summaryrefslogtreecommitdiff
path: root/monitor_wrap.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2020-10-18 12:07:12 +0100
commitc574865182e2c5dfa183b577f49ac602d16df5c0 (patch)
treec7fd6cf87fe77b768b44a907a0e94efa1482a98e /monitor_wrap.c
parent6806b85f30244d186206004386a9faddc16b8738 (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2020-10-18 Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r--monitor_wrap.c27
1 files changed, 24 insertions, 3 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 0e78cd006..d41d3949d 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
364 return (banner); 364 return (banner);
365} 365}
366 366
367/* Inform the privileged process about service and style */ 367/* Inform the privileged process about service, style, and role */
368 368
369void 369void
370mm_inform_authserv(char *service, char *style) 370mm_inform_authserv(char *service, char *style, char *role)
371{ 371{
372 struct sshbuf *m; 372 struct sshbuf *m;
373 int r; 373 int r;
@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style)
377 if ((m = sshbuf_new()) == NULL) 377 if ((m = sshbuf_new()) == NULL)
378 fatal("%s: sshbuf_new failed", __func__); 378 fatal("%s: sshbuf_new failed", __func__);
379 if ((r = sshbuf_put_cstring(m, service)) != 0 || 379 if ((r = sshbuf_put_cstring(m, service)) != 0 ||
380 (r = sshbuf_put_cstring(m, style ? style : "")) != 0) 380 (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
381 (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
381 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 382 fatal("%s: buffer error: %s", __func__, ssh_err(r));
382 383
383 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); 384 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style)
385 sshbuf_free(m); 386 sshbuf_free(m);
386} 387}
387 388
389/* Inform the privileged process about role */
390
391void
392mm_inform_authrole(char *role)
393{
394 struct sshbuf *m;
395 int r;
396
397 debug3("%s entering", __func__);
398
399 if ((m = sshbuf_new()) == NULL)
400 fatal("%s: sshbuf_new failed", __func__);
401 if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
402 fatal("%s: buffer error: %s", __func__, ssh_err(r));
403
404 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
405
406 sshbuf_free(m);
407}
408
388/* Do the password authentication */ 409/* Do the password authentication */
389int 410int
390mm_auth_password(struct ssh *ssh, char *password) 411mm_auth_password(struct ssh *ssh, char *password)