authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2014-10-07 14:26:47 +0100
commitc9638aa44d787849cea1ae273f0908c6313fd19b (patch)
tree6b8681822821aad0dcc92575411f0e6fdfb994bf /monitor.c
parentb25d6dd3b6b5a2cb93723586c56d6fa0277ea56a (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c32
1 files changed, 29 insertions, 3 deletions
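--- a/monitor.c
+++ b/monitor.c
@@ -148,6 +148,7 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -229,6 +230,7 @@ struct mon_table mon_dispatch_proto20[] = {
 	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+	{MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
 	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
 	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -841,6 +843,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 #ifdef USE_PAM
@@ -871,14 +874,37 @@ mm_answer_authserv(int sock, Buffer *m)
 
 	authctxt->service = buffer_get_string(m, NULL);
 	authctxt->style = buffer_get_string(m, NULL);
-	debug3("%s: service=%s, style=%s",
-	    __func__, authctxt->service, authctxt->style);
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: service=%s, style=%s, role=%s",
+	    __func__, authctxt->service, authctxt->style, authctxt->role);
 
 	if (strlen(authctxt->style) == 0) {
 		free(authctxt->style);
 		authctxt->style = NULL;
 	}
 
+	if (strlen(authctxt->role) == 0) {
+		free(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		free(authctxt->role);
+		authctxt->role = NULL;
+	}
+
 	return (0);
 }
 
@@ -1485,7 +1511,7 @@ mm_answer_pty(int sock, Buffer *m)
 	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
 	if (res == 0)
 		goto error;
-	pty_setowner(authctxt->pw, s->tty);
+	pty_setowner(authctxt->pw, s->tty, authctxt->role);
 
 	buffer_put_int(m, 1);
 	buffer_put_cstring(m, s->tty);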
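Review bot: mm_answer_authrole overwrites authctxt->role at line 899 without releasing the string that mm_answer_authserv now stores into the same field at line 877; both requests are permitted together at line 846 and each is MON_ONCE, so when the child sends both, the first role string leaks and the value reported by the debug3 at line 878 is silently replaced. Insert `free(authctxt->role);` before the assignment at line 899 (free(NULL) is a no-op, so the fix is safe whichever request arrives first), and document the precedence on the new handler, e.g. `/* A role sent via MONITOR_REQ_AUTHROLE replaces any role received with MONITOR_REQ_AUTHSERV. */`. The role string arrives from the unprivileged child before authentication and is later passed to pty_setowner at line 1514; nothing in these hunks constrains its contents or handles it being NULL there, so presumably pty_setowner validates it — worth confirming in the SELinux code. mm_answer_authserv's body begins above the hunk, so whether monitor_permit_authentications(1) is also called there is not visible here.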