summaryrefslogtreecommitdiff
path: root/session.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2016-03-10 13:00:39 +0000
commit16caff9bcfbc638ed7d2e01a338db678f138faa5 (patch)
tree4dc7fd839271789949e30e2c3edf255cf2f17a31 /session.c
parent1b820bd5376b5b04403f0489b2e135566cedd4e6 (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
Diffstat (limited to 'session.c')
-rw-r--r--session.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/session.c b/session.c
index 87fddfc3d..f246b8a62 100644
--- a/session.c
+++ b/session.c
@@ -1511,7 +1511,7 @@ safely_chroot(const char *path, uid_t uid)
1511 1511
1512/* Set login name, uid, gid, and groups. */ 1512/* Set login name, uid, gid, and groups. */
1513void 1513void
1514do_setusercontext(struct passwd *pw) 1514do_setusercontext(struct passwd *pw, const char *role)
1515{ 1515{
1516 char *chroot_path, *tmp; 1516 char *chroot_path, *tmp;
1517 1517
@@ -1539,7 +1539,7 @@ do_setusercontext(struct passwd *pw)
1539 endgrent(); 1539 endgrent();
1540#endif 1540#endif
1541 1541
1542 platform_setusercontext_post_groups(pw); 1542 platform_setusercontext_post_groups(pw, role);
1543 1543
1544 if (!in_chroot && options.chroot_directory != NULL && 1544 if (!in_chroot && options.chroot_directory != NULL &&
1545 strcasecmp(options.chroot_directory, "none") != 0) { 1545 strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1696,7 +1696,7 @@ do_child(Session *s, const char *command)
1696 1696
1697 /* Force a password change */ 1697 /* Force a password change */
1698 if (s->authctxt->force_pwchange) { 1698 if (s->authctxt->force_pwchange) {
1699 do_setusercontext(pw); 1699 do_setusercontext(pw, s->authctxt->role);
1700 child_close_fds(); 1700 child_close_fds();
1701 do_pwchange(s); 1701 do_pwchange(s);
1702 exit(1); 1702 exit(1);
@@ -1723,7 +1723,7 @@ do_child(Session *s, const char *command)
1723 /* When PAM is enabled we rely on it to do the nologin check */ 1723 /* When PAM is enabled we rely on it to do the nologin check */
1724 if (!options.use_pam) 1724 if (!options.use_pam)
1725 do_nologin(pw); 1725 do_nologin(pw);
1726 do_setusercontext(pw); 1726 do_setusercontext(pw, s->authctxt->role);
1727 /* 1727 /*
1728 * PAM session modules in do_setusercontext may have 1728 * PAM session modules in do_setusercontext may have
1729 * generated messages, so if this in an interactive 1729 * generated messages, so if this in an interactive
@@ -2134,7 +2134,7 @@ session_pty_req(Session *s)
2134 tty_parse_modes(s->ttyfd, &n_bytes); 2134 tty_parse_modes(s->ttyfd, &n_bytes);
2135 2135
2136 if (!use_privsep) 2136 if (!use_privsep)
2137 pty_setowner(s->pw, s->tty); 2137 pty_setowner(s->pw, s->tty, s->authctxt->role);
2138 2138
2139 /* Set window size from the packet. */ 2139 /* Set window size from the packet. */
2140 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 2140 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);