RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2025-04-08 02:21:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

- (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux

Browse Source 
is enabled set the security context to "sftpd_t" before running the
   internal sftp server   Based on a patch from jchadima at redhat.
This commit is contained in:
Darren Tucker 2009-10-24 15:04:12 +11:00
parent 6ac91a7c83
commit 4d6656b103
4 changed files with 44 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -28,6 +28,9 @@
[ssh-keygen.1] [ssh-keygen.1]
ssh-keygen now uses AES-128 for private keys ssh-keygen now uses AES-128 for private keys
- (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro. - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
- (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
is enabled set the security context to "sftpd_t" before running the
internal sftp server Based on a patch from jchadima at redhat.
20091011 20091011
- (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for

37
openbsd-compat/port-linux.c
View File

@ -1,4 +1,4 @@
/* $Id: port-linux.c,v 1.5 2008/03/26 20:27:21 dtucker Exp $ */ /* $Id: port-linux.c,v 1.6 2009/10/24 04:04:13 dtucker Exp $ */
/* /*
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -29,6 +29,7 @@
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
#include "log.h" #include "log.h"
#include "xmalloc.h"
#include "port-linux.h" #include "port-linux.h"
#include <selinux/selinux.h> #include <selinux/selinux.h>
@ -168,4 +169,38 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
freecon(user_ctx); freecon(user_ctx);
debug3("%s: done", __func__); debug3("%s: done", __func__);
} }
void
ssh_selinux_change_context(const char *newname)
{
int len, newlen;
char *oldctx, *newctx, *cx;
if (!ssh_selinux_enabled())
return;
if (getcon((security_context_t *)&oldctx) < 0) {
logit("%s: getcon failed with %s", __func__, strerror (errno));
return;
}
if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
NULL) {
logit ("%s: unparseable context %s", __func__, oldctx);
return;
}
newlen = strlen(oldctx) + strlen(newname) + 1;
newctx = xmalloc(newlen);
len = cx - oldctx + 1;
memcpy(newctx, oldctx, len);
strlcpy(newctx + len, newname, newlen - len);
if ((cx = index(cx + 1, ':')))
strlcat(newctx, cx, newlen);
debug3("%s: setting context from '%s' to '%s'", __func__, oldctx,
newctx);
if (setcon(newctx) < 0)
logit("%s: setcon failed with %s", __func__, strerror (errno));
xfree(oldctx);
xfree(newctx);
}
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */

3
openbsd-compat/port-linux.h
View File

@ -1,4 +1,4 @@
/* $Id: port-linux.h,v 1.2 2008/03/26 20:27:21 dtucker Exp $ */ /* $Id: port-linux.h,v 1.3 2009/10/24 04:04:13 dtucker Exp $ */
/* /*
* Copyright (c) 2006 Damien Miller <djm@openbsd.org> * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
@ -23,6 +23,7 @@
int ssh_selinux_enabled(void); int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *); void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *); void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
#endif #endif
#endif /* ! _PORT_LINUX_H */ #endif /* ! _PORT_LINUX_H */

3
session.c
View File

@ -1796,6 +1796,9 @@ do_child(Session *s, const char *command)
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
#ifdef WITH_SELINUX
ssh_selinux_change_context("sftpd_t");
#endif
exit(sftp_server_main(i, argv, s->pw)); exit(sftp_server_main(i, argv, s->pw));
} }