forked from rpms/openssh
run privsep slave process as the users SELinux context (#781634)
This commit is contained in:
parent
017c65d99b
commit
cd5891d0d5
29
openssh-5.9p1-privsep-selinux.patch
Normal file
29
openssh-5.9p1-privsep-selinux.patch
Normal file
@ -0,0 +1,29 @@
|
||||
diff --git a/session.c b/session.c
|
||||
index 436ea48..49c9321 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)
|
||||
#endif
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (options.chroot_directory == NULL ||
|
||||
+ strcasecmp(options.chroot_directory, "none") == 0) {
|
||||
+ ssh_selinux_copy_context();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
||||
}
|
||||
@@ -1693,7 +1700,9 @@ do_child(Session *s, const char *command)
|
||||
/* When PAM is enabled we rely on it to do the nologin check */
|
||||
if (!options.use_pam)
|
||||
do_nologin(pw);
|
||||
- do_setusercontext(pw);
|
||||
+ /* We are already separated */
|
||||
+ if (!use_privsep)
|
||||
+ do_setusercontext(pw);
|
||||
/*
|
||||
* PAM session modules in do_setusercontext may have
|
||||
* generated messages, so if this in an interactive
|
@ -143,6 +143,8 @@ Patch401: openssh-5.9p1-mls.patch
|
||||
Patch402: openssh-5.9p1-sftp-chroot.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1940
|
||||
Patch403: openssh-5.9p1-sesandbox.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
||||
Patch404: openssh-5.9p1-privsep-selinux.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
|
||||
Patch500: openssh-5.9p1-akc.patch
|
||||
@ -416,6 +418,7 @@ popd
|
||||
%patch401 -p1 -b .mls
|
||||
%patch402 -p1 -b .sftp-chroot
|
||||
%patch403 -p1 -b .sesandbox
|
||||
%patch404 -p1 -b .privsep-selinux
|
||||
%endif
|
||||
|
||||
%patch500 -p1 -b .akc
|
||||
|
Loading…
Reference in New Issue
Block a user