forked from rpms/openssh
8fe15092c3
change selinux contex for internal sftp in do_usercontext exit(0) after sigterm
91 lines
2.8 KiB
Diff
91 lines
2.8 KiB
Diff
diff -up openssh-5.8p1/session.c.sftpcontext openssh-5.8p1/session.c
|
|
--- openssh-5.8p1/session.c.sftpcontext 2011-03-17 06:20:41.651773603 +0100
|
|
+++ openssh-5.8p1/session.c 2011-03-17 06:39:11.947648737 +0100
|
|
@@ -1479,12 +1479,21 @@ safely_chroot(const char *path, uid_t ui
|
|
|
|
/* Set login name, uid, gid, and groups. */
|
|
void
|
|
+#ifdef WITH_SELINUX
|
|
+do_setusercontext(struct passwd *pw, const char *context)
|
|
+#else
|
|
do_setusercontext(struct passwd *pw)
|
|
+#endif
|
|
{
|
|
char *chroot_path, *tmp;
|
|
|
|
platform_setusercontext(pw);
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+ if (context)
|
|
+ ssh_selinux_change_context(context);
|
|
+#endif
|
|
+
|
|
if (platform_privileged_uidswap()) {
|
|
#ifdef HAVE_LOGIN_CAP
|
|
if (setusercontext(lc, pw, pw->pw_uid,
|
|
@@ -1633,7 +1642,11 @@ do_child(Session *s, const char *command
|
|
|
|
/* Force a password change */
|
|
if (s->authctxt->force_pwchange) {
|
|
+#ifdef WITH_SELINUX
|
|
+ do_setusercontext(pw, NULL); //should be passwd_t context set here?
|
|
+#else
|
|
do_setusercontext(pw);
|
|
+#endif
|
|
child_close_fds();
|
|
do_pwchange(s);
|
|
exit(1);
|
|
@@ -1660,7 +1673,11 @@ do_child(Session *s, const char *command
|
|
/* When PAM is enabled we rely on it to do the nologin check */
|
|
if (!options.use_pam)
|
|
do_nologin(pw);
|
|
+#ifdef WITH_SELINUX
|
|
+ do_setusercontext(pw, s->is_subsystem == SUBSYSTEM_INT_SFTP ? "sftpd_t" : NULL);
|
|
+#else
|
|
do_setusercontext(pw);
|
|
+#endif
|
|
/*
|
|
* PAM session modules in do_setusercontext may have
|
|
* generated messages, so if this in an interactive
|
|
@@ -1780,9 +1797,6 @@ do_child(Session *s, const char *command
|
|
argv[i] = NULL;
|
|
optind = optreset = 1;
|
|
__progname = argv[0];
|
|
-#ifdef WITH_SELINUX
|
|
- ssh_selinux_change_context("sftpd_t");
|
|
-#endif
|
|
exit(sftp_server_main(i, argv, s->pw));
|
|
}
|
|
|
|
diff -up openssh-5.8p1/session.h.sftpcontext openssh-5.8p1/session.h
|
|
--- openssh-5.8p1/session.h.sftpcontext 2011-03-17 06:38:15.287648531 +0100
|
|
+++ openssh-5.8p1/session.h 2011-03-17 06:40:25.907648653 +0100
|
|
@@ -84,7 +84,11 @@ Session *session_new(void);
|
|
Session *session_by_id(int);
|
|
Session *session_by_tty(char *);
|
|
void session_close(Session *);
|
|
+#ifdef WITH_SELINUX
|
|
+void do_setusercontext(struct passwd *, const char *);
|
|
+#else
|
|
void do_setusercontext(struct passwd *);
|
|
+#endif
|
|
void child_set_env(char ***envp, u_int *envsizep, const char *name,
|
|
const char *value);
|
|
|
|
diff -up openssh-5.8p1/sshd.c.sftpcontext openssh-5.8p1/sshd.c
|
|
--- openssh-5.8p1/sshd.c.sftpcontext 2011-03-17 06:40:55.961663207 +0100
|
|
+++ openssh-5.8p1/sshd.c 2011-03-17 06:45:14.037735849 +0100
|
|
@@ -772,7 +772,11 @@ privsep_postauth(Authctxt *authctxt)
|
|
RAND_seed(rnd, sizeof(rnd));
|
|
|
|
/* Drop privileges */
|
|
- do_setusercontext(authctxt->pw);
|
|
+#ifdef WITH_SELINUX
|
|
+ do_setusercontext(authctxt->pw, NULL);
|
|
+#else
|
|
+ do_setusercontext(authctxt->pw);
|
|
+#endif
|
|
|
|
skip:
|
|
/* It is safe now to apply the key state */
|