From 8bc65c49b7e5e758c87eb7b6c9cfcf9cb360ed7b Mon Sep 17 00:00:00 2001 From: Jan F Date: Tue, 5 Apr 2011 20:54:12 +0200 Subject: [PATCH] the intermediate context is set to sshd_sftpd_t do not crash in packet.c if no connection --- openssh-5.8p1-packet.patch | 12 ++++++++++++ openssh-5.8p1-sftpcontext.patch | 34 ++++++++++++--------------------- openssh.spec | 7 +++++++ 3 files changed, 31 insertions(+), 22 deletions(-) create mode 100644 openssh-5.8p1-packet.patch diff --git a/openssh-5.8p1-packet.patch b/openssh-5.8p1-packet.patch new file mode 100644 index 0000000..4951af6 --- /dev/null +++ b/openssh-5.8p1-packet.patch @@ -0,0 +1,12 @@ +diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c +--- openssh-5.8p1/packet.c.packet 2011-04-05 13:29:06.998648899 +0200 ++++ openssh-5.8p1/packet.c 2011-04-05 13:30:32.967648596 +0200 +@@ -294,6 +294,8 @@ packet_connection_is_on_socket(void) + struct sockaddr_storage from, to; + socklen_t fromlen, tolen; + ++ if (!active_state) ++ return 0; + /* filedescriptors in and out are the same, so it's a socket */ + if (active_state->connection_in == active_state->connection_out) + return 1; diff --git a/openssh-5.8p1-sftpcontext.patch b/openssh-5.8p1-sftpcontext.patch index 569f361..872dae9 100644 --- a/openssh-5.8p1-sftpcontext.patch +++ b/openssh-5.8p1-sftpcontext.patch @@ -1,24 +1,14 @@ diff -up openssh-5.8p1/session.c.sftpcontext openssh-5.8p1/session.c ---- openssh-5.8p1/session.c.sftpcontext 2011-04-01 11:22:26.988648474 +0200 -+++ openssh-5.8p1/session.c 2011-04-01 11:31:49.127665411 +0200 -@@ -831,6 +831,10 @@ do_exec(Session *s, const char *command) - if (s->command != NULL) - s->command_handle = PRIVSEP(audit_run_command(s->command)); - #endif -+#ifdef WITH_SELINUX -+debug(">>> %d:%d %s ~ %d", getuid(), geteuid(), s->command, IS_INTERNAL_SFTP(s->command)); -+// ssh_selinux_change_context("sftpd_t"); -+#endif - if (s->ttyfd != -1) - ret = do_exec_pty(s, command); - else -@@ -1780,9 +1784,6 @@ do_child(Session *s, const char *command - argv[i] = NULL; - optind = optreset = 1; - __progname = argv[0]; --#ifdef WITH_SELINUX -- ssh_selinux_change_context("sftpd_t"); --#endif - exit(sftp_server_main(i, argv, s->pw)); - } +--- openssh-5.8p1/session.c.sftpcontext 2011-04-05 19:46:53.674654050 +0200 ++++ openssh-5.8p1/session.c 2011-04-05 19:48:32.942658237 +0200 +@@ -1520,6 +1520,10 @@ do_setusercontext(struct passwd *pw) + free(chroot_path); + } ++#ifdef WITH_SELINUX ++ ssh_selinux_change_context("sshd_sftpd_t"); ++#endif ++ + #ifdef HAVE_LOGIN_CAP + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { + perror("unable to set user context (setuser)"); diff --git a/openssh.spec b/openssh.spec index 62627c9..2a65367 100644 --- a/openssh.spec +++ b/openssh.spec @@ -110,6 +110,8 @@ Patch3: openssh-5.8p1-audit3.patch Patch4: openssh-5.8p1-audit4.patch Patch5: openssh-5.8p1-audit5.patch #? +Patch6: openssh-5.8p1-packet.patch +#? Patch7: openssh-5.8p1-entropy.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) Patch9: openssh-5.8p1-vendor.patch @@ -325,6 +327,7 @@ The module is most useful for su and sudo service stacks. %patch3 -p1 -b .audit3 %patch4 -p1 -b .audit4 %patch5 -p1 -b .audit5 +%patch6 -p1 -b .packet %patch7 -p1 -b .entropy %patch9 -p1 -b .vendor %if %{pam_ssh_agent} @@ -658,6 +661,10 @@ fi %endif %changelog +* Tue Apr 5 2011 Jan F. Chadima - 5.8p1-24 + 0.9.2-30 +- the intermediate context is set to sshd_sftpd_t +- do not crash in packet.c if no connection + * Thu Mar 31 2011 Jan F. Chadima - 5.8p1-24 + 0.9.2-30 - resolve warnings in port_linux.c