN openssh-4.3p2.orig/session.c openssh-4.3p2/session.c >--- openssh-4.3p2.orig/session.c 2006-09-27 20:29:53.822130308 +0200 >+++ openssh-4.3p2/session.c 2006-09-27 20:39:34.031888076 +0200 >@@ -59,6 +59,10 @@ > #include "kex.h" > #include "monitor_wrap.h" > >+#ifdef WITH_SELINUX >+#include "selinux.h" >+#endif >+ > #if defined(KRB5) && defined(USE_AFS) > #include <kafs.h> > #endif >@@ -1340,6 +1344,10 @@ > #endif > if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) > fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); >+ >+#ifdef WITH_SELINUX >+ setup_selinux_exec_context(pw->pw_name); >+#endif > } > > static void >diff -ruN openssh-4.3p2.orig/sshpty.c openssh-4.3p2/sshpty.c >--- openssh-4.3p2.orig/sshpty.c 2006-09-27 20:29:53.834134772 +0200 >+++ openssh-4.3p2/sshpty.c 2006-09-27 20:40:05.663650716 +0200 >@@ -22,6 +22,10 @@ > #include "log.h" > #include "misc.h" > >+#ifdef WITH_SELINUX >+#include "selinux.h" >+#endif >+ > #ifdef HAVE_PTY_H > # include <pty.h> > #endif >@@ -200,6 +204,10 @@ > fatal("stat(%.100s) failed: %.100s", tty, > strerror(errno)); > >+#ifdef WITH_SELINUX >+ setup_selinux_pty(pw->pw_name, tty); >+#endif >+ > if (st.st_uid != pw->pw_uid || st.st_gid != gid) { > if (chown(tty, pw->pw_uid, gid) < 0) { > if (errno == EROFS &&
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=98256">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 147605
:
97019
| 98256
