author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:17:20 +0000 |
commit | 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 (patch) | |
tree | 3e2ead17b4c91699c13b0417d46bfd750a04e0b8 /monitor_wrap.c | |
parent | 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r-- | monitor_wrap.c | 22 |
1 files changed, 20 insertions, 2 deletions
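--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -320,10 +320,10 @@ mm_auth2_read_banner(void)
 return (banner);
 }
 
-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
 
 void
-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
 {
 Buffer m;
 
@@ -332,12 +332,30 @@ mm_inform_authserv(char *service, char *style)
 buffer_init(&m);
 buffer_put_cstring(&m, service);
 buffer_put_cstring(&m, style ? style : "");
+buffer_put_cstring(&m, role ? role : "");
 
 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
 
 buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+Buffer m;
+
+debug3("%s entering", __func__);
+
+buffer_init(&m);
+buffer_put_cstring(&m, role ? role : "");
+
+mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+buffer_free(&m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)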
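Review bot: The new `mm_inform_authrole` and the added `buffer_put_cstring(&m, role ? role : "")` in `mm_inform_authserv` send `role` across the privilege-separation boundary with no length or character check, and the comment above `mm_inform_authrole` does not say where that check is expected to happen. Going by the description's "magic usernames", the role appears to be derived from the client-supplied user string, so the monitor has to treat it as untrusted; its handlers are not in this file, so confirm they validate the value before it reaches any SELinux context setup and that `MONITOR_REQ_AUTHROLE` is only accepted before authentication completes. I would extend the comment to something like `/* Inform the privileged process about role; role is client-influenced and must be validated on the monitor side */`. Both paths also collapse a NULL role to `""`, so the monitor cannot tell "no role requested" from an empty one, which is worth stating in the same comment if it is intended.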