authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2015-11-29 17:26:12 +0000
commit10dec1266aa5cf1ad906b1bef6f67edc322c00cb (patch)
treee7d77bfb62abe1038c7c0262b4cd7c97cb1076bf /session.c
parent206272ccede7e6fac5d7fda30ea305349b8ad781 (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
Diffstat (limited to 'session.c')
-rw-r--r--session.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/session.c b/session.c
index 5a64715e2..afac4a58f 100644
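--- a/session.c
+++ b/session.c
@@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
 {
  char *chroot_path, *tmp;
 #ifdef USE_LIBIAF
@@ -1518,7 +1518,7 @@ do_setusercontext(struct passwd *pw)
  endgrent();
 #endif
 
- platform_setusercontext_post_groups(pw);
+ platform_setusercontext_post_groups(pw, role);
 
  if (options.chroot_directory != NULL &&
  strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1677,7 +1677,7 @@ do_child(Session *s, const char *command)
 
  /* Force a password change */
  if (s->authctxt->force_pwchange) {
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
  child_close_fds();
  do_pwchange(s);
  exit(1);
@@ -1704,7 +1704,7 @@ do_child(Session *s, const char *command)
  /* When PAM is enabled we rely on it to do the nologin check */
  if (!options.use_pam)
  do_nologin(pw);
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
  /*
  * PAM session modules in do_setusercontext may have
  * generated messages, so if this in an interactive
@@ -2115,7 +2115,7 @@ session_pty_req(Session *s)
  tty_parse_modes(s->ttyfd, &n_bytes);
 
  if (!use_privsep)
- pty_setowner(s->pw, s->tty);
+ pty_setowner(s->pw, s->tty, s->authctxt->role);
 
  /* Set window size from the packet. */
  pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);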
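Review bot: The new `role` parameter of do_setusercontext() is undocumented; the comment above the definition still reads "Set login name, uid, gid, and groups." Going by the commit description ("magic usernames"), the role appears to come from the user name the client sends, so it is client-chosen data that reaches platform_setusercontext_post_groups() and pty_setowner() unchanged. None of the visible lines validate it or handle a NULL `s->authctxt->role`; presumably that is left to the callees and to SELinux policy outside this file, which is worth confirming. I would state the contract at the definition, e.g. `/* Set login name, uid, gid, groups and SELinux role; role is client-requested and may be NULL. */`, once the NULL case is verified. The bodies of do_setusercontext(), do_child() and session_pty_req() continue outside the hunks shown.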