summaryrefslogtreecommitdiff
path: root/monitor.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2016-12-28 20:05:04 +0000
commitef3ee35a1061c563f2c32ab13f77324b6372e8be (patch)
treeac3c0346a8f758bfec45ec562c5d164b2ae7c904 /monitor.c
parent10d7583287f2d589da0786819e62a0be5ec9847f (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c32
1 files changed, 29 insertions, 3 deletions
diff --git a/monitor.c b/monitor.c
index 76d9e346a..64286a128 100644
--- a/monitor.c
+++ b/monitor.c
@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
127int mm_answer_pwnamallow(int, Buffer *); 127int mm_answer_pwnamallow(int, Buffer *);
128int mm_answer_auth2_read_banner(int, Buffer *); 128int mm_answer_auth2_read_banner(int, Buffer *);
129int mm_answer_authserv(int, Buffer *); 129int mm_answer_authserv(int, Buffer *);
130int mm_answer_authrole(int, Buffer *);
130int mm_answer_authpassword(int, Buffer *); 131int mm_answer_authpassword(int, Buffer *);
131int mm_answer_bsdauthquery(int, Buffer *); 132int mm_answer_bsdauthquery(int, Buffer *);
132int mm_answer_bsdauthrespond(int, Buffer *); 133int mm_answer_bsdauthrespond(int, Buffer *);
@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = {
204 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 205 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
205 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 206 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
206 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 207 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
208 {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
207 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 209 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
208 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 210 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
209#ifdef USE_PAM 211#ifdef USE_PAM
@@ -786,6 +788,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
786 788
787 /* Allow service/style information on the auth context */ 789 /* Allow service/style information on the auth context */
788 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 790 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
791 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
789 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 792 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
790 793
791#ifdef USE_PAM 794#ifdef USE_PAM
@@ -816,14 +819,37 @@ mm_answer_authserv(int sock, Buffer *m)
816 819
817 authctxt->service = buffer_get_string(m, NULL); 820 authctxt->service = buffer_get_string(m, NULL);
818 authctxt->style = buffer_get_string(m, NULL); 821 authctxt->style = buffer_get_string(m, NULL);
819 debug3("%s: service=%s, style=%s", 822 authctxt->role = buffer_get_string(m, NULL);
820 __func__, authctxt->service, authctxt->style); 823 debug3("%s: service=%s, style=%s, role=%s",
824 __func__, authctxt->service, authctxt->style, authctxt->role);
821 825
822 if (strlen(authctxt->style) == 0) { 826 if (strlen(authctxt->style) == 0) {
823 free(authctxt->style); 827 free(authctxt->style);
824 authctxt->style = NULL; 828 authctxt->style = NULL;
825 } 829 }
826 830
831 if (strlen(authctxt->role) == 0) {
832 free(authctxt->role);
833 authctxt->role = NULL;
834 }
835
836 return (0);
837}
838
839int
840mm_answer_authrole(int sock, Buffer *m)
841{
842 monitor_permit_authentications(1);
843
844 authctxt->role = buffer_get_string(m, NULL);
845 debug3("%s: role=%s",
846 __func__, authctxt->role);
847
848 if (strlen(authctxt->role) == 0) {
849 free(authctxt->role);
850 authctxt->role = NULL;
851 }
852
827 return (0); 853 return (0);
828} 854}
829 855
@@ -1458,7 +1484,7 @@ mm_answer_pty(int sock, Buffer *m)
1458 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 1484 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
1459 if (res == 0) 1485 if (res == 0)
1460 goto error; 1486 goto error;
1461 pty_setowner(authctxt->pw, s->tty); 1487 pty_setowner(authctxt->pw, s->tty, authctxt->role);
1462 1488
1463 buffer_put_int(m, 1); 1489 buffer_put_int(m, 1);
1464 buffer_put_cstring(m, s->tty); 1490 buffer_put_cstring(m, s->tty);