summaryrefslogtreecommitdiff
path: root/monitor.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2015-11-29 17:36:18 +0000
commitd55bc528ac450324522f02d90a2bdc4832d1eef8 (patch)
tree206c0995c85770f5a2ee00ce640cc4555ad6deb0 /monitor.c
parent2cd06c4a70dfb22fd1d54779173b5e086c52e08f (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c32
1 files changed, 29 insertions, 3 deletions
diff --git a/monitor.c b/monitor.c
index 2658aaa53..c063ad1a0 100644
--- a/monitor.c
+++ b/monitor.c
@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
127int mm_answer_pwnamallow(int, Buffer *); 127int mm_answer_pwnamallow(int, Buffer *);
128int mm_answer_auth2_read_banner(int, Buffer *); 128int mm_answer_auth2_read_banner(int, Buffer *);
129int mm_answer_authserv(int, Buffer *); 129int mm_answer_authserv(int, Buffer *);
130int mm_answer_authrole(int, Buffer *);
130int mm_answer_authpassword(int, Buffer *); 131int mm_answer_authpassword(int, Buffer *);
131int mm_answer_bsdauthquery(int, Buffer *); 132int mm_answer_bsdauthquery(int, Buffer *);
132int mm_answer_bsdauthrespond(int, Buffer *); 133int mm_answer_bsdauthrespond(int, Buffer *);
@@ -208,6 +209,7 @@ struct mon_table mon_dispatch_proto20[] = {
208 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 209 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
209 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 210 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
210 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 211 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
212 {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
211 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 213 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
212 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 214 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
213#ifdef USE_PAM 215#ifdef USE_PAM
@@ -879,6 +881,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
879 else { 881 else {
880 /* Allow service/style information on the auth context */ 882 /* Allow service/style information on the auth context */
881 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 883 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
884 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
882 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 885 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
883 } 886 }
884#ifdef USE_PAM 887#ifdef USE_PAM
@@ -909,14 +912,37 @@ mm_answer_authserv(int sock, Buffer *m)
909 912
910 authctxt->service = buffer_get_string(m, NULL); 913 authctxt->service = buffer_get_string(m, NULL);
911 authctxt->style = buffer_get_string(m, NULL); 914 authctxt->style = buffer_get_string(m, NULL);
912 debug3("%s: service=%s, style=%s", 915 authctxt->role = buffer_get_string(m, NULL);
913 __func__, authctxt->service, authctxt->style); 916 debug3("%s: service=%s, style=%s, role=%s",
917 __func__, authctxt->service, authctxt->style, authctxt->role);
914 918
915 if (strlen(authctxt->style) == 0) { 919 if (strlen(authctxt->style) == 0) {
916 free(authctxt->style); 920 free(authctxt->style);
917 authctxt->style = NULL; 921 authctxt->style = NULL;
918 } 922 }
919 923
924 if (strlen(authctxt->role) == 0) {
925 free(authctxt->role);
926 authctxt->role = NULL;
927 }
928
929 return (0);
930}
931
932int
933mm_answer_authrole(int sock, Buffer *m)
934{
935 monitor_permit_authentications(1);
936
937 authctxt->role = buffer_get_string(m, NULL);
938 debug3("%s: role=%s",
939 __func__, authctxt->role);
940
941 if (strlen(authctxt->role) == 0) {
942 free(authctxt->role);
943 authctxt->role = NULL;
944 }
945
920 return (0); 946 return (0);
921} 947}
922 948
@@ -1544,7 +1570,7 @@ mm_answer_pty(int sock, Buffer *m)
1544 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 1570 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
1545 if (res == 0) 1571 if (res == 0)
1546 goto error; 1572 goto error;
1547 pty_setowner(authctxt->pw, s->tty); 1573 pty_setowner(authctxt->pw, s->tty, authctxt->role);
1548 1574
1549 buffer_put_int(m, 1); 1575 buffer_put_int(m, 1);
1550 buffer_put_cstring(m, s->tty); 1576 buffer_put_cstring(m, s->tty);