authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2018-08-24 17:49:07 +0100
commit03979f2e0768e146d179c66f2d2e33afe61c1be3 (patch)
tree624add62ece0fb72400966a483aa5af060fb0a77 /session.c
parent84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2018-08-24 Patch-Name: selinux-role.patch
Diffstat (limited to 'session.c')
-rw-r--r--session.c10
1 files changed, 5 insertions, 5 deletions
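--- a/session.c
+++ b/session.c
@@ -1378,7 +1378,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
 {
  char uidstr[32], *chroot_path, *tmp;
 
@@ -1406,7 +1406,7 @@ do_setusercontext(struct passwd *pw)
  endgrent();
 #endif
 
- platform_setusercontext_post_groups(pw);
+ platform_setusercontext_post_groups(pw, role);
 
  if (!in_chroot && options.chroot_directory != NULL &&
  strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 
  /* Force a password change */
  if (s->authctxt->force_pwchange) {
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
  child_close_fds(ssh);
  do_pwchange(s);
  exit(1);
@@ -1563,7 +1563,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
  /* When PAM is enabled we rely on it to do the nologin check */
  if (!options.use_pam)
  do_nologin(pw);
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
  /*
  * PAM session modules in do_setusercontext may have
  * generated messages, so if this in an interactive
@@ -1953,7 +1953,7 @@ session_pty_req(struct ssh *ssh, Session *s)
  ssh_tty_parse_modes(ssh, s->ttyfd);
 
  if (!use_privsep)
- pty_setowner(s->pw, s->tty);
+ pty_setowner(s->pw, s->tty, s->authctxt->role);
 
  /* Set window size from the packet. */
  pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);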
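Review bot: The header comment on do_setusercontext in the first hunk still reads `/* Set login name, uid, gid, and groups. */` and says nothing about the new `role` argument, so a reader cannot tell whether NULL is an accepted value for a session that requested no role or what is done with it here beyond forwarding to platform_setusercontext_post_groups. Suggest extending it to `/* Set login name, uid, gid, groups and, via platform_setusercontext_post_groups, the SELinux role requested at authentication (role may be NULL; it is not validated here). */`, adjusting the NULL wording if the platform layer does not accept it. Per the commit description the role value originates in the client-supplied username, so stating at this entry point that validation is presumed to happen elsewhere is worth the one sentence. The same argument is passed to pty_setowner in session_pty_req only on the `!use_privsep` path; whether the privilege-separated path carries the role is outside this diff. do_setusercontext, do_child and session_pty_req all extend beyond their hunks.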