rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

don't use chroot_user_t for chrooted users (#830237)

Browse Source
This commit is contained in:
Petr Lautrbach 2012-09-15 12:26:36 +02:00
parent 9fe1afc163
commit 581bf30d07
3 changed files with 40 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
openssh-5.9p1-privsep-selinux.patch
View File

@ -1,35 +0,0 @@
diff -up openssh-5.9p1/session.c.privsep-selinux openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.privsep-selinux 2012-08-01 15:36:33.397565915 +0200
+++ openssh-5.9p1/session.c 2012-08-02 18:18:15.038094629 +0200
@@ -1536,6 +1536,13 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ if (options.chroot_directory == NULL ||
+ strcasecmp(options.chroot_directory, "none") == 0) {
+ ssh_selinux_copy_context();
+ }
+#endif
}
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
diff -up openssh-5.9p1/sshd.c.privsep-selinux openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.privsep-selinux 2012-08-01 16:09:22.949423356 +0200
+++ openssh-5.9p1/sshd.c 2012-08-02 18:07:22.912225684 +0200
@@ -790,6 +790,14 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
+#ifdef WITH_SELINUX
+ /* switch SELinux content for root too */
+ if (authctxt->pw->pw_uid == 0 && (options.chroot_directory == NULL ||
+ strcasecmp(options.chroot_directory, "none") == 0)) {
+ ssh_selinux_copy_context();
+ }
+#endif
+
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);

39
openssh-6.1p1-privsep-selinux.patch Normal file
View File

@ -0,0 +1,39 @@
diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
--- openssh-6.1p1/session.c.privsep-selinux 2012-09-15 13:45:26.079476022 +0200
+++ openssh-6.1p1/session.c 2012-09-15 13:45:28.460522390 +0200
@@ -1513,6 +1513,7 @@ do_setusercontext(struct passwd *pw)
platform_setusercontext_post_groups(pw);
+
if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
tmp = tilde_expand_filename(options.chroot_directory,
@@ -1536,6 +1537,10 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ ssh_selinux_copy_context();
+#endif
}
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.privsep-selinux 2012-09-15 13:45:26.062475676 +0200
+++ openssh-6.1p1/sshd.c 2012-09-15 13:45:28.467522539 +0200
@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
+#ifdef WITH_SELINUX
+ /* switch SELinux content for root too */
+ if (authctxt->pw->pw_uid == 0) {
+ ssh_selinux_copy_context();
+ }
+#endif
+
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);

2
openssh.spec
View File

@ -147,7 +147,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1940
#Patch403: openssh-5.9p1-sesandbox.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
Patch404: openssh-5.9p1-privsep-selinux.patch
Patch404: openssh-6.1p1-privsep-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Patch500: openssh-6.1p1-akc.patch