summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2013-05-22 02:08:11 +0100
committerColin Watson <cjwatson@debian.org>2013-05-22 02:08:11 +0100
commitb6e18c553fbbdc087b806a5839a516dfba0054a8 (patch)
treee605cc08b86ab873cef84d178ac945c066401a43
parentc961c7505700c1bb963909adcf994941045c2dac (diff)
Bracket our session stack with calls to pam_selinux close/open (thanks,
Laurent Bigonville; closes: #679458).
-rw-r--r--debian/changelog2
-rw-r--r--debian/openssh-server.sshd.pam13
2 files changed, 12 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 394096d41..27290431d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,8 @@ openssh (1:6.2p2-2) UNRELEASED; urgency=low
36 * This removes the last of our uses of debconf (closes: #221531). 36 * This removes the last of our uses of debconf (closes: #221531).
37 * Use the pam_loginuid session module (thanks, Laurent Bigonville; closes: 37 * Use the pam_loginuid session module (thanks, Laurent Bigonville; closes:
38 #677440, LP: #1067779). 38 #677440, LP: #1067779).
39 * Bracket our session stack with calls to pam_selinux close/open (thanks,
40 Laurent Bigonville; closes: #679458).
39 41
40 -- Colin Watson <cjwatson@debian.org> Tue, 21 May 2013 17:49:35 +0100 42 -- Colin Watson <cjwatson@debian.org> Tue, 21 May 2013 17:49:35 +0100
41 43
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam
index e61d67777..5f7ab2f60 100644
--- a/debian/openssh-server.sshd.pam
+++ b/debian/openssh-server.sshd.pam
@@ -13,6 +13,11 @@ account required pam_nologin.so
13# Standard Un*x authorization. 13# Standard Un*x authorization.
14@include common-account 14@include common-account
15 15
16# SELinux needs to be the first session rule. This ensures that any
17# lingering context has been cleared. Without this it is possible that a
18# module could execute code in the wrong domain.
19session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
20
16# Set the loginuid process attribute. 21# Set the loginuid process attribute.
17session required pam_loginuid.so 22session required pam_loginuid.so
18 23
@@ -31,9 +36,6 @@ session optional pam_mail.so standard noenv # [1]
31# Set up user limits from /etc/security/limits.conf. 36# Set up user limits from /etc/security/limits.conf.
32session required pam_limits.so 37session required pam_limits.so
33 38
34# Set up SELinux capabilities (need modified pam)
35# session required pam_selinux.so multiple
36
37# Read environment variables from /etc/environment and 39# Read environment variables from /etc/environment and
38# /etc/security/pam_env.conf. 40# /etc/security/pam_env.conf.
39session required pam_env.so # [1] 41session required pam_env.so # [1]
@@ -41,5 +43,10 @@ session required pam_env.so # [1]
41# /etc/default/locale, so read that as well. 43# /etc/default/locale, so read that as well.
42session required pam_env.so user_readenv=1 envfile=/etc/default/locale 44session required pam_env.so user_readenv=1 envfile=/etc/default/locale
43 45
46# SELinux needs to intervene at login time to ensure that the process starts
47# in the proper default security context. Only sessions which are intended
48# to run in the user's context should be run after this.
49session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
50
44# Standard Un*x password updating. 51# Standard Un*x password updating.
45@include common-password 52@include common-password