diff options
author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-06-05 13:11:52 +0100 |
commit | 21e3ff3ab4791d3c94bd775da66cde29797fcb36 (patch) | |
tree | c218b12d60175ae0572c0236f2390d9e26de5bc9 /monitor_wrap.c | |
parent | 0f9f44654708e4fde2f52c52f717d061b5e458fa (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2019-06-05
Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r-- | monitor_wrap.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c index 8e4c1c1f8..6b3a6251c 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -364,10 +364,10 @@ mm_auth2_read_banner(void) | |||
364 | return (banner); | 364 | return (banner); |
365 | } | 365 | } |
366 | 366 | ||
367 | /* Inform the privileged process about service and style */ | 367 | /* Inform the privileged process about service, style, and role */ |
368 | 368 | ||
369 | void | 369 | void |
370 | mm_inform_authserv(char *service, char *style) | 370 | mm_inform_authserv(char *service, char *style, char *role) |
371 | { | 371 | { |
372 | struct sshbuf *m; | 372 | struct sshbuf *m; |
373 | int r; | 373 | int r; |
@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style) | |||
377 | if ((m = sshbuf_new()) == NULL) | 377 | if ((m = sshbuf_new()) == NULL) |
378 | fatal("%s: sshbuf_new failed", __func__); | 378 | fatal("%s: sshbuf_new failed", __func__); |
379 | if ((r = sshbuf_put_cstring(m, service)) != 0 || | 379 | if ((r = sshbuf_put_cstring(m, service)) != 0 || |
380 | (r = sshbuf_put_cstring(m, style ? style : "")) != 0) | 380 | (r = sshbuf_put_cstring(m, style ? style : "")) != 0 || |
381 | (r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
381 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 382 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
382 | 383 | ||
383 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); | 384 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); |
@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style) | |||
385 | sshbuf_free(m); | 386 | sshbuf_free(m); |
386 | } | 387 | } |
387 | 388 | ||
389 | /* Inform the privileged process about role */ | ||
390 | |||
391 | void | ||
392 | mm_inform_authrole(char *role) | ||
393 | { | ||
394 | struct sshbuf *m; | ||
395 | int r; | ||
396 | |||
397 | debug3("%s entering", __func__); | ||
398 | |||
399 | if ((m = sshbuf_new()) == NULL) | ||
400 | fatal("%s: sshbuf_new failed", __func__); | ||
401 | if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
402 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
403 | |||
404 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); | ||
405 | |||
406 | sshbuf_free(m); | ||
407 | } | ||
408 | |||
388 | /* Do the password authentication */ | 409 | /* Do the password authentication */ |
389 | int | 410 | int |
390 | mm_auth_password(struct ssh *ssh, char *password) | 411 | mm_auth_password(struct ssh *ssh, char *password) |