don't use chroot_user_t for chrooted users (#830237)
This commit is contained in:
parent
9fe1afc163
commit
581bf30d07
@ -1,35 +0,0 @@
|
||||
diff -up openssh-5.9p1/session.c.privsep-selinux openssh-5.9p1/session.c
|
||||
--- openssh-5.9p1/session.c.privsep-selinux 2012-08-01 15:36:33.397565915 +0200
|
||||
+++ openssh-5.9p1/session.c 2012-08-02 18:18:15.038094629 +0200
|
||||
@@ -1536,6 +1536,13 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (options.chroot_directory == NULL ||
|
||||
+ strcasecmp(options.chroot_directory, "none") == 0) {
|
||||
+ ssh_selinux_copy_context();
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||
diff -up openssh-5.9p1/sshd.c.privsep-selinux openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.privsep-selinux 2012-08-01 16:09:22.949423356 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2012-08-02 18:07:22.912225684 +0200
|
||||
@@ -790,6 +790,14 @@ privsep_postauth(Authctxt *authctxt)
|
||||
do_setusercontext(authctxt->pw);
|
||||
|
||||
skip:
|
||||
+#ifdef WITH_SELINUX
|
||||
+ /* switch SELinux content for root too */
|
||||
+ if (authctxt->pw->pw_uid == 0 && (options.chroot_directory == NULL ||
|
||||
+ strcasecmp(options.chroot_directory, "none") == 0)) {
|
||||
+ ssh_selinux_copy_context();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* It is safe now to apply the key state */
|
||||
monitor_apply_keystate(pmonitor);
|
||||
|
39
openssh-6.1p1-privsep-selinux.patch
Normal file
39
openssh-6.1p1-privsep-selinux.patch
Normal file
@ -0,0 +1,39 @@
|
||||
diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
|
||||
--- openssh-6.1p1/session.c.privsep-selinux 2012-09-15 13:45:26.079476022 +0200
|
||||
+++ openssh-6.1p1/session.c 2012-09-15 13:45:28.460522390 +0200
|
||||
@@ -1513,6 +1513,7 @@ do_setusercontext(struct passwd *pw)
|
||||
|
||||
platform_setusercontext_post_groups(pw);
|
||||
|
||||
+
|
||||
if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
tmp = tilde_expand_filename(options.chroot_directory,
|
||||
@@ -1536,6 +1537,10 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_copy_context();
|
||||
+#endif
|
||||
}
|
||||
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||
diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.privsep-selinux 2012-09-15 13:45:26.062475676 +0200
|
||||
+++ openssh-6.1p1/sshd.c 2012-09-15 13:45:28.467522539 +0200
|
||||
@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
|
||||
do_setusercontext(authctxt->pw);
|
||||
|
||||
skip:
|
||||
+#ifdef WITH_SELINUX
|
||||
+ /* switch SELinux content for root too */
|
||||
+ if (authctxt->pw->pw_uid == 0) {
|
||||
+ ssh_selinux_copy_context();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* It is safe now to apply the key state */
|
||||
monitor_apply_keystate(pmonitor);
|
||||
|
@ -147,7 +147,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1940
|
||||
#Patch403: openssh-5.9p1-sesandbox.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
||||
Patch404: openssh-5.9p1-privsep-selinux.patch
|
||||
Patch404: openssh-6.1p1-privsep-selinux.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
|
||||
Patch500: openssh-6.1p1-akc.patch
|
||||
|
Loading…
Reference in New Issue
Block a user