diff options
| author | Colin Watson <cjwatson@debian.org> | 2013-05-22 02:08:11 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2013-05-22 02:08:11 +0100 |
| commit | b6e18c553fbbdc087b806a5839a516dfba0054a8 (patch) | |
| tree | e605cc08b86ab873cef84d178ac945c066401a43 | |
| parent | c961c7505700c1bb963909adcf994941045c2dac (diff) | |
Bracket our session stack with calls to pam_selinux close/open (thanks,
Laurent Bigonville; closes: #679458).
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | debian/openssh-server.sshd.pam | 13 |
2 files changed, 12 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index 394096d41..27290431d 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -36,6 +36,8 @@ openssh (1:6.2p2-2) UNRELEASED; urgency=low | |||
| 36 | * This removes the last of our uses of debconf (closes: #221531). | 36 | * This removes the last of our uses of debconf (closes: #221531). |
| 37 | * Use the pam_loginuid session module (thanks, Laurent Bigonville; closes: | 37 | * Use the pam_loginuid session module (thanks, Laurent Bigonville; closes: |
| 38 | #677440, LP: #1067779). | 38 | #677440, LP: #1067779). |
| 39 | * Bracket our session stack with calls to pam_selinux close/open (thanks, | ||
| 40 | Laurent Bigonville; closes: #679458). | ||
| 39 | 41 | ||
| 40 | -- Colin Watson <cjwatson@debian.org> Tue, 21 May 2013 17:49:35 +0100 | 42 | -- Colin Watson <cjwatson@debian.org> Tue, 21 May 2013 17:49:35 +0100 |
| 41 | 43 | ||
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam index e61d67777..5f7ab2f60 100644 --- a/debian/openssh-server.sshd.pam +++ b/debian/openssh-server.sshd.pam | |||
| @@ -13,6 +13,11 @@ account required pam_nologin.so | |||
| 13 | # Standard Un*x authorization. | 13 | # Standard Un*x authorization. |
| 14 | @include common-account | 14 | @include common-account |
| 15 | 15 | ||
| 16 | # SELinux needs to be the first session rule. This ensures that any | ||
| 17 | # lingering context has been cleared. Without this it is possible that a | ||
| 18 | # module could execute code in the wrong domain. | ||
| 19 | session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close | ||
| 20 | |||
| 16 | # Set the loginuid process attribute. | 21 | # Set the loginuid process attribute. |
| 17 | session required pam_loginuid.so | 22 | session required pam_loginuid.so |
| 18 | 23 | ||
| @@ -31,9 +36,6 @@ session optional pam_mail.so standard noenv # [1] | |||
| 31 | # Set up user limits from /etc/security/limits.conf. | 36 | # Set up user limits from /etc/security/limits.conf. |
| 32 | session required pam_limits.so | 37 | session required pam_limits.so |
| 33 | 38 | ||
| 34 | # Set up SELinux capabilities (need modified pam) | ||
| 35 | # session required pam_selinux.so multiple | ||
| 36 | |||
| 37 | # Read environment variables from /etc/environment and | 39 | # Read environment variables from /etc/environment and |
| 38 | # /etc/security/pam_env.conf. | 40 | # /etc/security/pam_env.conf. |
| 39 | session required pam_env.so # [1] | 41 | session required pam_env.so # [1] |
| @@ -41,5 +43,10 @@ session required pam_env.so # [1] | |||
| 41 | # /etc/default/locale, so read that as well. | 43 | # /etc/default/locale, so read that as well. |
| 42 | session required pam_env.so user_readenv=1 envfile=/etc/default/locale | 44 | session required pam_env.so user_readenv=1 envfile=/etc/default/locale |
| 43 | 45 | ||
| 46 | # SELinux needs to intervene at login time to ensure that the process starts | ||
| 47 | # in the proper default security context. Only sessions which are intended | ||
| 48 | # to run in the user's context should be run after this. | ||
| 49 | session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open | ||
| 50 | |||
| 44 | # Standard Un*x password updating. | 51 | # Standard Un*x password updating. |
| 45 | @include common-password | 52 | @include common-password |