openssh-5.9p1-privsep-selinux.patch - change SELinux context also for
root user (#827109)
This commit is contained in:
Petr Lautrbach
parent
b648890ead
commit
0c438f5bc5
@ -1,40 +1,35 @@
|
|||||||
diff --git a/session.c b/session.c
|
diff -up openssh-5.9p1/session.c.privsep-selinux openssh-5.9p1/session.c
|
||||||
index 436ea48..49c9321 100644
|
--- openssh-5.9p1/session.c.privsep-selinux 2012-08-01 15:36:33.397565915 +0200
|
||||||
--- a/session.c
|
+++ openssh-5.9p1/session.c 2012-08-02 18:18:15.038094629 +0200
|
||||||
+++ b/session.c
|
@@ -1536,6 +1536,13 @@ do_setusercontext(struct passwd *pw)
|
||||||
@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)
|
/* Permanently switch to the desired uid. */
|
||||||
|
permanently_set_uid(pw);
|
||||||
#endif
|
#endif
|
||||||
|
+
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ if (options.chroot_directory == NULL ||
|
||||||
|
+ strcasecmp(options.chroot_directory, "none") == 0) {
|
||||||
|
+ ssh_selinux_copy_context();
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||||
|
diff -up openssh-5.9p1/sshd.c.privsep-selinux openssh-5.9p1/sshd.c
|
||||||
|
--- openssh-5.9p1/sshd.c.privsep-selinux 2012-08-01 16:09:22.949423356 +0200
|
||||||
|
+++ openssh-5.9p1/sshd.c 2012-08-02 18:07:22.912225684 +0200
|
||||||
|
@@ -790,6 +790,14 @@ privsep_postauth(Authctxt *authctxt)
|
||||||
|
do_setusercontext(authctxt->pw);
|
||||||
|
|
||||||
|
skip:
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ if (options.chroot_directory == NULL ||
|
+ /* switch SELinux content for root too */
|
||||||
+ strcasecmp(options.chroot_directory, "none") == 0) {
|
+ if (authctxt->pw->pw_uid == 0 && (options.chroot_directory == NULL ||
|
||||||
|
+ strcasecmp(options.chroot_directory, "none") == 0)) {
|
||||||
+ ssh_selinux_copy_context();
|
+ ssh_selinux_copy_context();
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
/* It is safe now to apply the key state */
|
||||||
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
monitor_apply_keystate(pmonitor);
|
||||||
}
|
|
||||||
@@ -1670,7 +1677,9 @@ do_child(Session *s, const char *command
|
|
||||||
/* When PAM is enabled we rely on it to do the nologin check */
|
|
||||||
if (!options.use_pam)
|
|
||||||
do_nologin(pw);
|
|
||||||
- do_setusercontext(pw);
|
|
||||||
+ /* We are already separated */
|
|
||||||
+ if (!use_privsep)
|
|
||||||
+ do_setusercontext(pw);
|
|
||||||
/*
|
|
||||||
* PAM session modules in do_setusercontext may have
|
|
||||||
* generated messages, so if this in an interactive
|
|
||||||
@@ -1791,8 +1800,8 @@ do_child(Session *s, const char *command
|
|
||||||
optind = optreset = 1;
|
|
||||||
__progname = argv[0];
|
|
||||||
#ifdef WITH_SELINUX
|
|
||||||
- if (options.chroot_directory == NULL ||
|
|
||||||
- strcasecmp(options.chroot_directory, "none") == 0) {
|
|
||||||
+ if (!use_privsep &&
|
|
||||||
+ (options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0)) {
|
|
||||||
ssh_selinux_copy_context();
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user