diff options
| author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2020-06-07 10:25:35 +0100 |
| commit | 8641a3f57e67e087b4500beb9916e06c4d0ba94c (patch) | |
| tree | 13f2ec3473e6689b2d890f1a529a320a6f3cfa2a /monitor_wrap.c | |
| parent | 7e3de67f8447064d6963e8299653d8e01baaef1e (diff) | |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2020-02-21
Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor_wrap.c')
| -rw-r--r-- | monitor_wrap.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c index 6edb509a3..b49c268d3 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
| @@ -364,10 +364,10 @@ mm_auth2_read_banner(void) | |||
| 364 | return (banner); | 364 | return (banner); |
| 365 | } | 365 | } |
| 366 | 366 | ||
| 367 | /* Inform the privileged process about service and style */ | 367 | /* Inform the privileged process about service, style, and role */ |
| 368 | 368 | ||
| 369 | void | 369 | void |
| 370 | mm_inform_authserv(char *service, char *style) | 370 | mm_inform_authserv(char *service, char *style, char *role) |
| 371 | { | 371 | { |
| 372 | struct sshbuf *m; | 372 | struct sshbuf *m; |
| 373 | int r; | 373 | int r; |
| @@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style) | |||
| 377 | if ((m = sshbuf_new()) == NULL) | 377 | if ((m = sshbuf_new()) == NULL) |
| 378 | fatal("%s: sshbuf_new failed", __func__); | 378 | fatal("%s: sshbuf_new failed", __func__); |
| 379 | if ((r = sshbuf_put_cstring(m, service)) != 0 || | 379 | if ((r = sshbuf_put_cstring(m, service)) != 0 || |
| 380 | (r = sshbuf_put_cstring(m, style ? style : "")) != 0) | 380 | (r = sshbuf_put_cstring(m, style ? style : "")) != 0 || |
| 381 | (r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
| 381 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 382 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 382 | 383 | ||
| 383 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); | 384 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); |
| @@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style) | |||
| 385 | sshbuf_free(m); | 386 | sshbuf_free(m); |
| 386 | } | 387 | } |
| 387 | 388 | ||
| 389 | /* Inform the privileged process about role */ | ||
| 390 | |||
| 391 | void | ||
| 392 | mm_inform_authrole(char *role) | ||
| 393 | { | ||
| 394 | struct sshbuf *m; | ||
| 395 | int r; | ||
| 396 | |||
| 397 | debug3("%s entering", __func__); | ||
| 398 | |||
| 399 | if ((m = sshbuf_new()) == NULL) | ||
| 400 | fatal("%s: sshbuf_new failed", __func__); | ||
| 401 | if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
| 402 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
| 403 | |||
| 404 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); | ||
| 405 | |||
| 406 | sshbuf_free(m); | ||
| 407 | } | ||
| 408 | |||
| 388 | /* Do the password authentication */ | 409 | /* Do the password authentication */ |
| 389 | int | 410 | int |
| 390 | mm_auth_password(struct ssh *ssh, char *password) | 411 | mm_auth_password(struct ssh *ssh, char *password) |