diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:19 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:25:52 +0000 |
| commit | d26565af8589d88f824b26f31da493f1056efcf4 (patch) | |
| tree | ff5e3b9c0fbb553f4f4c6e8836070659f266108e /debian/patches/selinux-role.patch | |
| parent | 16fb149cbb42efe0cb13f3edbafcb1a21ecfe574 (diff) | |
| parent | bb5616c94d6d6b97890e90dd01a7ad07c663dc0b (diff) | |
Initialize git-dpm
Diffstat (limited to 'debian/patches/selinux-role.patch')
| -rw-r--r-- | debian/patches/selinux-role.patch | 171 |
1 files changed, 98 insertions, 73 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index f3376c20a..8aa8f614e 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
| @@ -1,17 +1,41 @@ | |||
| 1 | Description: Handle SELinux authorisation roles | 1 | From 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 Mon Sep 17 00:00:00 2001 |
| 2 | Rejected upstream due to discomfort with magic usernames; a better approach | 2 | From: Manoj Srivastava <srivasta@debian.org> |
| 3 | will need an SSH protocol change. In the meantime, this came from Debian's | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
| 4 | SELinux maintainer, so we'll keep it until we have something better. | 4 | Subject: Handle SELinux authorisation roles |
| 5 | Author: Manoj Srivastava <srivasta@debian.org> | 5 | |
| 6 | Rejected upstream due to discomfort with magic usernames; a better approach | ||
| 7 | will need an SSH protocol change. In the meantime, this came from Debian's | ||
| 8 | SELinux maintainer, so we'll keep it until we have something better. | ||
| 9 | |||
| 6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 | 10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 |
| 7 | Bug-Debian: http://bugs.debian.org/394795 | 11 | Bug-Debian: http://bugs.debian.org/394795 |
| 8 | Last-Update: 2013-09-14 | 12 | Last-Update: 2013-09-14 |
| 9 | 13 | ||
| 10 | Index: b/auth.h | 14 | Patch-Name: selinux-role.patch |
| 11 | =================================================================== | 15 | --- |
| 16 | auth.h | 1 + | ||
| 17 | auth1.c | 8 +++++++- | ||
| 18 | auth2.c | 10 ++++++++-- | ||
| 19 | monitor.c | 32 +++++++++++++++++++++++++++++--- | ||
| 20 | monitor.h | 2 ++ | ||
| 21 | monitor_wrap.c | 22 ++++++++++++++++++++-- | ||
| 22 | monitor_wrap.h | 3 ++- | ||
| 23 | openbsd-compat/port-linux.c | 27 ++++++++++++++++++++------- | ||
| 24 | openbsd-compat/port-linux.h | 4 ++-- | ||
| 25 | platform.c | 4 ++-- | ||
| 26 | platform.h | 2 +- | ||
| 27 | session.c | 10 +++++----- | ||
| 28 | session.h | 2 +- | ||
| 29 | sshd.c | 2 +- | ||
| 30 | sshpty.c | 4 ++-- | ||
| 31 | sshpty.h | 2 +- | ||
| 32 | 16 files changed, 104 insertions(+), 31 deletions(-) | ||
| 33 | |||
| 34 | diff --git a/auth.h b/auth.h | ||
| 35 | index 80f0898..5b6824f 100644 | ||
| 12 | --- a/auth.h | 36 | --- a/auth.h |
| 13 | +++ b/auth.h | 37 | +++ b/auth.h |
| 14 | @@ -59,6 +59,7 @@ | 38 | @@ -59,6 +59,7 @@ struct Authctxt { |
| 15 | char *service; | 39 | char *service; |
| 16 | struct passwd *pw; /* set if 'valid' */ | 40 | struct passwd *pw; /* set if 'valid' */ |
| 17 | char *style; | 41 | char *style; |
| @@ -19,11 +43,11 @@ Index: b/auth.h | |||
| 19 | void *kbdintctxt; | 43 | void *kbdintctxt; |
| 20 | char *info; /* Extra info for next auth_log */ | 44 | char *info; /* Extra info for next auth_log */ |
| 21 | void *jpake_ctx; | 45 | void *jpake_ctx; |
| 22 | Index: b/auth1.c | 46 | diff --git a/auth1.c b/auth1.c |
| 23 | =================================================================== | 47 | index f1ac598..2803a3c 100644 |
| 24 | --- a/auth1.c | 48 | --- a/auth1.c |
| 25 | +++ b/auth1.c | 49 | +++ b/auth1.c |
| 26 | @@ -380,7 +380,7 @@ | 50 | @@ -380,7 +380,7 @@ void |
| 27 | do_authentication(Authctxt *authctxt) | 51 | do_authentication(Authctxt *authctxt) |
| 28 | { | 52 | { |
| 29 | u_int ulen; | 53 | u_int ulen; |
| @@ -32,7 +56,7 @@ Index: b/auth1.c | |||
| 32 | 56 | ||
| 33 | /* Get the name of the user that we wish to log in as. */ | 57 | /* Get the name of the user that we wish to log in as. */ |
| 34 | packet_read_expect(SSH_CMSG_USER); | 58 | packet_read_expect(SSH_CMSG_USER); |
| 35 | @@ -389,11 +389,17 @@ | 59 | @@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt) |
| 36 | user = packet_get_cstring(&ulen); | 60 | user = packet_get_cstring(&ulen); |
| 37 | packet_check_eom(); | 61 | packet_check_eom(); |
| 38 | 62 | ||
| @@ -50,11 +74,11 @@ Index: b/auth1.c | |||
| 50 | 74 | ||
| 51 | /* Verify that the user is a valid user. */ | 75 | /* Verify that the user is a valid user. */ |
| 52 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | 76 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
| 53 | Index: b/auth2.c | 77 | diff --git a/auth2.c b/auth2.c |
| 54 | =================================================================== | 78 | index 6ed8f04..b55bbcd 100644 |
| 55 | --- a/auth2.c | 79 | --- a/auth2.c |
| 56 | +++ b/auth2.c | 80 | +++ b/auth2.c |
| 57 | @@ -222,7 +222,7 @@ | 81 | @@ -222,7 +222,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
| 58 | { | 82 | { |
| 59 | Authctxt *authctxt = ctxt; | 83 | Authctxt *authctxt = ctxt; |
| 60 | Authmethod *m = NULL; | 84 | Authmethod *m = NULL; |
| @@ -63,7 +87,7 @@ Index: b/auth2.c | |||
| 63 | int authenticated = 0; | 87 | int authenticated = 0; |
| 64 | 88 | ||
| 65 | if (authctxt == NULL) | 89 | if (authctxt == NULL) |
| 66 | @@ -234,8 +234,13 @@ | 90 | @@ -234,8 +234,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
| 67 | debug("userauth-request for user %s service %s method %s", user, service, method); | 91 | debug("userauth-request for user %s service %s method %s", user, service, method); |
| 68 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 92 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
| 69 | 93 | ||
| @@ -77,7 +101,7 @@ Index: b/auth2.c | |||
| 77 | 101 | ||
| 78 | if (authctxt->attempt++ == 0) { | 102 | if (authctxt->attempt++ == 0) { |
| 79 | /* setup auth context */ | 103 | /* setup auth context */ |
| 80 | @@ -259,8 +264,9 @@ | 104 | @@ -259,8 +264,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
| 81 | use_privsep ? " [net]" : ""); | 105 | use_privsep ? " [net]" : ""); |
| 82 | authctxt->service = xstrdup(service); | 106 | authctxt->service = xstrdup(service); |
| 83 | authctxt->style = style ? xstrdup(style) : NULL; | 107 | authctxt->style = style ? xstrdup(style) : NULL; |
| @@ -88,11 +112,11 @@ Index: b/auth2.c | |||
| 88 | userauth_banner(); | 112 | userauth_banner(); |
| 89 | if (auth2_setup_methods_lists(authctxt) != 0) | 113 | if (auth2_setup_methods_lists(authctxt) != 0) |
| 90 | packet_disconnect("no authentication methods enabled"); | 114 | packet_disconnect("no authentication methods enabled"); |
| 91 | Index: b/monitor.c | 115 | diff --git a/monitor.c b/monitor.c |
| 92 | =================================================================== | 116 | index 9079c97..e8d63eb 100644 |
| 93 | --- a/monitor.c | 117 | --- a/monitor.c |
| 94 | +++ b/monitor.c | 118 | +++ b/monitor.c |
| 95 | @@ -146,6 +146,7 @@ | 119 | @@ -146,6 +146,7 @@ int mm_answer_sign(int, Buffer *); |
| 96 | int mm_answer_pwnamallow(int, Buffer *); | 120 | int mm_answer_pwnamallow(int, Buffer *); |
| 97 | int mm_answer_auth2_read_banner(int, Buffer *); | 121 | int mm_answer_auth2_read_banner(int, Buffer *); |
| 98 | int mm_answer_authserv(int, Buffer *); | 122 | int mm_answer_authserv(int, Buffer *); |
| @@ -100,7 +124,7 @@ Index: b/monitor.c | |||
| 100 | int mm_answer_authpassword(int, Buffer *); | 124 | int mm_answer_authpassword(int, Buffer *); |
| 101 | int mm_answer_bsdauthquery(int, Buffer *); | 125 | int mm_answer_bsdauthquery(int, Buffer *); |
| 102 | int mm_answer_bsdauthrespond(int, Buffer *); | 126 | int mm_answer_bsdauthrespond(int, Buffer *); |
| 103 | @@ -227,6 +228,7 @@ | 127 | @@ -227,6 +228,7 @@ struct mon_table mon_dispatch_proto20[] = { |
| 104 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
| 105 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
| 106 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
| @@ -108,7 +132,7 @@ Index: b/monitor.c | |||
| 108 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
| 109 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
| 110 | #ifdef USE_PAM | 134 | #ifdef USE_PAM |
| 111 | @@ -844,6 +846,7 @@ | 135 | @@ -844,6 +846,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) |
| 112 | else { | 136 | else { |
| 113 | /* Allow service/style information on the auth context */ | 137 | /* Allow service/style information on the auth context */ |
| 114 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
| @@ -116,7 +140,7 @@ Index: b/monitor.c | |||
| 116 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
| 117 | } | 141 | } |
| 118 | #ifdef USE_PAM | 142 | #ifdef USE_PAM |
| 119 | @@ -874,14 +877,37 @@ | 143 | @@ -874,14 +877,37 @@ mm_answer_authserv(int sock, Buffer *m) |
| 120 | 144 | ||
| 121 | authctxt->service = buffer_get_string(m, NULL); | 145 | authctxt->service = buffer_get_string(m, NULL); |
| 122 | authctxt->style = buffer_get_string(m, NULL); | 146 | authctxt->style = buffer_get_string(m, NULL); |
| @@ -156,7 +180,7 @@ Index: b/monitor.c | |||
| 156 | return (0); | 180 | return (0); |
| 157 | } | 181 | } |
| 158 | 182 | ||
| 159 | @@ -1486,7 +1512,7 @@ | 183 | @@ -1486,7 +1512,7 @@ mm_answer_pty(int sock, Buffer *m) |
| 160 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
| 161 | if (res == 0) | 185 | if (res == 0) |
| 162 | goto error; | 186 | goto error; |
| @@ -165,11 +189,11 @@ Index: b/monitor.c | |||
| 165 | 189 | ||
| 166 | buffer_put_int(m, 1); | 190 | buffer_put_int(m, 1); |
| 167 | buffer_put_cstring(m, s->tty); | 191 | buffer_put_cstring(m, s->tty); |
| 168 | Index: b/monitor.h | 192 | diff --git a/monitor.h b/monitor.h |
| 169 | =================================================================== | 193 | index 315ef99..3c13706 100644 |
| 170 | --- a/monitor.h | 194 | --- a/monitor.h |
| 171 | +++ b/monitor.h | 195 | +++ b/monitor.h |
| 172 | @@ -73,6 +73,8 @@ | 196 | @@ -73,6 +73,8 @@ enum monitor_reqtype { |
| 173 | MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, | 197 | MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, |
| 174 | MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, | 198 | MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, |
| 175 | 199 | ||
| @@ -178,11 +202,11 @@ Index: b/monitor.h | |||
| 178 | }; | 202 | }; |
| 179 | 203 | ||
| 180 | struct mm_master; | 204 | struct mm_master; |
| 181 | Index: b/monitor_wrap.c | 205 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
| 182 | =================================================================== | 206 | index 44019f3..69bc324 100644 |
| 183 | --- a/monitor_wrap.c | 207 | --- a/monitor_wrap.c |
| 184 | +++ b/monitor_wrap.c | 208 | +++ b/monitor_wrap.c |
| 185 | @@ -320,10 +320,10 @@ | 209 | @@ -320,10 +320,10 @@ mm_auth2_read_banner(void) |
| 186 | return (banner); | 210 | return (banner); |
| 187 | } | 211 | } |
| 188 | 212 | ||
| @@ -195,7 +219,7 @@ Index: b/monitor_wrap.c | |||
| 195 | { | 219 | { |
| 196 | Buffer m; | 220 | Buffer m; |
| 197 | 221 | ||
| 198 | @@ -332,11 +332,29 @@ | 222 | @@ -332,12 +332,30 @@ mm_inform_authserv(char *service, char *style) |
| 199 | buffer_init(&m); | 223 | buffer_init(&m); |
| 200 | buffer_put_cstring(&m, service); | 224 | buffer_put_cstring(&m, service); |
| 201 | buffer_put_cstring(&m, style ? style : ""); | 225 | buffer_put_cstring(&m, style ? style : ""); |
| @@ -205,7 +229,7 @@ Index: b/monitor_wrap.c | |||
| 205 | 229 | ||
| 206 | buffer_free(&m); | 230 | buffer_free(&m); |
| 207 | } | 231 | } |
| 208 | + | 232 | |
| 209 | +/* Inform the privileged process about role */ | 233 | +/* Inform the privileged process about role */ |
| 210 | + | 234 | + |
| 211 | +void | 235 | +void |
| @@ -222,14 +246,15 @@ Index: b/monitor_wrap.c | |||
| 222 | + | 246 | + |
| 223 | + buffer_free(&m); | 247 | + buffer_free(&m); |
| 224 | +} | 248 | +} |
| 225 | 249 | + | |
| 226 | /* Do the password authentication */ | 250 | /* Do the password authentication */ |
| 227 | int | 251 | int |
| 228 | Index: b/monitor_wrap.h | 252 | mm_auth_password(Authctxt *authctxt, char *password) |
| 229 | =================================================================== | 253 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
| 254 | index ec9b9b1..4d12e29 100644 | ||
| 230 | --- a/monitor_wrap.h | 255 | --- a/monitor_wrap.h |
| 231 | +++ b/monitor_wrap.h | 256 | +++ b/monitor_wrap.h |
| 232 | @@ -41,7 +41,8 @@ | 257 | @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); |
| 233 | int mm_is_monitor(void); | 258 | int mm_is_monitor(void); |
| 234 | DH *mm_choose_dh(int, int, int); | 259 | DH *mm_choose_dh(int, int, int); |
| 235 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); | 260 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); |
| @@ -239,8 +264,8 @@ Index: b/monitor_wrap.h | |||
| 239 | struct passwd *mm_getpwnamallow(const char *); | 264 | struct passwd *mm_getpwnamallow(const char *); |
| 240 | char *mm_auth2_read_banner(void); | 265 | char *mm_auth2_read_banner(void); |
| 241 | int mm_auth_password(struct Authctxt *, char *); | 266 | int mm_auth_password(struct Authctxt *, char *); |
| 242 | Index: b/openbsd-compat/port-linux.c | 267 | diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c |
| 243 | =================================================================== | 268 | index 4637a7a..de6ad3f 100644 |
| 244 | --- a/openbsd-compat/port-linux.c | 269 | --- a/openbsd-compat/port-linux.c |
| 245 | +++ b/openbsd-compat/port-linux.c | 270 | +++ b/openbsd-compat/port-linux.c |
| 246 | @@ -29,6 +29,12 @@ | 271 | @@ -29,6 +29,12 @@ |
| @@ -256,7 +281,7 @@ Index: b/openbsd-compat/port-linux.c | |||
| 256 | #include "log.h" | 281 | #include "log.h" |
| 257 | #include "xmalloc.h" | 282 | #include "xmalloc.h" |
| 258 | #include "port-linux.h" | 283 | #include "port-linux.h" |
| 259 | @@ -58,7 +64,7 @@ | 284 | @@ -58,7 +64,7 @@ ssh_selinux_enabled(void) |
| 260 | 285 | ||
| 261 | /* Return the default security context for the given username */ | 286 | /* Return the default security context for the given username */ |
| 262 | static security_context_t | 287 | static security_context_t |
| @@ -265,7 +290,7 @@ Index: b/openbsd-compat/port-linux.c | |||
| 265 | { | 290 | { |
| 266 | security_context_t sc = NULL; | 291 | security_context_t sc = NULL; |
| 267 | char *sename = NULL, *lvl = NULL; | 292 | char *sename = NULL, *lvl = NULL; |
| 268 | @@ -73,9 +79,16 @@ | 293 | @@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname) |
| 269 | #endif | 294 | #endif |
| 270 | 295 | ||
| 271 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 296 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
| @@ -284,7 +309,7 @@ Index: b/openbsd-compat/port-linux.c | |||
| 284 | #endif | 309 | #endif |
| 285 | 310 | ||
| 286 | if (r != 0) { | 311 | if (r != 0) { |
| 287 | @@ -105,7 +118,7 @@ | 312 | @@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname) |
| 288 | 313 | ||
| 289 | /* Set the execution context to the default for the specified user */ | 314 | /* Set the execution context to the default for the specified user */ |
| 290 | void | 315 | void |
| @@ -293,7 +318,7 @@ Index: b/openbsd-compat/port-linux.c | |||
| 293 | { | 318 | { |
| 294 | security_context_t user_ctx = NULL; | 319 | security_context_t user_ctx = NULL; |
| 295 | 320 | ||
| 296 | @@ -114,7 +127,7 @@ | 321 | @@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname) |
| 297 | 322 | ||
| 298 | debug3("%s: setting execution context", __func__); | 323 | debug3("%s: setting execution context", __func__); |
| 299 | 324 | ||
| @@ -302,7 +327,7 @@ Index: b/openbsd-compat/port-linux.c | |||
| 302 | if (setexeccon(user_ctx) != 0) { | 327 | if (setexeccon(user_ctx) != 0) { |
| 303 | switch (security_getenforce()) { | 328 | switch (security_getenforce()) { |
| 304 | case -1: | 329 | case -1: |
| 305 | @@ -136,7 +149,7 @@ | 330 | @@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname) |
| 306 | 331 | ||
| 307 | /* Set the TTY context for the specified user */ | 332 | /* Set the TTY context for the specified user */ |
| 308 | void | 333 | void |
| @@ -311,7 +336,7 @@ Index: b/openbsd-compat/port-linux.c | |||
| 311 | { | 336 | { |
| 312 | security_context_t new_tty_ctx = NULL; | 337 | security_context_t new_tty_ctx = NULL; |
| 313 | security_context_t user_ctx = NULL; | 338 | security_context_t user_ctx = NULL; |
| 314 | @@ -147,7 +160,7 @@ | 339 | @@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) |
| 315 | 340 | ||
| 316 | debug3("%s: setting TTY context on %s", __func__, tty); | 341 | debug3("%s: setting TTY context on %s", __func__, tty); |
| 317 | 342 | ||
| @@ -320,8 +345,8 @@ Index: b/openbsd-compat/port-linux.c | |||
| 320 | 345 | ||
| 321 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | 346 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ |
| 322 | 347 | ||
| 323 | Index: b/openbsd-compat/port-linux.h | 348 | diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h |
| 324 | =================================================================== | 349 | index e3d1004..80ce13a 100644 |
| 325 | --- a/openbsd-compat/port-linux.h | 350 | --- a/openbsd-compat/port-linux.h |
| 326 | +++ b/openbsd-compat/port-linux.h | 351 | +++ b/openbsd-compat/port-linux.h |
| 327 | @@ -21,8 +21,8 @@ | 352 | @@ -21,8 +21,8 @@ |
| @@ -335,11 +360,11 @@ Index: b/openbsd-compat/port-linux.h | |||
| 335 | void ssh_selinux_change_context(const char *); | 360 | void ssh_selinux_change_context(const char *); |
| 336 | void ssh_selinux_setfscreatecon(const char *); | 361 | void ssh_selinux_setfscreatecon(const char *); |
| 337 | #endif | 362 | #endif |
| 338 | Index: b/platform.c | 363 | diff --git a/platform.c b/platform.c |
| 339 | =================================================================== | 364 | index 3262b24..a962f15 100644 |
| 340 | --- a/platform.c | 365 | --- a/platform.c |
| 341 | +++ b/platform.c | 366 | +++ b/platform.c |
| 342 | @@ -134,7 +134,7 @@ | 367 | @@ -134,7 +134,7 @@ platform_setusercontext(struct passwd *pw) |
| 343 | * called if sshd is running as root. | 368 | * called if sshd is running as root. |
| 344 | */ | 369 | */ |
| 345 | void | 370 | void |
| @@ -348,7 +373,7 @@ Index: b/platform.c | |||
| 348 | { | 373 | { |
| 349 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | 374 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) |
| 350 | /* | 375 | /* |
| 351 | @@ -181,7 +181,7 @@ | 376 | @@ -181,7 +181,7 @@ platform_setusercontext_post_groups(struct passwd *pw) |
| 352 | } | 377 | } |
| 353 | #endif /* HAVE_SETPCRED */ | 378 | #endif /* HAVE_SETPCRED */ |
| 354 | #ifdef WITH_SELINUX | 379 | #ifdef WITH_SELINUX |
| @@ -357,11 +382,11 @@ Index: b/platform.c | |||
| 357 | #endif | 382 | #endif |
| 358 | } | 383 | } |
| 359 | 384 | ||
| 360 | Index: b/platform.h | 385 | diff --git a/platform.h b/platform.h |
| 361 | =================================================================== | 386 | index 19f6bfd..3188a3d 100644 |
| 362 | --- a/platform.h | 387 | --- a/platform.h |
| 363 | +++ b/platform.h | 388 | +++ b/platform.h |
| 364 | @@ -26,7 +26,7 @@ | 389 | @@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid); |
| 365 | void platform_post_fork_child(void); | 390 | void platform_post_fork_child(void); |
| 366 | int platform_privileged_uidswap(void); | 391 | int platform_privileged_uidswap(void); |
| 367 | void platform_setusercontext(struct passwd *); | 392 | void platform_setusercontext(struct passwd *); |
| @@ -370,11 +395,11 @@ Index: b/platform.h | |||
| 370 | char *platform_get_krb5_client(const char *); | 395 | char *platform_get_krb5_client(const char *); |
| 371 | char *platform_krb5_get_principal_name(const char *); | 396 | char *platform_krb5_get_principal_name(const char *); |
| 372 | int platform_sys_dir_uid(uid_t); | 397 | int platform_sys_dir_uid(uid_t); |
| 373 | Index: b/session.c | 398 | diff --git a/session.c b/session.c |
| 374 | =================================================================== | 399 | index d4b57bd..b4d74d9 100644 |
| 375 | --- a/session.c | 400 | --- a/session.c |
| 376 | +++ b/session.c | 401 | +++ b/session.c |
| 377 | @@ -1474,7 +1474,7 @@ | 402 | @@ -1474,7 +1474,7 @@ safely_chroot(const char *path, uid_t uid) |
| 378 | 403 | ||
| 379 | /* Set login name, uid, gid, and groups. */ | 404 | /* Set login name, uid, gid, and groups. */ |
| 380 | void | 405 | void |
| @@ -383,7 +408,7 @@ Index: b/session.c | |||
| 383 | { | 408 | { |
| 384 | char *chroot_path, *tmp; | 409 | char *chroot_path, *tmp; |
| 385 | 410 | ||
| 386 | @@ -1502,7 +1502,7 @@ | 411 | @@ -1502,7 +1502,7 @@ do_setusercontext(struct passwd *pw) |
| 387 | endgrent(); | 412 | endgrent(); |
| 388 | #endif | 413 | #endif |
| 389 | 414 | ||
| @@ -392,7 +417,7 @@ Index: b/session.c | |||
| 392 | 417 | ||
| 393 | if (options.chroot_directory != NULL && | 418 | if (options.chroot_directory != NULL && |
| 394 | strcasecmp(options.chroot_directory, "none") != 0) { | 419 | strcasecmp(options.chroot_directory, "none") != 0) { |
| 395 | @@ -1646,7 +1646,7 @@ | 420 | @@ -1646,7 +1646,7 @@ do_child(Session *s, const char *command) |
| 396 | 421 | ||
| 397 | /* Force a password change */ | 422 | /* Force a password change */ |
| 398 | if (s->authctxt->force_pwchange) { | 423 | if (s->authctxt->force_pwchange) { |
| @@ -401,7 +426,7 @@ Index: b/session.c | |||
| 401 | child_close_fds(); | 426 | child_close_fds(); |
| 402 | do_pwchange(s); | 427 | do_pwchange(s); |
| 403 | exit(1); | 428 | exit(1); |
| 404 | @@ -1673,7 +1673,7 @@ | 429 | @@ -1673,7 +1673,7 @@ do_child(Session *s, const char *command) |
| 405 | /* When PAM is enabled we rely on it to do the nologin check */ | 430 | /* When PAM is enabled we rely on it to do the nologin check */ |
| 406 | if (!options.use_pam) | 431 | if (!options.use_pam) |
| 407 | do_nologin(pw); | 432 | do_nologin(pw); |
| @@ -410,7 +435,7 @@ Index: b/session.c | |||
| 410 | /* | 435 | /* |
| 411 | * PAM session modules in do_setusercontext may have | 436 | * PAM session modules in do_setusercontext may have |
| 412 | * generated messages, so if this in an interactive | 437 | * generated messages, so if this in an interactive |
| 413 | @@ -2084,7 +2084,7 @@ | 438 | @@ -2084,7 +2084,7 @@ session_pty_req(Session *s) |
| 414 | tty_parse_modes(s->ttyfd, &n_bytes); | 439 | tty_parse_modes(s->ttyfd, &n_bytes); |
| 415 | 440 | ||
| 416 | if (!use_privsep) | 441 | if (!use_privsep) |
| @@ -419,11 +444,11 @@ Index: b/session.c | |||
| 419 | 444 | ||
| 420 | /* Set window size from the packet. */ | 445 | /* Set window size from the packet. */ |
| 421 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | 446 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); |
| 422 | Index: b/session.h | 447 | diff --git a/session.h b/session.h |
| 423 | =================================================================== | 448 | index cbb8e3a..cb4f196 100644 |
| 424 | --- a/session.h | 449 | --- a/session.h |
| 425 | +++ b/session.h | 450 | +++ b/session.h |
| 426 | @@ -76,7 +76,7 @@ | 451 | @@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); |
| 427 | Session *session_new(void); | 452 | Session *session_new(void); |
| 428 | Session *session_by_tty(char *); | 453 | Session *session_by_tty(char *); |
| 429 | void session_close(Session *); | 454 | void session_close(Session *); |
| @@ -432,11 +457,11 @@ Index: b/session.h | |||
| 432 | void child_set_env(char ***envp, u_int *envsizep, const char *name, | 457 | void child_set_env(char ***envp, u_int *envsizep, const char *name, |
| 433 | const char *value); | 458 | const char *value); |
| 434 | 459 | ||
| 435 | Index: b/sshd.c | 460 | diff --git a/sshd.c b/sshd.c |
| 436 | =================================================================== | 461 | index 4eddeb8..e5c9835 100644 |
| 437 | --- a/sshd.c | 462 | --- a/sshd.c |
| 438 | +++ b/sshd.c | 463 | +++ b/sshd.c |
| 439 | @@ -753,7 +753,7 @@ | 464 | @@ -753,7 +753,7 @@ privsep_postauth(Authctxt *authctxt) |
| 440 | RAND_seed(rnd, sizeof(rnd)); | 465 | RAND_seed(rnd, sizeof(rnd)); |
| 441 | 466 | ||
| 442 | /* Drop privileges */ | 467 | /* Drop privileges */ |
| @@ -445,11 +470,11 @@ Index: b/sshd.c | |||
| 445 | 470 | ||
| 446 | skip: | 471 | skip: |
| 447 | /* It is safe now to apply the key state */ | 472 | /* It is safe now to apply the key state */ |
| 448 | Index: b/sshpty.c | 473 | diff --git a/sshpty.c b/sshpty.c |
| 449 | =================================================================== | 474 | index bbbc0fe..8cc26a2 100644 |
| 450 | --- a/sshpty.c | 475 | --- a/sshpty.c |
| 451 | +++ b/sshpty.c | 476 | +++ b/sshpty.c |
| 452 | @@ -200,7 +200,7 @@ | 477 | @@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, |
| 453 | } | 478 | } |
| 454 | 479 | ||
| 455 | void | 480 | void |
| @@ -458,7 +483,7 @@ Index: b/sshpty.c | |||
| 458 | { | 483 | { |
| 459 | struct group *grp; | 484 | struct group *grp; |
| 460 | gid_t gid; | 485 | gid_t gid; |
| 461 | @@ -227,7 +227,7 @@ | 486 | @@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty) |
| 462 | strerror(errno)); | 487 | strerror(errno)); |
| 463 | 488 | ||
| 464 | #ifdef WITH_SELINUX | 489 | #ifdef WITH_SELINUX |
| @@ -467,11 +492,11 @@ Index: b/sshpty.c | |||
| 467 | #endif | 492 | #endif |
| 468 | 493 | ||
| 469 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { | 494 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { |
| 470 | Index: b/sshpty.h | 495 | diff --git a/sshpty.h b/sshpty.h |
| 471 | =================================================================== | 496 | index cfa3224..edf2436 100644 |
| 472 | --- a/sshpty.h | 497 | --- a/sshpty.h |
| 473 | +++ b/sshpty.h | 498 | +++ b/sshpty.h |
| 474 | @@ -24,4 +24,4 @@ | 499 | @@ -24,4 +24,4 @@ int pty_allocate(int *, int *, char *, size_t); |
| 475 | void pty_release(const char *); | 500 | void pty_release(const char *); |
| 476 | void pty_make_controlling_tty(int *, const char *); | 501 | void pty_make_controlling_tty(int *, const char *); |
| 477 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); | 502 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); |