diff options
| author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2018-08-24 17:49:07 +0100 |
| commit | 03979f2e0768e146d179c66f2d2e33afe61c1be3 (patch) | |
| tree | 624add62ece0fb72400966a483aa5af060fb0a77 /monitor_wrap.c | |
| parent | 84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (diff) | |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2018-08-24
Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor_wrap.c')
| -rw-r--r-- | monitor_wrap.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c index 1865a122a..fd4d7eb3b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
| @@ -369,10 +369,10 @@ mm_auth2_read_banner(void) | |||
| 369 | return (banner); | 369 | return (banner); |
| 370 | } | 370 | } |
| 371 | 371 | ||
| 372 | /* Inform the privileged process about service and style */ | 372 | /* Inform the privileged process about service, style, and role */ |
| 373 | 373 | ||
| 374 | void | 374 | void |
| 375 | mm_inform_authserv(char *service, char *style) | 375 | mm_inform_authserv(char *service, char *style, char *role) |
| 376 | { | 376 | { |
| 377 | struct sshbuf *m; | 377 | struct sshbuf *m; |
| 378 | int r; | 378 | int r; |
| @@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style) | |||
| 382 | if ((m = sshbuf_new()) == NULL) | 382 | if ((m = sshbuf_new()) == NULL) |
| 383 | fatal("%s: sshbuf_new failed", __func__); | 383 | fatal("%s: sshbuf_new failed", __func__); |
| 384 | if ((r = sshbuf_put_cstring(m, service)) != 0 || | 384 | if ((r = sshbuf_put_cstring(m, service)) != 0 || |
| 385 | (r = sshbuf_put_cstring(m, style ? style : "")) != 0) | 385 | (r = sshbuf_put_cstring(m, style ? style : "")) != 0 || |
| 386 | (r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
| 386 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 387 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 387 | 388 | ||
| 388 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); | 389 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); |
| @@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style) | |||
| 390 | sshbuf_free(m); | 391 | sshbuf_free(m); |
| 391 | } | 392 | } |
| 392 | 393 | ||
| 394 | /* Inform the privileged process about role */ | ||
| 395 | |||
| 396 | void | ||
| 397 | mm_inform_authrole(char *role) | ||
| 398 | { | ||
| 399 | struct sshbuf *m; | ||
| 400 | int r; | ||
| 401 | |||
| 402 | debug3("%s entering", __func__); | ||
| 403 | |||
| 404 | if ((m = sshbuf_new()) == NULL) | ||
| 405 | fatal("%s: sshbuf_new failed", __func__); | ||
| 406 | if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
| 407 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
| 408 | |||
| 409 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); | ||
| 410 | |||
| 411 | sshbuf_free(m); | ||
| 412 | } | ||
| 413 | |||
| 393 | /* Do the password authentication */ | 414 | /* Do the password authentication */ |
| 394 | int | 415 | int |
| 395 | mm_auth_password(struct ssh *ssh, char *password) | 416 | mm_auth_password(struct ssh *ssh, char *password) |