authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2020-02-21 12:03:50 +0000
commitb108c6bbe4b3691600a272b27fa24d9080018db7 (patch)
tree1a39cd8b5f41790f369ea635f889675367c09c5b /session.c
parent31d42cd8624f29508f772447e617ab043a6487d9 (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2020-02-21 Patch-Name: selinux-role.patch
Diffstat (limited to 'session.c')
-rw-r--r--session.c10
1 files changed, 5 insertions, 5 deletions
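--- a/session.c
+++ b/session.c
@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
 {
 	char uidstr[32], *chroot_path, *tmp;
 
@@ -1388,7 +1388,7 @@ do_setusercontext(struct passwd *pw)
 	endgrent();
 #endif
 
-	platform_setusercontext_post_groups(pw);
+	platform_setusercontext_post_groups(pw, role);
 
 	if (!in_chroot && options.chroot_directory != NULL &&
 	    strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1529,7 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-		do_setusercontext(pw);
+		do_setusercontext(pw, s->authctxt->role);
 		child_close_fds(ssh);
 		do_pwchange(s);
 		exit(1);
@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	/* When PAM is enabled we rely on it to do the nologin check */
 	if (!options.use_pam)
 		do_nologin(pw);
-	do_setusercontext(pw);
+	do_setusercontext(pw, s->authctxt->role);
 	/*
 	 * PAM session modules in do_setusercontext may have
 	 * generated messages, so if this in an interactive
@@ -1946,7 +1946,7 @@ session_pty_req(struct ssh *ssh, Session *s)
 	sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 
 	if (!use_privsep)
-		pty_setowner(s->pw, s->tty);
+		pty_setowner(s->pw, s->tty, s->authctxt->role);
 
 	/* Set window size from the packet. */
 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);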
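Review bot: The header comment on do_setusercontext in the first hunk (@@ -1360) still reads `/* Set login name, uid, gid, and groups. */` and says nothing about the new `role` parameter, even though the later hunks in do_child and session_pty_req fill it from `s->authctxt->role`, which per the commit description is derived from a client-chosen "magic username" and is therefore attacker-influenced input. I would extend the comment to record that provenance and the NULL contract, e.g. `/* Set login name, uid, gid, groups and, if role != NULL, the client-requested SELinux role (taken from authctxt->role; any check that the user may assume it is presumably done in platform_setusercontext_post_groups — confirm). */`. In the last hunk, session_pty_req now dereferences `s->authctxt` where the old line did not; if authctxt can be unset for a session that reaches this point, the call needs a NULL guard, which I cannot confirm from the hunk alone. The bodies of do_setusercontext, do_child and session_pty_req all continue outside the hunks shown.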