author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-10-20 22:54:09 +0100 |
commit | cf3f6ac19812e4d32874304b3854b055831c2124 (patch) | |
tree | a9f141a9525561b4002b0677c109e9a8dd1b293f /monitor_wrap.c | |
parent | 389e16d0109d8c49a761cd7c267438b05c9ab984 (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2018-08-24
Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r-- | monitor_wrap.c | 27 |
1 files changed, 24 insertions, 3 deletions
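diff --git a/monitor_wrap.c b/monitor_wrap.c
index 1865a122a..fd4d7eb3b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -369,10 +369,10 @@ mm_auth2_read_banner(void)
 	return (banner);
 }
 
-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
 
 void
-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
 {
 	struct sshbuf *m;
 	int r;
@@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style)
 	if ((m = sshbuf_new()) == NULL)
 		fatal("%s: sshbuf_new failed", __func__);
 	if ((r = sshbuf_put_cstring(m, service)) != 0 ||
-	    (r = sshbuf_put_cstring(m, style ? style : "")) != 0)
+	    (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
+	    (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
@@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style)
 	sshbuf_free(m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+	struct sshbuf *m;
+	int r;
+
+	debug3("%s entering", __func__);
+
+	if ((m = sshbuf_new()) == NULL)
+		fatal("%s: sshbuf_new failed", __func__);
+	if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+
+	sshbuf_free(m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(struct ssh *ssh, char *password)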
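Review bot: The new `mm_inform_authrole()` forwards the role string to the privileged monitor as a separate `MONITOR_REQ_AUTHROLE` message, while the same role is already carried in `mm_inform_authserv()`, so the monitor ends up with two sources for one value and nothing in this file documents which one wins or where the value is validated. Per the description the role comes from a "magic username", i.e. client-supplied data sent before any authentication succeeds, so the monitor-side handler (in monitor.c, not in this hunk) must treat it as untrusted, bound its length and character set, and only accept the request in the pre-auth state where `MONITOR_REQ_AUTHSERV` is also permitted; I cannot confirm from this file that it does. I would add above the function: `/* role is parsed from the unauthenticated client username; the monitor must validate it and define precedence when both AUTHSERV and AUTHROLE carry a role. */`. The NULL-to-empty-string mapping mirrors `mm_inform_authserv()`, so the wire format is at least consistent between the two paths.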