1 files changed, 293 insertions, 0 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
new file mode 100644
index 000000000..8a7e7c687
--- /dev/null
+++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,293 @@
+Description: Handle SELinux authorisation roles
+ Rejected upstream due to discomfort with magic usernames; a better approach
+ will need an SSH protocol change.  In the meantime, this came from Debian's
+ SELinux maintainer, so we'll keep it until we have something better.
+Author: Manoj Srivastava <srivasta@debian.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
+Bug-Debian: http://bugs.debian.org/394795
+Last-Update: 2010-02-27
+Index: b/auth.h
+===================================================================
+--- a/auth.h
+++ b/auth.h
+@@ -59,6 +59,7 @@
+        char            *service;
+        struct passwd   *pw;            /* set if 'valid' */
+        char            *style;
+       char            *role;
+        void            *kbdintctxt;
+        void            *jpake_ctx;
+ #ifdef BSD_AUTH
+Index: b/auth1.c
+===================================================================
+--- a/auth1.c
+++ b/auth1.c
+@@ -383,7 +383,7 @@
+ do_authentication(Authctxt *authctxt)
+ {
+        u_int ulen;
+-       char *user, *style = NULL;
+       char *user, *style = NULL, *role = NULL;
+ 
+        /* Get the name of the user that we wish to log in as. */
+        packet_read_expect(SSH_CMSG_USER);
+@@ -392,11 +392,17 @@
+        user = packet_get_string(&ulen);
+        packet_check_eom();
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = '\0';
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = '\0';
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        authctxt->user = user;
+        authctxt->style = style;
+       authctxt->role = role;
+ 
+        /* Verify that the user is a valid user. */
+        if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
+Index: b/auth2.c
+===================================================================
+--- a/auth2.c
+++ b/auth2.c
+@@ -217,7 +217,7 @@
+ {
+        Authctxt *authctxt = ctxt;
+        Authmethod *m = NULL;
+-       char *user, *service, *method, *style = NULL;
+       char *user, *service, *method, *style = NULL, *role = NULL;
+        int authenticated = 0;
+ 
+        if (authctxt == NULL)
+@@ -229,8 +229,13 @@
+        debug("userauth-request for user %s service %s method %s", user, service, method);
+        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = 0;
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = 0;
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        if (authctxt->attempt++ == 0) {
+                /* setup auth context */
+@@ -254,8 +259,9 @@
+                    use_privsep ? " [net]" : "");
+                authctxt->service = xstrdup(service);
+                authctxt->style = style ? xstrdup(style) : NULL;
+               authctxt->role = role ? xstrdup(role) : NULL;
+                if (use_privsep)
+-                       mm_inform_authserv(service, style);
+                       mm_inform_authserv(service, style, role);
+                userauth_banner();
+        } else if (strcmp(user, authctxt->user) != 0 ||
+            strcmp(service, authctxt->service) != 0) {
+Index: b/monitor.c
+===================================================================
+--- a/monitor.c
+++ b/monitor.c
+@@ -137,6 +137,7 @@
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -215,6 +216,7 @@
+     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -699,6 +701,7 @@
+        else {
+                /* Allow service/style information on the auth context */
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+               monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+        }
+ 
+@@ -732,14 +735,37 @@
+ 
+        authctxt->service = buffer_get_string(m, NULL);
+        authctxt->style = buffer_get_string(m, NULL);
+-       debug3("%s: service=%s, style=%s",
+-           __func__, authctxt->service, authctxt->style);
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: service=%s, style=%s, role=%s",
+           __func__, authctxt->service, authctxt->style, authctxt->role);
+ 
+        if (strlen(authctxt->style) == 0) {
+                xfree(authctxt->style);
+                authctxt->style = NULL;
+        }
+ 
+       if (strlen(authctxt->role) == 0) {
+               xfree(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+       return (0);
+}
+
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+       monitor_permit_authentications(1);
+
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: role=%s",
+           __func__, authctxt->role);
+
+       if (strlen(authctxt->role) == 0) {
+               xfree(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+        return (0);
+ }
+ 
+Index: b/monitor.h
+===================================================================
+--- a/monitor.h
+++ b/monitor.h
+@@ -30,7 +30,7 @@
+ 
+ enum monitor_reqtype {
+        MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
+-       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
+        MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
+        MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+        MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
+Index: b/monitor_wrap.c
+===================================================================
+--- a/monitor_wrap.c
+++ b/monitor_wrap.c
+@@ -279,10 +279,10 @@
+        return (banner);
+ }
+ 
+-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
+ 
+ void
+-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
+ {
+        Buffer m;
+ 
+@@ -291,12 +291,30 @@
+        buffer_init(&m);
+        buffer_put_cstring(&m, service);
+        buffer_put_cstring(&m, style ? style : "");
+       buffer_put_cstring(&m, role ? role : "");
+ 
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
+ 
+        buffer_free(&m);
+ }
+ 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+       Buffer m;
+
+       debug3("%s entering", __func__);
+
+       buffer_init(&m);
+       buffer_put_cstring(&m, role ? role : "");
+
+       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+       buffer_free(&m);
+}
+
+ /* Do the password authentication */
+ int
+ mm_auth_password(Authctxt *authctxt, char *password)
+Index: b/monitor_wrap.h
+===================================================================
+--- a/monitor_wrap.h
+++ b/monitor_wrap.h
+@@ -40,7 +40,8 @@
+ int mm_is_monitor(void);
+ DH *mm_choose_dh(int, int, int);
+ int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+-void mm_inform_authserv(char *, char *);
+void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
+ struct passwd *mm_getpwnamallow(const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct Authctxt *, char *);
+Index: b/openbsd-compat/port-linux.c
+===================================================================
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -29,6 +29,12 @@
+ #include <string.h>
+ #include <stdio.h>
+ 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
+@@ -38,6 +44,8 @@
+ #include <selinux/flask.h>
+ #include <selinux/get_context_list.h>
+ 
+extern Authctxt *the_authctxt;
+
+ /* Wrapper around is_selinux_enabled() to log its return value once only */
+ int
+ ssh_selinux_enabled(void)
+@@ -56,8 +64,8 @@
+ static security_context_t
+ ssh_selinux_getctxbyname(char *pwname)
+ {
+-       security_context_t sc;
+-       char *sename = NULL, *lvl = NULL;
+       security_context_t sc = NULL;
+       char *sename = NULL, *role = NULL, *lvl = NULL;
+        int r;
+ 
+ #ifdef HAVE_GETSEUSERBYNAME
+@@ -67,11 +75,20 @@
+        sename = pwname;
+        lvl = NULL;
+ #endif
+       if (the_authctxt)
+               role = the_authctxt->role;
+ 
+ #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+-       r = get_default_context_with_level(sename, lvl, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+                                                      &sc);
+       else
+               r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ #else
+-       r = get_default_context(sename, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_role(sename, role, NULL, &sc);
+       else
+               r = get_default_context(sename, NULL, &sc);
+ #endif
+ 
+        if (r != 0) {

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch new file mode 100644 index 000000000..8a7e7c687 --- /dev/null +++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,293 @@
	1	Description: Handle SELinux authorisation roles
	2	Rejected upstream due to discomfort with magic usernames; a better approach
	3	will need an SSH protocol change. In the meantime, this came from Debian's
	4	SELinux maintainer, so we'll keep it until we have something better.
	5	Author: Manoj Srivastava <srivasta@debian.org>
	6	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
	7	Bug-Debian: http://bugs.debian.org/394795
	8	Last-Update: 2010-02-27
	9
	10	Index: b/auth.h
	11	===================================================================
	12	--- a/auth.h
	13	+++ b/auth.h
	14	@@ -59,6 +59,7 @@
	15	char *service;
	16	struct passwd pw; / set if 'valid' */
	17	char *style;
	18	+ char *role;
	19	void *kbdintctxt;
	20	void *jpake_ctx;
	21	#ifdef BSD_AUTH
	22	Index: b/auth1.c
	23	===================================================================
	24	--- a/auth1.c
	25	+++ b/auth1.c
	26	@@ -383,7 +383,7 @@
	27	do_authentication(Authctxt *authctxt)
	28	{
	29	u_int ulen;
	30	- char user, style = NULL;
	31	+ char user, style = NULL, *role = NULL;
	32
	33	/* Get the name of the user that we wish to log in as. */
	34	packet_read_expect(SSH_CMSG_USER);
	35	@@ -392,11 +392,17 @@
	36	user = packet_get_string(&ulen);
	37	packet_check_eom();
	38
	39	+ if ((role = strchr(user, '/')) != NULL)
	40	+ *role++ = '\0';
	41	+
	42	if ((style = strchr(user, ':')) != NULL)
	43	*style++ = '\0';
	44	+ else if (role && (style = strchr(role, ':')) != NULL)
	45	+ *style++ = '\0';
	46
	47	authctxt->user = user;
	48	authctxt->style = style;
	49	+ authctxt->role = role;
	50
	51	/* Verify that the user is a valid user. */
	52	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
	53	Index: b/auth2.c
	54	===================================================================
	55	--- a/auth2.c
	56	+++ b/auth2.c
	57	@@ -217,7 +217,7 @@
	58	{
	59	Authctxt *authctxt = ctxt;
	60	Authmethod *m = NULL;
	61	- char user, service, method, style = NULL;
	62	+ char user, service, method, style = NULL, *role = NULL;
	63	int authenticated = 0;
	64
	65	if (authctxt == NULL)
	66	@@ -229,8 +229,13 @@
	67	debug("userauth-request for user %s service %s method %s", user, service, method);
	68	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
	69
	70	+ if ((role = strchr(user, '/')) != NULL)
	71	+ *role++ = 0;
	72	+
	73	if ((style = strchr(user, ':')) != NULL)
	74	*style++ = 0;
	75	+ else if (role && (style = strchr(role, ':')) != NULL)
	76	+ *style++ = '\0';
	77
	78	if (authctxt->attempt++ == 0) {
	79	/* setup auth context */
	80	@@ -254,8 +259,9 @@
	81	use_privsep ? " [net]" : "");
	82	authctxt->service = xstrdup(service);
	83	authctxt->style = style ? xstrdup(style) : NULL;
	84	+ authctxt->role = role ? xstrdup(role) : NULL;
	85	if (use_privsep)
	86	- mm_inform_authserv(service, style);
	87	+ mm_inform_authserv(service, style, role);
	88	userauth_banner();
	89	} else if (strcmp(user, authctxt->user) != 0 \|\|
	90	strcmp(service, authctxt->service) != 0) {
	91	Index: b/monitor.c
	92	===================================================================
	93	--- a/monitor.c
	94	+++ b/monitor.c
	95	@@ -137,6 +137,7 @@
	96	int mm_answer_pwnamallow(int, Buffer *);
	97	int mm_answer_auth2_read_banner(int, Buffer *);
	98	int mm_answer_authserv(int, Buffer *);
	99	+int mm_answer_authrole(int, Buffer *);
	100	int mm_answer_authpassword(int, Buffer *);
	101	int mm_answer_bsdauthquery(int, Buffer *);
	102	int mm_answer_bsdauthrespond(int, Buffer *);
	103	@@ -215,6 +216,7 @@
	104	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
	105	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
	106	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
	107	+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
	108	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
	109	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
	110	#ifdef USE_PAM
	111	@@ -699,6 +701,7 @@
	112	else {
	113	/* Allow service/style information on the auth context */
	114	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
	115	+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
	116	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
	117	}
	118
	119	@@ -732,14 +735,37 @@
	120
	121	authctxt->service = buffer_get_string(m, NULL);
	122	authctxt->style = buffer_get_string(m, NULL);
	123	- debug3("%s: service=%s, style=%s",
	124	- __func__, authctxt->service, authctxt->style);
	125	+ authctxt->role = buffer_get_string(m, NULL);
	126	+ debug3("%s: service=%s, style=%s, role=%s",
	127	+ __func__, authctxt->service, authctxt->style, authctxt->role);
	128
	129	if (strlen(authctxt->style) == 0) {
	130	xfree(authctxt->style);
	131	authctxt->style = NULL;
	132	}
	133
	134	+ if (strlen(authctxt->role) == 0) {
	135	+ xfree(authctxt->role);
	136	+ authctxt->role = NULL;
	137	+ }
	138	+
	139	+ return (0);
	140	+}
	141	+
	142	+int
	143	+mm_answer_authrole(int sock, Buffer *m)
	144	+{
	145	+ monitor_permit_authentications(1);
	146	+
	147	+ authctxt->role = buffer_get_string(m, NULL);
	148	+ debug3("%s: role=%s",
	149	+ __func__, authctxt->role);
	150	+
	151	+ if (strlen(authctxt->role) == 0) {
	152	+ xfree(authctxt->role);
	153	+ authctxt->role = NULL;
	154	+ }
	155	+
	156	return (0);
	157	}
	158
	159	Index: b/monitor.h
	160	===================================================================
	161	--- a/monitor.h
	162	+++ b/monitor.h
	163	@@ -30,7 +30,7 @@
	164
	165	enum monitor_reqtype {
	166	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
	167	- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
	168	+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
	169	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
	170	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
	171	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
	172	Index: b/monitor_wrap.c
	173	===================================================================
	174	--- a/monitor_wrap.c
	175	+++ b/monitor_wrap.c
	176	@@ -279,10 +279,10 @@
	177	return (banner);
	178	}
	179
	180	-/* Inform the privileged process about service and style */
	181	+/* Inform the privileged process about service, style, and role */
	182
	183	void
	184	-mm_inform_authserv(char service, char style)
	185	+mm_inform_authserv(char service, char style, char *role)
	186	{
	187	Buffer m;
	188
	189	@@ -291,12 +291,30 @@
	190	buffer_init(&m);
	191	buffer_put_cstring(&m, service);
	192	buffer_put_cstring(&m, style ? style : "");
	193	+ buffer_put_cstring(&m, role ? role : "");
	194
	195	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
	196
	197	buffer_free(&m);
	198	}
	199
	200	+/* Inform the privileged process about role */
	201	+
	202	+void
	203	+mm_inform_authrole(char *role)
	204	+{
	205	+ Buffer m;
	206	+
	207	+ debug3("%s entering", __func__);
	208	+
	209	+ buffer_init(&m);
	210	+ buffer_put_cstring(&m, role ? role : "");
	211	+
	212	+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
	213	+
	214	+ buffer_free(&m);
	215	+}
	216	+
	217	/* Do the password authentication */
	218	int
	219	mm_auth_password(Authctxt authctxt, char password)
	220	Index: b/monitor_wrap.h
	221	===================================================================
	222	--- a/monitor_wrap.h
	223	+++ b/monitor_wrap.h
	224	@@ -40,7 +40,8 @@
	225	int mm_is_monitor(void);
	226	DH *mm_choose_dh(int, int, int);
	227	int mm_key_sign(Key , u_char , u_int , u_char *, u_int);
	228	-void mm_inform_authserv(char , char );
	229	+void mm_inform_authserv(char , char , char *);
	230	+void mm_inform_authrole(char *);
	231	struct passwd mm_getpwnamallow(const char );
	232	char *mm_auth2_read_banner(void);
	233	int mm_auth_password(struct Authctxt , char );
	234	Index: b/openbsd-compat/port-linux.c
	235	===================================================================
	236	--- a/openbsd-compat/port-linux.c
	237	+++ b/openbsd-compat/port-linux.c
	238	@@ -29,6 +29,12 @@
	239	#include <string.h>
	240	#include <stdio.h>
	241
	242	+#ifdef WITH_SELINUX
	243	+#include "key.h"
	244	+#include "hostfile.h"
	245	+#include "auth.h"
	246	+#endif
	247	+
	248	#include "log.h"
	249	#include "xmalloc.h"
	250	#include "port-linux.h"
	251	@@ -38,6 +44,8 @@
	252	#include <selinux/flask.h>
	253	#include <selinux/get_context_list.h>
	254
	255	+extern Authctxt *the_authctxt;
	256	+
	257	/* Wrapper around is_selinux_enabled() to log its return value once only */
	258	int
	259	ssh_selinux_enabled(void)
	260	@@ -56,8 +64,8 @@
	261	static security_context_t
	262	ssh_selinux_getctxbyname(char *pwname)
	263	{
	264	- security_context_t sc;
	265	- char sename = NULL, lvl = NULL;
	266	+ security_context_t sc = NULL;
	267	+ char sename = NULL, role = NULL, *lvl = NULL;
	268	int r;
	269
	270	#ifdef HAVE_GETSEUSERBYNAME
	271	@@ -67,11 +75,20 @@
	272	sename = pwname;
	273	lvl = NULL;
	274	#endif
	275	+ if (the_authctxt)
	276	+ role = the_authctxt->role;
	277
	278	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
	279	- r = get_default_context_with_level(sename, lvl, NULL, &sc);
	280	+ if (role != NULL && role[0])
	281	+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
	282	+ &sc);
	283	+ else
	284	+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
	285	#else
	286	- r = get_default_context(sename, NULL, &sc);
	287	+ if (role != NULL && role[0])
	288	+ r = get_default_context_with_role(sename, role, NULL, &sc);
	289	+ else
	290	+ r = get_default_context(sename, NULL, &sc);
	291	#endif
	292
	293	if (r != 0) {