authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2016-08-07 12:18:42 +0100
commit7a7851c903e5dbb58a85014deb2c88cb718068c9 (patch)
tree3c558bbeaf0e964e6b9c55128f0f8007113c47ef /session.c
parentc027de5eb3e6cb1718990841c2a9cbc89fd53151 (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
Diffstat (limited to 'session.c')
-rw-r--r--session.c10
1 files changed, 5 insertions, 5 deletions
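diff --git a/session.c b/session.c
index 2235f26ac..6dfcf842f 100644
--- a/session.c
+++ b/session.c
@@ -1517,7 +1517,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
 {
 	char *chroot_path, *tmp;
 
@@ -1545,7 +1545,7 @@ do_setusercontext(struct passwd *pw)
 	endgrent();
 #endif
 
-	platform_setusercontext_post_groups(pw);
+	platform_setusercontext_post_groups(pw, role);
 
 	if (!in_chroot && options.chroot_directory != NULL &&
 	    strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command)
 
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-		do_setusercontext(pw);
+		do_setusercontext(pw, s->authctxt->role);
 		child_close_fds();
 		do_pwchange(s);
 		exit(1);
@@ -1730,7 +1730,7 @@ do_child(Session *s, const char *command)
 	/* When PAM is enabled we rely on it to do the nologin check */
 	if (!options.use_pam)
 		do_nologin(pw);
-	do_setusercontext(pw);
+	do_setusercontext(pw, s->authctxt->role);
 	/*
 	 * PAM session modules in do_setusercontext may have
 	 * generated messages, so if this in an interactive
@@ -2141,7 +2141,7 @@ session_pty_req(Session *s)
 	tty_parse_modes(s->ttyfd, &n_bytes);
 
 	if (!use_privsep)
-		pty_setowner(s->pw, s->tty);
+		pty_setowner(s->pw, s->tty, s->authctxt->role);
 
 	/* Set window size from the packet. */
 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);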
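Review bot: The header comment above do_setusercontext still reads "Set login name, uid, gid, and groups." and says nothing about the new role parameter, its NULL-ness when no role was requested, or where the role string originates; since the commit description says it is parsed out of a "magic username" supplied by the client, the contract that role is attacker-influenced and must be validated by the SELinux layer belongs on the function, e.g. `/* Set login name, uid, gid, groups and, via the platform hook, the SELinux role (from the client-supplied login name; NULL if none). The platform code is responsible for checking the user is allowed that role. */`. In the last hunk the role is forwarded to pty_setowner() only on the `!use_privsep` path; under privilege separation the pty is owned/labelled by the monitor, which is outside this file, so unless the monitor-side call is patched too the role would presumably not be applied to the tty in the default configuration — worth confirming. The bodies of do_setusercontext, do_child and session_pty_req all continue outside these hunks.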