rpms / openssh

Clone
Source Code
GIT

Blame openssh-4.7p1-selinux.patch

86_addmissingnb f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fix_f38_terrapin fix_f39_terrapin gsskexfix main master-future openssh85286 openssh96_rebase_combined openssh_96rebase openssh_rebase_90to93 openssh_rebase_90to93_cont openssh_rebase_90to93_fin private-controlpersist-4_3p2-9-branch private-master-vanilla private-openssh-4_5p1-6-controlpersist-branch rawhide sshkeysign_fix
  1.   c9833c96a49414065c7e0c0bafd276709bc83b62
  2.   openssh-4.7p1-selinux.patch
Blob History Raw
c9833c9 
diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac
c9833c9 
--- openssh-4.7p1/configure.ac.selinux	2007-09-06 19:46:32.000000000 +0200
c9833c9 
+++ openssh-4.7p1/configure.ac	2007-09-06 19:52:23.000000000 +0200
c9833c9 
@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux,
c9833c9 
 		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
c9833c9 
 		    AC_MSG_ERROR(SELinux support requires libselinux library))
c9833c9 
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
c9833c9 
+		LIBS="$LIBS $LIBSELINUX"
c9833c9 
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
c9833c9 
 		LIBS="$save_LIBS"
c9833c9 
 	fi ]
c9833c9 
diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
c9833c9 
--- openssh-4.7p1/auth1.c.selinux	2007-09-06 19:46:32.000000000 +0200
c9833c9 
+++ openssh-4.7p1/auth1.c	2007-09-06 19:46:32.000000000 +0200
c9833c9 
@@ -388,7 +388,7 @@ void
ad07b99 
 do_authentication(Authctxt *authctxt)
ad07b99 
 {
ad07b99 
 	u_int ulen;
ad07b99 
-	char *user, *style = NULL;
ad07b99 
+	char *user, *style = NULL, *role=NULL;
ad07b99
ad07b99 
 	/* Get the name of the user that we wish to log in as. */
ad07b99 
 	packet_read_expect(SSH_CMSG_USER);
c9833c9 
@@ -397,11 +397,19 @@ do_authentication(Authctxt *authctxt)
ad07b99 
 	user = packet_get_string(&ulen);
ad07b99 
 	packet_check_eom();
ad07b99
ad07b99 
+	if ((role = strchr(user, '/')) != NULL)
ad07b99 
+		*role++ = '\0';
ad07b99 
+
ad07b99 
 	if ((style = strchr(user, ':')) != NULL)
ad07b99 
 		*style++ = '\0';
ad07b99 
+	else
ad07b99 
+		if (role && (style = strchr(role, ':')) != NULL)
ad07b99 
+			*style++ = '\0';
ad07b99 
+
ad07b99
ad07b99 
 	authctxt->user = user;
ad07b99 
 	authctxt->style = style;
ad07b99 
+	authctxt->role = role;
ad07b99
ad07b99 
 	/* Verify that the user is a valid user. */
ad07b99 
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
c9833c9 
diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h
c9833c9 
--- openssh-4.7p1/monitor_wrap.h.selinux	2006-08-05 04:39:40.000000000 +0200
c9833c9 
+++ openssh-4.7p1/monitor_wrap.h	2007-09-06 19:46:32.000000000 +0200
c9833c9 
@@ -41,6 +41,7 @@ int mm_is_monitor(void);
c9833c9 
 DH *mm_choose_dh(int, int, int);
c9833c9 
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
c9833c9 
 void mm_inform_authserv(char *, char *);
c9833c9 
+void mm_inform_authrole(char *);
c9833c9 
 struct passwd *mm_getpwnamallow(const char *);
c9833c9 
 char *mm_auth2_read_banner(void);
c9833c9 
 int mm_auth_password(struct Authctxt *, char *);
c9833c9 
diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h
c9833c9 
--- openssh-4.7p1/monitor.h.selinux	2006-03-26 05:30:02.000000000 +0200
c9833c9 
+++ openssh-4.7p1/monitor.h	2007-09-06 19:46:32.000000000 +0200
c9833c9 
@@ -30,7 +30,7 @@
ad07b99
c9833c9 
 enum monitor_reqtype {
c9833c9 
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
c9833c9 
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
c9833c9 
+	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
c9833c9 
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
c9833c9 
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
c9833c9 
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
c9833c9 
diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c
c9833c9 
--- openssh-4.7p1/monitor_wrap.c.selinux	2007-06-11 06:01:42.000000000 +0200
c9833c9 
+++ openssh-4.7p1/monitor_wrap.c	2007-09-06 19:46:32.000000000 +0200
c9833c9 
@@ -294,6 +294,23 @@ mm_inform_authserv(char *service, char *
c9833c9 
 	buffer_free(&m);
ad07b99 
 }
ad07b99
c9833c9 
+/* Inform the privileged process about role */
c9833c9 
+
c9833c9 
+void
c9833c9 
+mm_inform_authrole(char *role)
ad07b99 
+{
c9833c9 
+	Buffer m;
ad07b99 
+
c9833c9 
+	debug3("%s entering", __func__);
ad07b99 
+
c9833c9 
+	buffer_init(&m);
c9833c9 
+	buffer_put_cstring(&m, role ? role : "");
ad07b99 
+
c9833c9 
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
c9833c9 
+
c9833c9 
+	buffer_free(&m);
ad07b99 
+}
ad07b99 
+
c9833c9 
 /* Do the password authentication */
c9833c9 
 int
c9833c9 
 mm_auth_password(Authctxt *authctxt, char *password)
c9833c9 
diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd-compat/port-linux.c
c9833c9 
--- openssh-4.7p1/openbsd-compat/port-linux.c.selinux	2007-06-28 00:48:03.000000000 +0200
c9833c9 
+++ openssh-4.7p1/openbsd-compat/port-linux.c	2007-09-06 19:46:32.000000000 +0200
ad07b99 
@@ -30,11 +30,16 @@
ad07b99 
 #ifdef WITH_SELINUX
ad07b99 
 #include "log.h"
ad07b99 
 #include "port-linux.h"
ad07b99 
+#include "key.h"
ad07b99 
+#include "hostfile.h"
ad07b99 
+#include "auth.h"
ad07b99
ad07b99 
 #include <selinux/selinux.h>
ad07b99 
 #include <selinux/flask.h>
ad07b99 
 #include <selinux/get_context_list.h>
ad07b99
ad07b99 
+extern Authctxt *the_authctxt;
ad07b99 
+
ad07b99 
 /* Wrapper around is_selinux_enabled() to log its return value once only */
ad07b99 
 static int
ad07b99 
 ssh_selinux_enabled(void)
c9833c9 
@@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
ad07b99 
 static security_context_t
ad07b99 
 ssh_selinux_getctxbyname(char *pwname)
ad07b99 
 {
ad07b99 
-	security_context_t sc;
ad07b99 
-	char *sename = NULL, *lvl = NULL;
ad07b99 
-	int r;
ad07b99 
+	security_context_t sc = NULL;
ad07b99 
+	char *sename, *lvl;
ad07b99 
+	char *role = NULL;
ad07b99 
+	int r = 0;
ad07b99
ad07b99 
+	if (the_authctxt)
ad07b99 
+		role=the_authctxt->role;
ad07b99 
 #ifdef HAVE_GETSEUSERBYNAME
ad07b99 
-	if (getseuserbyname(pwname, &sename, &lvl) != 0)
ad07b99 
-		return NULL;
73a8557 
+	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
ad07b99 
+		sename = NULL;
ad07b99 
+		lvl = NULL;
ad07b99 
+	}
ad07b99 
 #else
ad07b99 
 	sename = pwname;
ad07b99 
 	lvl = NULL;
ad07b99 
 #endif
ad07b99
ad07b99 
+	if (r == 0) {
ad07b99 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
ad07b99 
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
ad07b99 
+		if (role != NULL && role[0])
ad07b99 
+			r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
ad07b99 
+		else
ad07b99 
+			r = get_default_context_with_level(sename, lvl, NULL, &sc);
ad07b99 
 #else
ad07b99 
-	r = get_default_context(sename, NULL, &sc);
ad07b99 
+		if (role != NULL && role[0])
ad07b99 
+			r = get_default_context_with_role(sename, role, NULL, &sc);
ad07b99 
+		else
ad07b99 
+			r = get_default_context(sename, NULL, &sc);
ad07b99 
 #endif
ad07b99 
+	}
ad07b99
ad07b99 
 	if (r != 0) {
ad07b99 
 		switch (security_getenforce()) {
c9833c9 
diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h
c9833c9 
--- openssh-4.7p1/auth.h.selinux	2006-08-18 16:32:46.000000000 +0200
c9833c9 
+++ openssh-4.7p1/auth.h	2007-09-06 19:46:32.000000000 +0200
c9833c9 
@@ -58,6 +58,7 @@ struct Authctxt {
c9833c9 
 	char		*service;
c9833c9 
 	struct passwd	*pw;		/* set if 'valid' */
c9833c9 
 	char		*style;
c9833c9 
+	char		*role;
c9833c9 
 	void		*kbdintctxt;
c9833c9 
 #ifdef BSD_AUTH
c9833c9 
 	auth_session_t	*as;
c9833c9 
diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
c9833c9 
--- openssh-4.7p1/auth2.c.selinux	2007-05-20 06:58:41.000000000 +0200
c9833c9 
+++ openssh-4.7p1/auth2.c	2007-09-06 19:46:32.000000000 +0200
c9833c9 
@@ -141,7 +141,7 @@ input_userauth_request(int type, u_int32
ad07b99 
 {
ad07b99 
 	Authctxt *authctxt = ctxt;
ad07b99 
 	Authmethod *m = NULL;
ad07b99 
-	char *user, *service, *method, *style = NULL;
ad07b99 
+	char *user, *service, *method, *style = NULL, *role = NULL;
ad07b99 
 	int authenticated = 0;
ad07b99
ad07b99 
 	if (authctxt == NULL)
c9833c9 
@@ -153,6 +153,9 @@ input_userauth_request(int type, u_int32
ad07b99 
 	debug("userauth-request for user %s service %s method %s", user, service, method);
ad07b99 
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
ad07b99
ad07b99 
+	if ((role = strchr(user, '/')) != NULL)
ad07b99 
+		*role++ = 0;
ad07b99 
+
ad07b99 
 	if ((style = strchr(user, ':')) != NULL)
ad07b99 
 		*style++ = 0;
ad07b99
c9833c9 
@@ -178,8 +181,11 @@ input_userauth_request(int type, u_int32
ad07b99 
 		    use_privsep ? " [net]" : "");
ad07b99 
 		authctxt->service = xstrdup(service);
ad07b99 
 		authctxt->style = style ? xstrdup(style) : NULL;
ad07b99 
-		if (use_privsep)
ad07b99 
+		authctxt->role = role ? xstrdup(role) : NULL;
ad07b99 
+		if (use_privsep) {
ad07b99 
 			mm_inform_authserv(service, style);
ad07b99 
+			mm_inform_authrole(role);
ad07b99 
+		}
ad07b99 
 	} else if (strcmp(user, authctxt->user) != 0 ||
ad07b99 
 	    strcmp(service, authctxt->service) != 0) {
ad07b99 
 		packet_disconnect("Change of username or service not allowed: "
c9833c9 
diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
c9833c9 
--- openssh-4.7p1/monitor.c.selinux	2007-05-20 07:10:16.000000000 +0200
c9833c9 
+++ openssh-4.7p1/monitor.c	2007-09-06 19:46:32.000000000 +0200
c9833c9 
@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *);
c9833c9 
 int mm_answer_pwnamallow(int, Buffer *);
c9833c9 
 int mm_answer_auth2_read_banner(int, Buffer *);
c9833c9 
 int mm_answer_authserv(int, Buffer *);
c9833c9 
+int mm_answer_authrole(int, Buffer *);
c9833c9 
 int mm_answer_authpassword(int, Buffer *);
c9833c9 
 int mm_answer_bsdauthquery(int, Buffer *);
c9833c9 
 int mm_answer_bsdauthrespond(int, Buffer *);
c9833c9 
@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[]
c9833c9 
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
c9833c9 
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
c9833c9 
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
c9833c9 
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
c9833c9 
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
c9833c9 
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
c9833c9 
 #ifdef USE_PAM
c9833c9 
@@ -657,6 +659,7 @@ mm_answer_pwnamallow(int sock, Buffer *m
c9833c9 
 	else {
c9833c9 
 		/* Allow service/style information on the auth context */
c9833c9 
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
c9833c9 
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
c9833c9 
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
c9833c9 
 	}
c9833c9
c9833c9 
@@ -702,6 +705,23 @@ mm_answer_authserv(int sock, Buffer *m)
ad07b99 
 }
ad07b99
c9833c9 
 int
c9833c9 
+mm_answer_authrole(int sock, Buffer *m)
ad07b99 
+{
c9833c9 
+	monitor_permit_authentications(1);
ad07b99 
+
c9833c9 
+	authctxt->role = buffer_get_string(m, NULL);
c9833c9 
+	debug3("%s: role=%s",
c9833c9 
+	    __func__, authctxt->role);
ad07b99 
+
c9833c9 
+	if (strlen(authctxt->role) == 0) {
c9833c9 
+		xfree(authctxt->role);
c9833c9 
+		authctxt->role = NULL;
c9833c9 
+	}
ad07b99 
+
c9833c9 
+	return (0);
ad07b99 
+}
ad07b99 
+
c9833c9 
+int
c9833c9 
 mm_answer_authpassword(int sock, Buffer *m)
c9833c9 
 {
c9833c9 
 	static int call_count;
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.