authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2017-03-29 01:38:38 +0100
commite5d3ea2ca423a54b1d53d45252cb7173a15600eb (patch)
treef62cc47e5d58909724339ee922845c3c2b881cd6 /session.c
parent9d91ede3c03c99b6584038aa07d095d7c277ad3a (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
Diffstat (limited to 'session.c')
-rw-r--r--session.c10
1 files changed, 5 insertions, 5 deletions
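diff --git a/session.c b/session.c
index a08aa69d1..ea3871eb8 100644
--- a/session.c
+++ b/session.c
@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
 {
 	char *chroot_path, *tmp;
 
@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)
 	endgrent();
 #endif
 
-	platform_setusercontext_post_groups(pw);
+	platform_setusercontext_post_groups(pw, role);
 
 	if (!in_chroot && options.chroot_directory != NULL &&
 	    strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1489,7 +1489,7 @@ do_child(Session *s, const char *command)
 
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-		do_setusercontext(pw);
+		do_setusercontext(pw, s->authctxt->role);
 		child_close_fds();
 		do_pwchange(s);
 		exit(1);
@@ -1511,7 +1511,7 @@ do_child(Session *s, const char *command)
 	/* When PAM is enabled we rely on it to do the nologin check */
 	if (!options.use_pam)
 		do_nologin(pw);
-	do_setusercontext(pw);
+	do_setusercontext(pw, s->authctxt->role);
 	/*
 	 * PAM session modules in do_setusercontext may have
 	 * generated messages, so if this in an interactive
@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)
 	tty_parse_modes(s->ttyfd, &n_bytes);
 
 	if (!use_privsep)
-		pty_setowner(s->pw, s->tty);
+		pty_setowner(s->pw, s->tty, s->authctxt->role);
 
 	/* Set window size from the packet. */
 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);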
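Review bot: The new `role` parameter of `do_setusercontext` (first hunk, line 1328) is undocumented: the header comment at 1326 still reads `/* Set login name, uid, gid, and groups. */` and says nothing about what `role` is or whether it may be NULL. Suggest `/* Set login name, uid, gid, groups and, if role is non-NULL, the SELinux role requested at authentication. */`. Every call site in the later hunks passes `s->authctxt->role` straight through, so `platform_setusercontext_post_groups` and `pty_setowner` presumably have to accept a NULL role as "use the default"; that contract is not visible here and the body of `do_setusercontext` runs outside the hunk. Per the description the role is derived from a client-chosen "magic username", so the callee that applies it, not session.c, is where it must be checked against the user's permitted roles; worth confirming in the companion platform change. In the last hunk the role only reaches `pty_setowner` on the `!use_privsep` path, so the privsep path needs the equivalent handling in the monitor, which this diff (limited to session.c) does not show.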