diff options
-rw-r--r-- | auth.h | 1 | ||||
-rw-r--r-- | auth2.c | 10 | ||||
-rw-r--r-- | monitor.c | 37 | ||||
-rw-r--r-- | monitor.h | 2 | ||||
-rw-r--r-- | monitor_wrap.c | 27 | ||||
-rw-r--r-- | monitor_wrap.h | 3 | ||||
-rw-r--r-- | openbsd-compat/port-linux.c | 21 | ||||
-rw-r--r-- | openbsd-compat/port-linux.h | 4 | ||||
-rw-r--r-- | platform.c | 4 | ||||
-rw-r--r-- | platform.h | 2 | ||||
-rw-r--r-- | session.c | 10 | ||||
-rw-r--r-- | session.h | 2 | ||||
-rw-r--r-- | sshd.c | 2 | ||||
-rw-r--r-- | sshpty.c | 4 | ||||
-rw-r--r-- | sshpty.h | 2 |
15 files changed, 99 insertions, 32 deletions
@@ -65,6 +65,7 @@ struct Authctxt { | |||
65 | char *service; | 65 | char *service; |
66 | struct passwd *pw; /* set if 'valid' */ | 66 | struct passwd *pw; /* set if 'valid' */ |
67 | char *style; | 67 | char *style; |
68 | char *role; | ||
68 | 69 | ||
69 | /* Method lists for multiple authentication */ | 70 | /* Method lists for multiple authentication */ |
70 | char **auth_methods; /* modified from server config */ | 71 | char **auth_methods; /* modified from server config */ |
@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
257 | { | 257 | { |
258 | Authctxt *authctxt = ssh->authctxt; | 258 | Authctxt *authctxt = ssh->authctxt; |
259 | Authmethod *m = NULL; | 259 | Authmethod *m = NULL; |
260 | char *user, *service, *method, *style = NULL; | 260 | char *user, *service, *method, *style = NULL, *role = NULL; |
261 | int authenticated = 0; | 261 | int authenticated = 0; |
262 | double tstart = monotime_double(); | 262 | double tstart = monotime_double(); |
263 | 263 | ||
@@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
270 | debug("userauth-request for user %s service %s method %s", user, service, method); | 270 | debug("userauth-request for user %s service %s method %s", user, service, method); |
271 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 271 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
272 | 272 | ||
273 | if ((role = strchr(user, '/')) != NULL) | ||
274 | *role++ = 0; | ||
275 | |||
273 | if ((style = strchr(user, ':')) != NULL) | 276 | if ((style = strchr(user, ':')) != NULL) |
274 | *style++ = 0; | 277 | *style++ = 0; |
278 | else if (role && (style = strchr(role, ':')) != NULL) | ||
279 | *style++ = '\0'; | ||
275 | 280 | ||
276 | if (authctxt->attempt++ == 0) { | 281 | if (authctxt->attempt++ == 0) { |
277 | /* setup auth context */ | 282 | /* setup auth context */ |
@@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
298 | use_privsep ? " [net]" : ""); | 303 | use_privsep ? " [net]" : ""); |
299 | authctxt->service = xstrdup(service); | 304 | authctxt->service = xstrdup(service); |
300 | authctxt->style = style ? xstrdup(style) : NULL; | 305 | authctxt->style = style ? xstrdup(style) : NULL; |
306 | authctxt->role = role ? xstrdup(role) : NULL; | ||
301 | if (use_privsep) | 307 | if (use_privsep) |
302 | mm_inform_authserv(service, style); | 308 | mm_inform_authserv(service, style, role); |
303 | userauth_banner(); | 309 | userauth_banner(); |
304 | if (auth2_setup_methods_lists(authctxt) != 0) | 310 | if (auth2_setup_methods_lists(authctxt) != 0) |
305 | packet_disconnect("no authentication methods enabled"); | 311 | packet_disconnect("no authentication methods enabled"); |
@@ -117,6 +117,7 @@ int mm_answer_sign(int, struct sshbuf *); | |||
117 | int mm_answer_pwnamallow(int, struct sshbuf *); | 117 | int mm_answer_pwnamallow(int, struct sshbuf *); |
118 | int mm_answer_auth2_read_banner(int, struct sshbuf *); | 118 | int mm_answer_auth2_read_banner(int, struct sshbuf *); |
119 | int mm_answer_authserv(int, struct sshbuf *); | 119 | int mm_answer_authserv(int, struct sshbuf *); |
120 | int mm_answer_authrole(int, struct sshbuf *); | ||
120 | int mm_answer_authpassword(int, struct sshbuf *); | 121 | int mm_answer_authpassword(int, struct sshbuf *); |
121 | int mm_answer_bsdauthquery(int, struct sshbuf *); | 122 | int mm_answer_bsdauthquery(int, struct sshbuf *); |
122 | int mm_answer_bsdauthrespond(int, struct sshbuf *); | 123 | int mm_answer_bsdauthrespond(int, struct sshbuf *); |
@@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = { | |||
193 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 194 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
194 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 195 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
195 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 196 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
197 | {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, | ||
196 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 198 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
197 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 199 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
198 | #ifdef USE_PAM | 200 | #ifdef USE_PAM |
@@ -817,6 +819,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | |||
817 | 819 | ||
818 | /* Allow service/style information on the auth context */ | 820 | /* Allow service/style information on the auth context */ |
819 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 821 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
822 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); | ||
820 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 823 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
821 | 824 | ||
822 | #ifdef USE_PAM | 825 | #ifdef USE_PAM |
@@ -850,16 +853,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) | |||
850 | monitor_permit_authentications(1); | 853 | monitor_permit_authentications(1); |
851 | 854 | ||
852 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || | 855 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || |
853 | (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0) | 856 | (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 || |
857 | (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) | ||
854 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 858 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
855 | debug3("%s: service=%s, style=%s", | 859 | debug3("%s: service=%s, style=%s, role=%s", |
856 | __func__, authctxt->service, authctxt->style); | 860 | __func__, authctxt->service, authctxt->style, authctxt->role); |
857 | 861 | ||
858 | if (strlen(authctxt->style) == 0) { | 862 | if (strlen(authctxt->style) == 0) { |
859 | free(authctxt->style); | 863 | free(authctxt->style); |
860 | authctxt->style = NULL; | 864 | authctxt->style = NULL; |
861 | } | 865 | } |
862 | 866 | ||
867 | if (strlen(authctxt->role) == 0) { | ||
868 | free(authctxt->role); | ||
869 | authctxt->role = NULL; | ||
870 | } | ||
871 | |||
872 | return (0); | ||
873 | } | ||
874 | |||
875 | int | ||
876 | mm_answer_authrole(int sock, struct sshbuf *m) | ||
877 | { | ||
878 | int r; | ||
879 | |||
880 | monitor_permit_authentications(1); | ||
881 | |||
882 | if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) | ||
883 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
884 | debug3("%s: role=%s", | ||
885 | __func__, authctxt->role); | ||
886 | |||
887 | if (strlen(authctxt->role) == 0) { | ||
888 | free(authctxt->role); | ||
889 | authctxt->role = NULL; | ||
890 | } | ||
891 | |||
863 | return (0); | 892 | return (0); |
864 | } | 893 | } |
865 | 894 | ||
@@ -1501,7 +1530,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | |||
1501 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 1530 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
1502 | if (res == 0) | 1531 | if (res == 0) |
1503 | goto error; | 1532 | goto error; |
1504 | pty_setowner(authctxt->pw, s->tty); | 1533 | pty_setowner(authctxt->pw, s->tty, authctxt->role); |
1505 | 1534 | ||
1506 | if ((r = sshbuf_put_u32(m, 1)) != 0 || | 1535 | if ((r = sshbuf_put_u32(m, 1)) != 0 || |
1507 | (r = sshbuf_put_cstring(m, s->tty)) != 0) | 1536 | (r = sshbuf_put_cstring(m, s->tty)) != 0) |
@@ -66,6 +66,8 @@ enum monitor_reqtype { | |||
66 | MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, | 66 | MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, |
67 | MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, | 67 | MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, |
68 | 68 | ||
69 | MONITOR_REQ_AUTHROLE = 154, | ||
70 | |||
69 | }; | 71 | }; |
70 | 72 | ||
71 | struct monitor { | 73 | struct monitor { |
diff --git a/monitor_wrap.c b/monitor_wrap.c index 1865a122a..fd4d7eb3b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -369,10 +369,10 @@ mm_auth2_read_banner(void) | |||
369 | return (banner); | 369 | return (banner); |
370 | } | 370 | } |
371 | 371 | ||
372 | /* Inform the privileged process about service and style */ | 372 | /* Inform the privileged process about service, style, and role */ |
373 | 373 | ||
374 | void | 374 | void |
375 | mm_inform_authserv(char *service, char *style) | 375 | mm_inform_authserv(char *service, char *style, char *role) |
376 | { | 376 | { |
377 | struct sshbuf *m; | 377 | struct sshbuf *m; |
378 | int r; | 378 | int r; |
@@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style) | |||
382 | if ((m = sshbuf_new()) == NULL) | 382 | if ((m = sshbuf_new()) == NULL) |
383 | fatal("%s: sshbuf_new failed", __func__); | 383 | fatal("%s: sshbuf_new failed", __func__); |
384 | if ((r = sshbuf_put_cstring(m, service)) != 0 || | 384 | if ((r = sshbuf_put_cstring(m, service)) != 0 || |
385 | (r = sshbuf_put_cstring(m, style ? style : "")) != 0) | 385 | (r = sshbuf_put_cstring(m, style ? style : "")) != 0 || |
386 | (r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
386 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 387 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
387 | 388 | ||
388 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); | 389 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); |
@@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style) | |||
390 | sshbuf_free(m); | 391 | sshbuf_free(m); |
391 | } | 392 | } |
392 | 393 | ||
394 | /* Inform the privileged process about role */ | ||
395 | |||
396 | void | ||
397 | mm_inform_authrole(char *role) | ||
398 | { | ||
399 | struct sshbuf *m; | ||
400 | int r; | ||
401 | |||
402 | debug3("%s entering", __func__); | ||
403 | |||
404 | if ((m = sshbuf_new()) == NULL) | ||
405 | fatal("%s: sshbuf_new failed", __func__); | ||
406 | if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
407 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
408 | |||
409 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); | ||
410 | |||
411 | sshbuf_free(m); | ||
412 | } | ||
413 | |||
393 | /* Do the password authentication */ | 414 | /* Do the password authentication */ |
394 | int | 415 | int |
395 | mm_auth_password(struct ssh *ssh, char *password) | 416 | mm_auth_password(struct ssh *ssh, char *password) |
diff --git a/monitor_wrap.h b/monitor_wrap.h index 7f93144ff..79e78cc90 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h | |||
@@ -43,7 +43,8 @@ int mm_is_monitor(void); | |||
43 | DH *mm_choose_dh(int, int, int); | 43 | DH *mm_choose_dh(int, int, int); |
44 | int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t, | 44 | int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t, |
45 | const char *, u_int compat); | 45 | const char *, u_int compat); |
46 | void mm_inform_authserv(char *, char *); | 46 | void mm_inform_authserv(char *, char *, char *); |
47 | void mm_inform_authrole(char *); | ||
47 | struct passwd *mm_getpwnamallow(const char *); | 48 | struct passwd *mm_getpwnamallow(const char *); |
48 | char *mm_auth2_read_banner(void); | 49 | char *mm_auth2_read_banner(void); |
49 | int mm_auth_password(struct ssh *, char *); | 50 | int mm_auth_password(struct ssh *, char *); |
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 622988822..3e6e07670 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
@@ -56,7 +56,7 @@ ssh_selinux_enabled(void) | |||
56 | 56 | ||
57 | /* Return the default security context for the given username */ | 57 | /* Return the default security context for the given username */ |
58 | static security_context_t | 58 | static security_context_t |
59 | ssh_selinux_getctxbyname(char *pwname) | 59 | ssh_selinux_getctxbyname(char *pwname, const char *role) |
60 | { | 60 | { |
61 | security_context_t sc = NULL; | 61 | security_context_t sc = NULL; |
62 | char *sename = NULL, *lvl = NULL; | 62 | char *sename = NULL, *lvl = NULL; |
@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname) | |||
71 | #endif | 71 | #endif |
72 | 72 | ||
73 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 73 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
74 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | 74 | if (role != NULL && role[0]) |
75 | r = get_default_context_with_rolelevel(sename, role, lvl, NULL, | ||
76 | &sc); | ||
77 | else | ||
78 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
75 | #else | 79 | #else |
76 | r = get_default_context(sename, NULL, &sc); | 80 | if (role != NULL && role[0]) |
81 | r = get_default_context_with_role(sename, role, NULL, &sc); | ||
82 | else | ||
83 | r = get_default_context(sename, NULL, &sc); | ||
77 | #endif | 84 | #endif |
78 | 85 | ||
79 | if (r != 0) { | 86 | if (r != 0) { |
@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname) | |||
103 | 110 | ||
104 | /* Set the execution context to the default for the specified user */ | 111 | /* Set the execution context to the default for the specified user */ |
105 | void | 112 | void |
106 | ssh_selinux_setup_exec_context(char *pwname) | 113 | ssh_selinux_setup_exec_context(char *pwname, const char *role) |
107 | { | 114 | { |
108 | security_context_t user_ctx = NULL; | 115 | security_context_t user_ctx = NULL; |
109 | 116 | ||
@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
112 | 119 | ||
113 | debug3("%s: setting execution context", __func__); | 120 | debug3("%s: setting execution context", __func__); |
114 | 121 | ||
115 | user_ctx = ssh_selinux_getctxbyname(pwname); | 122 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
116 | if (setexeccon(user_ctx) != 0) { | 123 | if (setexeccon(user_ctx) != 0) { |
117 | switch (security_getenforce()) { | 124 | switch (security_getenforce()) { |
118 | case -1: | 125 | case -1: |
@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
134 | 141 | ||
135 | /* Set the TTY context for the specified user */ | 142 | /* Set the TTY context for the specified user */ |
136 | void | 143 | void |
137 | ssh_selinux_setup_pty(char *pwname, const char *tty) | 144 | ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) |
138 | { | 145 | { |
139 | security_context_t new_tty_ctx = NULL; | 146 | security_context_t new_tty_ctx = NULL; |
140 | security_context_t user_ctx = NULL; | 147 | security_context_t user_ctx = NULL; |
@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | |||
146 | 153 | ||
147 | debug3("%s: setting TTY context on %s", __func__, tty); | 154 | debug3("%s: setting TTY context on %s", __func__, tty); |
148 | 155 | ||
149 | user_ctx = ssh_selinux_getctxbyname(pwname); | 156 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
150 | 157 | ||
151 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | 158 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ |
152 | 159 | ||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h index 3c22a854d..c88129428 100644 --- a/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h | |||
@@ -19,8 +19,8 @@ | |||
19 | 19 | ||
20 | #ifdef WITH_SELINUX | 20 | #ifdef WITH_SELINUX |
21 | int ssh_selinux_enabled(void); | 21 | int ssh_selinux_enabled(void); |
22 | void ssh_selinux_setup_pty(char *, const char *); | 22 | void ssh_selinux_setup_pty(char *, const char *, const char *); |
23 | void ssh_selinux_setup_exec_context(char *); | 23 | void ssh_selinux_setup_exec_context(char *, const char *); |
24 | void ssh_selinux_change_context(const char *); | 24 | void ssh_selinux_change_context(const char *); |
25 | void ssh_selinux_setfscreatecon(const char *); | 25 | void ssh_selinux_setfscreatecon(const char *); |
26 | #endif | 26 | #endif |
diff --git a/platform.c b/platform.c index 41acc9370..35654ea51 100644 --- a/platform.c +++ b/platform.c | |||
@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) | |||
142 | * called if sshd is running as root. | 142 | * called if sshd is running as root. |
143 | */ | 143 | */ |
144 | void | 144 | void |
145 | platform_setusercontext_post_groups(struct passwd *pw) | 145 | platform_setusercontext_post_groups(struct passwd *pw, const char *role) |
146 | { | 146 | { |
147 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | 147 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) |
148 | /* | 148 | /* |
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) | |||
183 | } | 183 | } |
184 | #endif /* HAVE_SETPCRED */ | 184 | #endif /* HAVE_SETPCRED */ |
185 | #ifdef WITH_SELINUX | 185 | #ifdef WITH_SELINUX |
186 | ssh_selinux_setup_exec_context(pw->pw_name); | 186 | ssh_selinux_setup_exec_context(pw->pw_name, role); |
187 | #endif | 187 | #endif |
188 | } | 188 | } |
189 | 189 | ||
diff --git a/platform.h b/platform.h index ea4f9c584..60d72ffe7 100644 --- a/platform.h +++ b/platform.h | |||
@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid); | |||
25 | void platform_post_fork_child(void); | 25 | void platform_post_fork_child(void); |
26 | int platform_privileged_uidswap(void); | 26 | int platform_privileged_uidswap(void); |
27 | void platform_setusercontext(struct passwd *); | 27 | void platform_setusercontext(struct passwd *); |
28 | void platform_setusercontext_post_groups(struct passwd *); | 28 | void platform_setusercontext_post_groups(struct passwd *, const char *); |
29 | char *platform_get_krb5_client(const char *); | 29 | char *platform_get_krb5_client(const char *); |
30 | char *platform_krb5_get_principal_name(const char *); | 30 | char *platform_krb5_get_principal_name(const char *); |
31 | int platform_sys_dir_uid(uid_t); | 31 | int platform_sys_dir_uid(uid_t); |
@@ -1380,7 +1380,7 @@ safely_chroot(const char *path, uid_t uid) | |||
1380 | 1380 | ||
1381 | /* Set login name, uid, gid, and groups. */ | 1381 | /* Set login name, uid, gid, and groups. */ |
1382 | void | 1382 | void |
1383 | do_setusercontext(struct passwd *pw) | 1383 | do_setusercontext(struct passwd *pw, const char *role) |
1384 | { | 1384 | { |
1385 | char uidstr[32], *chroot_path, *tmp; | 1385 | char uidstr[32], *chroot_path, *tmp; |
1386 | 1386 | ||
@@ -1408,7 +1408,7 @@ do_setusercontext(struct passwd *pw) | |||
1408 | endgrent(); | 1408 | endgrent(); |
1409 | #endif | 1409 | #endif |
1410 | 1410 | ||
1411 | platform_setusercontext_post_groups(pw); | 1411 | platform_setusercontext_post_groups(pw, role); |
1412 | 1412 | ||
1413 | if (!in_chroot && options.chroot_directory != NULL && | 1413 | if (!in_chroot && options.chroot_directory != NULL && |
1414 | strcasecmp(options.chroot_directory, "none") != 0) { | 1414 | strcasecmp(options.chroot_directory, "none") != 0) { |
@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | |||
1547 | 1547 | ||
1548 | /* Force a password change */ | 1548 | /* Force a password change */ |
1549 | if (s->authctxt->force_pwchange) { | 1549 | if (s->authctxt->force_pwchange) { |
1550 | do_setusercontext(pw); | 1550 | do_setusercontext(pw, s->authctxt->role); |
1551 | child_close_fds(ssh); | 1551 | child_close_fds(ssh); |
1552 | do_pwchange(s); | 1552 | do_pwchange(s); |
1553 | exit(1); | 1553 | exit(1); |
@@ -1565,7 +1565,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | |||
1565 | /* When PAM is enabled we rely on it to do the nologin check */ | 1565 | /* When PAM is enabled we rely on it to do the nologin check */ |
1566 | if (!options.use_pam) | 1566 | if (!options.use_pam) |
1567 | do_nologin(pw); | 1567 | do_nologin(pw); |
1568 | do_setusercontext(pw); | 1568 | do_setusercontext(pw, s->authctxt->role); |
1569 | /* | 1569 | /* |
1570 | * PAM session modules in do_setusercontext may have | 1570 | * PAM session modules in do_setusercontext may have |
1571 | * generated messages, so if this in an interactive | 1571 | * generated messages, so if this in an interactive |
@@ -1955,7 +1955,7 @@ session_pty_req(struct ssh *ssh, Session *s) | |||
1955 | ssh_tty_parse_modes(ssh, s->ttyfd); | 1955 | ssh_tty_parse_modes(ssh, s->ttyfd); |
1956 | 1956 | ||
1957 | if (!use_privsep) | 1957 | if (!use_privsep) |
1958 | pty_setowner(s->pw, s->tty); | 1958 | pty_setowner(s->pw, s->tty, s->authctxt->role); |
1959 | 1959 | ||
1960 | /* Set window size from the packet. */ | 1960 | /* Set window size from the packet. */ |
1961 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | 1961 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); |
@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *); | |||
77 | Session *session_new(void); | 77 | Session *session_new(void); |
78 | Session *session_by_tty(char *); | 78 | Session *session_by_tty(char *); |
79 | void session_close(struct ssh *, Session *); | 79 | void session_close(struct ssh *, Session *); |
80 | void do_setusercontext(struct passwd *); | 80 | void do_setusercontext(struct passwd *, const char *); |
81 | 81 | ||
82 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); | 82 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); |
83 | 83 | ||
@@ -683,7 +683,7 @@ privsep_postauth(Authctxt *authctxt) | |||
683 | reseed_prngs(); | 683 | reseed_prngs(); |
684 | 684 | ||
685 | /* Drop privileges */ | 685 | /* Drop privileges */ |
686 | do_setusercontext(authctxt->pw); | 686 | do_setusercontext(authctxt->pw, authctxt->role); |
687 | 687 | ||
688 | skip: | 688 | skip: |
689 | /* It is safe now to apply the key state */ | 689 | /* It is safe now to apply the key state */ |
@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, | |||
162 | } | 162 | } |
163 | 163 | ||
164 | void | 164 | void |
165 | pty_setowner(struct passwd *pw, const char *tty) | 165 | pty_setowner(struct passwd *pw, const char *tty, const char *role) |
166 | { | 166 | { |
167 | struct group *grp; | 167 | struct group *grp; |
168 | gid_t gid; | 168 | gid_t gid; |
@@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty) | |||
184 | strerror(errno)); | 184 | strerror(errno)); |
185 | 185 | ||
186 | #ifdef WITH_SELINUX | 186 | #ifdef WITH_SELINUX |
187 | ssh_selinux_setup_pty(pw->pw_name, tty); | 187 | ssh_selinux_setup_pty(pw->pw_name, tty, role); |
188 | #endif | 188 | #endif |
189 | 189 | ||
190 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { | 190 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { |
@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t); | |||
24 | void pty_release(const char *); | 24 | void pty_release(const char *); |
25 | void pty_make_controlling_tty(int *, const char *); | 25 | void pty_make_controlling_tty(int *, const char *); |
26 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); | 26 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); |
27 | void pty_setowner(struct passwd *, const char *); | 27 | void pty_setowner(struct passwd *, const char *, const char *); |
28 | void disconnect_controlling_tty(void); | 28 | void disconnect_controlling_tty(void); |