author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 14:26:47 +0100 |
commit | c9638aa44d787849cea1ae273f0908c6313fd19b (patch) | |
tree | 6b8681822821aad0dcc92575411f0e6fdfb994bf /monitor_wrap.c | |
parent | b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r-- | monitor_wrap.c | 22 |
1 files changed, 20 insertions, 2 deletions
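diff --git a/monitor_wrap.c b/monitor_wrap.c
index e476f0dbc..6dc890a77 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -324,10 +324,10 @@ mm_auth2_read_banner(void)
 return (banner);
 }
 
-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
 
 void
-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
 {
 Buffer m;
 
@@ -336,12 +336,30 @@ mm_inform_authserv(char *service, char *style)
 buffer_init(&m);
 buffer_put_cstring(&m, service);
 buffer_put_cstring(&m, style ? style : "");
+buffer_put_cstring(&m, role ? role : "");
 
 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
 
 buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+Buffer m;
+
+debug3("%s entering", __func__);
+
+buffer_init(&m);
+buffer_put_cstring(&m, role ? role : "");
+
+mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+buffer_free(&m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)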
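Review bot: Both the new `mm_inform_authrole()` and the extra field added to `mm_inform_authserv()` forward `role` to the monitor verbatim, and `role ? role : ""` collapses NULL to an empty string, so the privileged side cannot tell "no role requested" from an empty role. The value starts on the unprivileged, pre-authentication side (the commit description mentions magic usernames, so it is presumably client-chosen), which means the monitor handlers for MONITOR_REQ_AUTHSERV and MONITOR_REQ_AUTHROLE have to treat it as untrusted and validate it before it influences any SELinux context. Those handlers are not on this page because the diffstat is limited to monitor_wrap.c, so neither the validation nor the matching three-string parse of the AUTHSERV message can be confirmed here. I would record the contract in the comment above the new function, e.g. `/* Inform the privileged process about role; sent unvalidated, NULL becomes "", the monitor must check it */`, and add a matching remark to the `mm_inform_authserv` comment.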