Handle root logins the same way as other users (#1269072)
Root users are unconfined by definition, but they can still be limited by SELinux, so privilege separation still makes sense for them. As a consequence, we can remove the hunk that handled this case when forking was skipped.
parent
22a08c3da4
commit
0ebe96b604
@ -122,17 +122,13 @@ index 07f9926..a97f8b7 100644
|
|||||||
/* Change our root directory */
|
/* Change our root directory */
|
||||||
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
||||||
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
||||||
@@ -768,6 +772,13 @@ privsep_postauth(Authctxt *authctxt)
|
@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt)
|
||||||
do_setusercontext(authctxt->pw);
|
|
||||||
|
|
||||||
skip:
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+ /* switch SELinux content for root too */
|
|
||||||
+ if (authctxt->pw->pw_uid == 0) {
|
|
||||||
+ sshd_selinux_copy_context();
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* It is safe now to apply the key state */
|
|
||||||
monitor_apply_keystate(pmonitor);
|
|
||||||
|
|
||||||
|
#ifdef DISABLE_FD_PASSING
|
||||||
|
if (1) {
|
||||||
|
+#elif defined(WITH_SELINUX)
|
||||||
|
+ if (options.use_login) {
|
||||||
|
+ /* even root user can be confined by SELinux */
|
||||||
|
#else
|
||||||
|
if (authctxt->pw->pw_uid == 0 || options.use_login) {
|
||||||
|
#endif
|
||||||
|
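Review bot: With `WITH_SELINUX` defined, the new `#elif` branch still takes the no-fork path for `options.use_login` (and the `DISABLE_FD_PASSING` branch takes it unconditionally), yet the block after `skip:` that called `sshd_selinux_copy_context()` for uid 0 is removed entirely. A root login on either of those paths therefore appears to reach `monitor_apply_keystate()` without the SELinux context switch it previously got; the body of the `if` and the rest of `privsep_postauth()` are outside the hunk, so this is inferred from the `skip:` label. Either keep the guarded call for the paths that still skip forking, `if (authctxt->pw->pw_uid == 0) sshd_selinux_copy_context();` under `#ifdef WITH_SELINUX`, or add a comment saying where the context is set for UseLogin. The comment `/* even root user can be confined by SELinux */` would also read better above the `#elif` line, since inside the brace it appears to describe the UseLogin branch.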