rpms / openssh

Clone
Source Code
GIT

Files

  1.   8fe15092c391da933be594d1f07fad781c9c402e
  2.   openssh-5.8p1-sftpcontext.patch
Blob Blame History Raw 
diff -up openssh-5.8p1/session.c.sftpcontext openssh-5.8p1/session.c
--- openssh-5.8p1/session.c.sftpcontext	2011-03-17 06:20:41.651773603 +0100
+++ openssh-5.8p1/session.c	2011-03-17 06:39:11.947648737 +0100
@@ -1479,12 +1479,21 @@ safely_chroot(const char *path, uid_t ui
 
 /* Set login name, uid, gid, and groups. */
 void
+#ifdef WITH_SELINUX
+do_setusercontext(struct passwd *pw, const char *context)
+#else
 do_setusercontext(struct passwd *pw)
+#endif
 {
 	char *chroot_path, *tmp;
 
 	platform_setusercontext(pw);
 
+#ifdef WITH_SELINUX
+	if (context)
+		ssh_selinux_change_context(context);
+#endif
+
 	if (platform_privileged_uidswap()) {
 #ifdef HAVE_LOGIN_CAP
 		if (setusercontext(lc, pw, pw->pw_uid,
@@ -1633,7 +1642,11 @@ do_child(Session *s, const char *command
 
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
+#ifdef WITH_SELINUX
+		do_setusercontext(pw, NULL); //should be passwd_t context set here?
+#else
 		do_setusercontext(pw);
+#endif
 		child_close_fds();
 		do_pwchange(s);
 		exit(1);
@@ -1660,7 +1673,11 @@ do_child(Session *s, const char *command
 		/* When PAM is enabled we rely on it to do the nologin check */
 		if (!options.use_pam)
 			do_nologin(pw);
+#ifdef WITH_SELINUX
+		do_setusercontext(pw, s->is_subsystem == SUBSYSTEM_INT_SFTP ? "sftpd_t" : NULL);
+#else
 		do_setusercontext(pw);
+#endif
 		/*
 		 * PAM session modules in do_setusercontext may have
 		 * generated messages, so if this in an interactive
@@ -1780,9 +1797,6 @@ do_child(Session *s, const char *command
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
-#ifdef WITH_SELINUX
-		ssh_selinux_change_context("sftpd_t");
-#endif
 		exit(sftp_server_main(i, argv, s->pw));
 	}
 
diff -up openssh-5.8p1/session.h.sftpcontext openssh-5.8p1/session.h
--- openssh-5.8p1/session.h.sftpcontext	2011-03-17 06:38:15.287648531 +0100
+++ openssh-5.8p1/session.h	2011-03-17 06:40:25.907648653 +0100
@@ -84,7 +84,11 @@ Session	*session_new(void);
 Session *session_by_id(int);
 Session	*session_by_tty(char *);
 void	 session_close(Session *);
+#ifdef WITH_SELINUX
+void	 do_setusercontext(struct passwd *, const char *);
+#else
 void	 do_setusercontext(struct passwd *);
+#endif
 void	 child_set_env(char ***envp, u_int *envsizep, const char *name,
 		       const char *value);
 
diff -up openssh-5.8p1/sshd.c.sftpcontext openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.sftpcontext	2011-03-17 06:40:55.961663207 +0100
+++ openssh-5.8p1/sshd.c	2011-03-17 06:45:14.037735849 +0100
@@ -772,7 +772,11 @@ privsep_postauth(Authctxt *authctxt)
 	RAND_seed(rnd, sizeof(rnd));
 
 	/* Drop privileges */
-	do_setusercontext(authctxt->pw);
+#ifdef WITH_SELINUX
+	do_setusercontext(authctxt->pw, NULL);
+#else
+	do_setusercontext(authctxt->pw);
+#endif
 
  skip:
 	/* It is safe now to apply the key state */
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.