Description: Make ChrootDirectory work with SELinux
After chroot() is called the SE Linux context setting won't work unless
/selinux and /proc are mounted in the chroot environment. Even worse, if
the user has control over the chroot environment then they may be able to
control the context that they get (I haven't verified this).
Author: Russell Coker <russell@coker.com.au>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1726
Bug-Debian: http://bugs.debian.org/556644
Last-Update: 2010-03-01
Index: b/session.c
===================================================================
--- a/session.c
+++ b/session.c
@@ -1551,6 +1551,10 @@
}
#endif /* HAVE_SETPCRED */
+#ifdef WITH_SELINUX
+ ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
+
if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
tmp = tilde_expand_filename(options.chroot_directory,
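Review bot: The relocated `ssh_selinux_setup_exec_context(pw->pw_name);` call has no comment saying that its position ahead of the ChrootDirectory block is deliberate, so a later tidy-up could move it back below the chroot and reintroduce the problem described in the patch header. I would add a comment above the `#ifdef WITH_SELINUX`, such as `/* Set the SELinux exec context before chroot(): it needs /selinux and /proc, and must not be resolved inside a tree the user may control. */`. The call now also runs before the uid check shown in the second hunk rather than after it, so it is worth confirming that the helper does not rely on already running as the target user; its body is not visible here. The enclosing function starts and ends outside the hunk.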
@@ -1575,10 +1579,6 @@
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
}
static void