diff --git a/openssh-5.2p1-selinux.patch b/openssh-5.2p1-selinux.patch index 84dfbc7..19cea68 100644 --- a/openssh-5.2p1-selinux.patch +++ b/openssh-5.2p1-selinux.patch @@ -1,116 +1,301 @@ -diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac ---- openssh-5.2p1/configure.ac.selinux 2008-07-23 16:32:13.000000000 +0200 -+++ openssh-5.2p1/configure.ac 2008-07-23 16:32:13.000000000 +0200 -@@ -3309,6 +3309,7 @@ AC_ARG_WITH(selinux, - AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], - AC_MSG_ERROR(SELinux support requires libselinux library)) - SSHDLIBS="$SSHDLIBS $LIBSELINUX" -+ LIBS="$LIBS $LIBSELINUX" - AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) - LIBS="$save_LIBS" - fi ] diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c ---- openssh-5.2p1/auth1.c.selinux 2008-07-23 16:32:13.000000000 +0200 -+++ openssh-5.2p1/auth1.c 2008-07-23 16:32:13.000000000 +0200 -@@ -391,7 +391,7 @@ void - do_authentication(Authctxt *authctxt) +--- openssh-5.2p1/auth1.c.selinux 2008-07-09 12:54:05.000000000 +0200 ++++ openssh-5.2p1/auth1.c 2009-08-11 22:43:07.918183730 +0200 +@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt) { u_int ulen; -- char *user, *style = NULL; -+ char *user, *style = NULL, *role=NULL; + char *user, *style = NULL; ++#ifdef WITH_SELINUX ++ char *role=NULL; ++#endif /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -400,11 +400,19 @@ do_authentication(Authctxt *authctxt) +@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt) user = packet_get_string(&ulen); packet_check_eom(); ++#ifdef WITH_SELINUX + if ((role = strchr(user, '/')) != NULL) + *role++ = '\0'; ++#endif + if ((style = strchr(user, ':')) != NULL) *style++ = '\0'; ++#ifdef WITH_SELINUX + else + if (role && (style = strchr(role, ':')) != NULL) + *style++ = '\0'; ++#endif + authctxt->user = user; authctxt->style = style; ++#ifdef WITH_SELINUX + authctxt->role = role; ++#endif /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) +diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c +--- openssh-5.2p1/auth2.c.selinux 2008-11-05 06:20:46.000000000 +0100 ++++ openssh-5.2p1/auth2.c 2009-08-11 22:43:07.919756192 +0200 +@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32 + Authctxt *authctxt = ctxt; + Authmethod *m = NULL; + char *user, *service, *method, *style = NULL; ++#ifdef WITH_SELINUX ++ char *role = NULL; ++#endif + int authenticated = 0; + + if (authctxt == NULL) +@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32 + debug("userauth-request for user %s service %s method %s", user, service, method); + debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); + ++#ifdef WITH_SELINUX ++ if ((role = strchr(user, '/')) != NULL) ++ *role++ = 0; ++#endif ++ + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; + +@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32 + use_privsep ? " [net]" : ""); + authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; +- if (use_privsep) ++#ifdef WITH_SELINUX ++ authctxt->role = role ? xstrdup(role) : NULL; ++#endif ++ if (use_privsep) { + mm_inform_authserv(service, style); ++#ifdef WITH_SELINUX ++ mm_inform_authrole(role); ++#endif ++ } + userauth_banner(); + } else if (strcmp(user, authctxt->user) != 0 || + strcmp(service, authctxt->service) != 0) { +diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c +--- openssh-5.2p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100 ++++ openssh-5.2p1/auth2-gss.c 2009-08-11 22:43:07.921723295 +0200 +@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + int authenticated = 0; ++ char *micuser; + Buffer b; + gss_buffer_desc mic, gssbuf; + u_int len; +@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple + mic.value = packet_get_string(&len); + mic.length = len; + +- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, ++#ifdef WITH_SELINUX ++ if (authctxt->role && (strlen(authctxt->role) > 0)) ++ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role); ++ else ++#endif ++ micuser = authctxt->user; ++ ssh_gssapi_buildmic(&b, micuser, authctxt->service, + "gssapi-with-mic"); + + gssbuf.value = buffer_ptr(&b); +@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple + logit("GSSAPI MIC check failed"); + + buffer_free(&b); ++ if (micuser != authctxt->user) ++ xfree(micuser); + xfree(mic.value); + + authctxt->postponed = 0; +diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c +--- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200 ++++ openssh-5.2p1/auth2-hostbased.c 2009-08-11 22:43:07.923721059 +0200 +@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) + buffer_put_string(&b, session_id2, session_id2_len); + /* reconstruct packet */ + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); +- buffer_put_cstring(&b, authctxt->user); ++#ifdef WITH_SELINUX ++ if (authctxt->role) { ++ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); ++ buffer_append(&b, authctxt->user, strlen(authctxt->user)); ++ buffer_put_char(&b, '/'); ++ buffer_append(&b, authctxt->role, strlen(authctxt->role)); ++ } else ++#endif ++ buffer_put_cstring(&b, authctxt->user); + buffer_put_cstring(&b, service); + buffer_put_cstring(&b, "hostbased"); + buffer_put_string(&b, pkalg, alen); diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c --- openssh-5.2p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200 -+++ openssh-5.2p1/auth2-pubkey.c 2008-07-23 16:32:13.000000000 +0200 -@@ -117,7 +117,14 @@ userauth_pubkey(Authctxt *authctxt) ++++ openssh-5.2p1/auth2-pubkey.c 2009-08-11 22:43:07.925704588 +0200 +@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); - buffer_put_cstring(&b, authctxt->user); ++#ifdef WITH_SELINUX + if (authctxt->role) { + buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); + buffer_append(&b, authctxt->user, strlen(authctxt->user)); + buffer_put_char(&b, '/'); + buffer_append(&b, authctxt->role, strlen(authctxt->role)); -+ } else { ++ } else ++#endif + buffer_put_cstring(&b, authctxt->user); -+ } buffer_put_cstring(&b, datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : -diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h ---- openssh-5.2p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-5.2p1/monitor_wrap.h 2008-07-23 16:32:13.000000000 +0200 -@@ -41,6 +41,7 @@ int mm_is_monitor(void); - DH *mm_choose_dh(int, int, int); - int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); - void mm_inform_authserv(char *, char *); -+void mm_inform_authrole(char *); - struct passwd *mm_getpwnamallow(const char *); - char *mm_auth2_read_banner(void); - int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h ---- openssh-5.2p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 -+++ openssh-5.2p1/monitor.h 2008-07-23 16:32:13.000000000 +0200 -@@ -30,7 +30,7 @@ +diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h +--- openssh-5.2p1/auth.h.selinux 2008-11-05 06:20:46.000000000 +0100 ++++ openssh-5.2p1/auth.h 2009-08-11 22:43:07.927199901 +0200 +@@ -58,6 +58,9 @@ struct Authctxt { + char *service; + struct passwd *pw; /* set if 'valid' */ + char *style; ++#ifdef WITH_SELINUX ++ char *role; ++#endif + void *kbdintctxt; + void *jpake_ctx; + #ifdef BSD_AUTH +diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac +--- openssh-5.2p1/configure.ac.selinux 2009-02-16 05:37:03.000000000 +0100 ++++ openssh-5.2p1/configure.ac 2009-08-11 22:43:07.930259052 +0200 +@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux, + AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], + AC_MSG_ERROR(SELinux support requires libselinux library)) + SSHDLIBS="$SSHDLIBS $LIBSELINUX" ++ LIBS="$LIBS $LIBSELINUX" + AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) + LIBS="$save_LIBS" + fi ] +diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c +--- openssh-5.2p1/monitor.c.selinux 2009-02-14 06:33:31.000000000 +0100 ++++ openssh-5.2p1/monitor.c 2009-08-11 22:43:07.933623092 +0200 +@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *); + int mm_answer_pwnamallow(int, Buffer *); + int mm_answer_auth2_read_banner(int, Buffer *); + int mm_answer_authserv(int, Buffer *); ++#ifdef WITH_SELINUX ++int mm_answer_authrole(int, Buffer *); ++#endif + int mm_answer_authpassword(int, Buffer *); + int mm_answer_bsdauthquery(int, Buffer *); + int mm_answer_bsdauthrespond(int, Buffer *); +@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[] + {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, + {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, + {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, ++#ifdef WITH_SELINUX ++ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, ++#endif + {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, + {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + #ifdef USE_PAM +@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m + else { + /* Allow service/style information on the auth context */ + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); ++#ifdef WITH_SELINUX ++ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); ++#endif + monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); + } + +@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m) + return (0); + } + ++#ifdef WITH_SELINUX ++int ++mm_answer_authrole(int sock, Buffer *m) ++{ ++ monitor_permit_authentications(1); ++ ++ authctxt->role = buffer_get_string(m, NULL); ++ debug3("%s: role=%s", ++ __func__, authctxt->role); ++ ++ if (strlen(authctxt->role) == 0) { ++ xfree(authctxt->role); ++ authctxt->role = NULL; ++ } ++ ++ return (0); ++} ++#endif ++ + int + mm_answer_authpassword(int sock, Buffer *m) + { +@@ -1102,7 +1130,7 @@ static int + monitor_valid_userblob(u_char *data, u_int datalen) + { + Buffer b; +- char *p; ++ char *p, *r; + u_int len; + int fail = 0; +@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i + if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) + fail++; + p = buffer_get_string(&b, NULL); ++ if ((r = strchr(p, '/')) != NULL) ++ *r = '\0'; + if (strcmp(authctxt->user, p) != 0) { + logit("wrong user name passed to monitor: expected %s != %.100s", + authctxt->user, p); +@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data + char *chost) + { + Buffer b; +- char *p; ++ char *p, *r; + u_int len; + int fail = 0; + +@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data + if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) + fail++; + p = buffer_get_string(&b, NULL); ++ if ((r = strchr(p, '/')) != NULL) ++ *r = '\0'; + if (strcmp(authctxt->user, p) != 0) { + logit("wrong user name passed to monitor: expected %s != %.100s", + authctxt->user, p); +diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h +--- openssh-5.2p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100 ++++ openssh-5.2p1/monitor.h 2009-08-11 22:43:07.935612930 +0200 +@@ -31,6 +31,9 @@ enum monitor_reqtype { MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, -- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, -+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE, + MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, ++#ifdef WITH_SELINUX ++ MONITOR_REQ_AUTHROLE, ++#endif MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, -diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c ---- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200 -+++ openssh-5.2p1/auth2-hostbased.c 2008-07-23 16:32:13.000000000 +0200 -@@ -106,7 +106,14 @@ userauth_hostbased(Authctxt *authctxt) - buffer_put_string(&b, session_id2, session_id2_len); - /* reconstruct packet */ - buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); -- buffer_put_cstring(&b, authctxt->user); -+ if (authctxt->role) { -+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); -+ buffer_append(&b, authctxt->user, strlen(authctxt->user)); -+ buffer_put_char(&b, '/'); -+ buffer_append(&b, authctxt->role, strlen(authctxt->role)); -+ } else { -+ buffer_put_cstring(&b, authctxt->user); -+ } - buffer_put_cstring(&b, service); - buffer_put_cstring(&b, "hostbased"); - buffer_put_string(&b, pkalg, alen); diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c ---- openssh-5.2p1/monitor_wrap.c.selinux 2008-07-11 09:36:48.000000000 +0200 -+++ openssh-5.2p1/monitor_wrap.c 2008-07-23 16:32:13.000000000 +0200 -@@ -296,6 +296,23 @@ mm_inform_authserv(char *service, char * +--- openssh-5.2p1/monitor_wrap.c.selinux 2008-11-05 06:20:47.000000000 +0100 ++++ openssh-5.2p1/monitor_wrap.c 2009-08-11 22:43:07.937212340 +0200 +@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char * buffer_free(&m); } +/* Inform the privileged process about role */ + ++#ifdef WITH_SELINUX +void +mm_inform_authrole(char *role) +{ @@ -125,13 +310,27 @@ diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c + + buffer_free(&m); +} ++#endif + /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) +diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h +--- openssh-5.2p1/monitor_wrap.h.selinux 2008-11-05 06:20:47.000000000 +0100 ++++ openssh-5.2p1/monitor_wrap.h 2009-08-11 22:43:07.938268752 +0200 +@@ -41,6 +41,9 @@ int mm_is_monitor(void); + DH *mm_choose_dh(int, int, int); + int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); + void mm_inform_authserv(char *, char *); ++#ifdef WITH_SELINUX ++void mm_inform_authrole(char *); ++#endif + struct passwd *mm_getpwnamallow(const char *); + char *mm_auth2_read_banner(void); + int mm_auth_password(struct Authctxt *, char *); diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd-compat/port-linux.c --- openssh-5.2p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100 -+++ openssh-5.2p1/openbsd-compat/port-linux.c 2008-07-23 16:32:13.000000000 +0200 ++++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-11 22:44:14.529196220 +0200 @@ -30,11 +30,16 @@ #ifdef WITH_SELINUX #include "log.h" @@ -193,169 +392,3 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd if (r != 0) { switch (security_getenforce()) { -diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h ---- openssh-5.2p1/auth.h.selinux 2008-07-02 14:37:30.000000000 +0200 -+++ openssh-5.2p1/auth.h 2008-07-23 16:32:13.000000000 +0200 -@@ -58,6 +58,7 @@ struct Authctxt { - char *service; - struct passwd *pw; /* set if 'valid' */ - char *style; -+ char *role; - void *kbdintctxt; - void *jpake_ctx; - #ifdef BSD_AUTH -diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c ---- openssh-5.2p1/auth2.c.selinux 2008-07-05 01:44:53.000000000 +0200 -+++ openssh-5.2p1/auth2.c 2008-07-23 16:32:13.000000000 +0200 -@@ -209,7 +209,7 @@ input_userauth_request(int type, u_int32 - { - Authctxt *authctxt = ctxt; - Authmethod *m = NULL; -- char *user, *service, *method, *style = NULL; -+ char *user, *service, *method, *style = NULL, *role = NULL; - int authenticated = 0; - - if (authctxt == NULL) -@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32 - debug("userauth-request for user %s service %s method %s", user, service, method); - debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); - -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = 0; -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = 0; - -@@ -246,8 +249,11 @@ input_userauth_request(int type, u_int32 - use_privsep ? " [net]" : ""); - authctxt->service = xstrdup(service); - authctxt->style = style ? xstrdup(style) : NULL; -- if (use_privsep) -+ authctxt->role = role ? xstrdup(role) : NULL; -+ if (use_privsep) { - mm_inform_authserv(service, style); -+ mm_inform_authrole(role); -+ } - userauth_banner(); - } else if (strcmp(user, authctxt->user) != 0 || - strcmp(service, authctxt->service) != 0) { -diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c ---- openssh-5.2p1/monitor.c.selinux 2008-07-11 09:36:48.000000000 +0200 -+++ openssh-5.2p1/monitor.c 2008-07-23 16:36:10.000000000 +0200 -@@ -134,6 +134,7 @@ int mm_answer_sign(int, Buffer *); - int mm_answer_pwnamallow(int, Buffer *); - int mm_answer_auth2_read_banner(int, Buffer *); - int mm_answer_authserv(int, Buffer *); -+int mm_answer_authrole(int, Buffer *); - int mm_answer_authpassword(int, Buffer *); - int mm_answer_bsdauthquery(int, Buffer *); - int mm_answer_bsdauthrespond(int, Buffer *); -@@ -205,6 +206,7 @@ struct mon_table mon_dispatch_proto20[] - {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, - {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, - {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, -+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, - {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, - {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, - #ifdef USE_PAM -@@ -658,6 +660,7 @@ mm_answer_pwnamallow(int sock, Buffer *m - else { - /* Allow service/style information on the auth context */ - monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); -+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); - } - -@@ -703,6 +706,23 @@ mm_answer_authserv(int sock, Buffer *m) - } - - int -+mm_answer_authrole(int sock, Buffer *m) -+{ -+ monitor_permit_authentications(1); -+ -+ authctxt->role = buffer_get_string(m, NULL); -+ debug3("%s: role=%s", -+ __func__, authctxt->role); -+ -+ if (strlen(authctxt->role) == 0) { -+ xfree(authctxt->role); -+ authctxt->role = NULL; -+ } -+ -+ return (0); -+} -+ -+int - mm_answer_authpassword(int sock, Buffer *m) - { - static int call_count; -@@ -1080,7 +1100,7 @@ static int - monitor_valid_userblob(u_char *data, u_int datalen) - { - Buffer b; -- char *p; -+ char *p, *r; - u_int len; - int fail = 0; - -@@ -1106,6 +1126,8 @@ monitor_valid_userblob(u_char *data, u_i - if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) - fail++; - p = buffer_get_string(&b, NULL); -+ if ((r = strchr(p, '/')) != NULL) -+ *r = '\0'; - if (strcmp(authctxt->user, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); -@@ -1137,7 +1159,7 @@ monitor_valid_hostbasedblob(u_char *data - char *chost) - { - Buffer b; -- char *p; -+ char *p, *r; - u_int len; - int fail = 0; - -@@ -1154,6 +1176,8 @@ monitor_valid_hostbasedblob(u_char *data - if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) - fail++; - p = buffer_get_string(&b, NULL); -+ if ((r = strchr(p, '/')) != NULL) -+ *r = '\0'; - if (strcmp(authctxt->user, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); -diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c ---- openssh-5.1p1/auth2-gss.c.gssapi-role 2007-12-02 12:59:45.000000000 +0100 -+++ openssh-5.1p1/auth2-gss.c 2008-07-23 19:18:15.000000000 +0200 -@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple - Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; - int authenticated = 0; -+ char *micuser; - Buffer b; - gss_buffer_desc mic, gssbuf; - u_int len; -@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple - mic.value = packet_get_string(&len); - mic.length = len; - -- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, -+ if (authctxt->role && (strlen(authctxt->role) > 0)) -+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role); -+ else -+ micuser = authctxt->user; -+ ssh_gssapi_buildmic(&b, micuser, authctxt->service, - "gssapi-with-mic"); - - gssbuf.value = buffer_ptr(&b); -@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple - logit("GSSAPI MIC check failed"); - - buffer_free(&b); -+ if (micuser != authctxt->user) -+ xfree(micuser); - xfree(mic.value); - - authctxt->postponed = 0; diff --git a/openssh-5.2p1-sesftp.patch b/openssh-5.2p1-sesftp.patch index 384d07a..3470e8f 100644 --- a/openssh-5.2p1-sesftp.patch +++ b/openssh-5.2p1-sesftp.patch @@ -1,67 +1,64 @@ -diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c ---- openssh-5.2p1/session.c.sesftp 2009-08-09 10:21:11.586827446 +0200 -+++ openssh-5.2p1/session.c 2009-08-09 10:39:30.475622699 +0200 -@@ -58,6 +58,9 @@ - #include - #include - #include -+#ifdef WITH_SELINUX -+#include -+#endif +diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c +--- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp 2009-08-12 00:29:37.712368892 +0200 ++++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-12 00:29:37.732544890 +0200 +@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons + freecon(user_ctx); + debug3("%s: done", __func__); + } ++ ++void ++ssh_selinux_change_context(const char *newname) ++{ ++ int len, newlen; ++ char *oldctx, *newctx, *cx; ++ ++ if (!ssh_selinux_enabled()) ++ return; ++ ++ if (getcon((security_context_t *)&oldctx) < 0) { ++ logit("%s: getcon failed with %s", __func__, strerror (errno)); ++ return; ++ } ++ if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == NULL) { ++ logit ("%s: unparseable context %s", __func__, oldctx); ++ return; ++ } ++ ++ newlen = strlen(oldctx) + strlen(newname) + 1; ++ newctx = xmalloc(newlen); ++ len = cx - oldctx + 1; ++ memcpy(newctx, oldctx, len); ++ strlcpy(newctx + len, newname, newlen - len); ++ if ((cx = index(cx + 1, ':'))) ++ strlcat(newctx, cx, newlen); ++ debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx); ++ if (setcon(newctx) < 0) ++ logit("%s: setcon failed with %s", __func__, strerror (errno)); ++ xfree(oldctx); ++ xfree(newctx); ++} + #endif /* WITH_SELINUX */ +diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h +--- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100 ++++ openssh-5.2p1/openbsd-compat/port-linux.h 2009-08-12 00:29:37.733388083 +0200 +@@ -23,6 +23,7 @@ + int ssh_selinux_enabled(void); + void ssh_selinux_setup_pty(char *, const char *); + void ssh_selinux_setup_exec_context(char *); ++void ssh_selinux_change_context(const char *); + #endif - #include "openbsd-compat/sys-queue.h" - #include "xmalloc.h" -@@ -101,6 +104,9 @@ - c[sizeof(INTERNAL_SFTP_NAME) - 1] == ' ' || \ - c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\t')) - -+#ifdef WITH_SELINUX -+#define SFTPD_T "sftpd_t" -+#endif - /* func */ - - Session *session_new(void); -@@ -1789,6 +1795,10 @@ do_child(Session *s, const char *command - extern int optind, optreset; - int i; - char *p, *args; -+#ifdef WITH_SELINUX -+ int L1, L2; -+ char *c1, *c2, *cx; -+#endif - - setproctitle("%s@internal-sftp-server", s->pw->pw_name); - args = xstrdup(command ? command : "sftp-server"); -@@ -1798,6 +1808,32 @@ do_child(Session *s, const char *command + #endif /* ! _PORT_LINUX_H */ +diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c +--- openssh-5.2p1/session.c.sesftp 2009-08-12 00:29:37.659250161 +0200 ++++ openssh-5.2p1/session.c 2009-08-12 00:29:37.729578695 +0200 +@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command argv[i] = NULL; optind = optreset = 1; __progname = argv[0]; +#ifdef WITH_SELINUX -+ if (getcon ((security_context_t *) &c1) < 0) { -+ logit("do_child: getcon failed with %s", strerror (errno)); -+ } else { -+ L1 = strlen (c1) + sizeof (SFTPD_T); -+ c2 = xmalloc (L1); -+ if (!(cx = index (c1, ':'))) -+ goto badcontext; -+ if (!(cx = index (cx + 1, ':'))) { -+badcontext: -+ logit ("do_child: unparseable context %s", c1); -+ } else { -+ L2 = cx - c1 + 1; -+ memcpy (c2, c1, L2); -+ strlcpy (c2 + L2, SFTPD_T, L1); -+ if ((cx = index (cx + 1, ':'))) -+ strlcat (c2, cx, L1); -+ if (setcon (c2) < 0) -+ logit("do_child: setcon failed with %s", strerror (errno)); -+ -+ } -+ xfree (c1); -+ xfree (c2); -+ } ++ ssh_selinux_change_context("sftpd_t"); +#endif -+ exit(sftp_server_main(i, argv, s->pw)); } diff --git a/openssh.spec b/openssh.spec index 44ec403..3f6258c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -468,7 +468,7 @@ fi %endif %changelog -* Mon Auc 31 2009 Jan F. Chadima - 5.2p1-21 +* Mon Aug 31 2009 Jan F. Chadima - 5.2p1-21 - rearange selinux patch to be acceptable for upstream - replace seftp patch by an upstream version