[openssh] fix privsep patch
plautrba
plautrba at fedoraproject.org
Mon Dec 3 09:42:20 UTC 2012
commit f578f0ac161e53dddbb66360796de163d05dfeff
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Mon Dec 3 10:25:26 2012 +0100
fix privsep patch
The selinux-policy removed the rules that allowed SELinux users to call setuid(),
so we can't call setcon() before setuid()
openssh-6.1p1-privsep-selinux.patch | 34 +++++++++++++++++++++++-----------
1 files changed, 23 insertions(+), 11 deletions(-)
---
diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch
index 136e9d3..a2912f5 100644
--- a/openssh-6.1p1-privsep-selinux.patch
+++ b/openssh-6.1p1-privsep-selinux.patch
@@ -39,20 +39,32 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1
#endif
diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
---- openssh-6.1p1/session.c.privsep-selinux 2012-11-05 14:46:39.314809081 +0100
-+++ openssh-6.1p1/session.c 2012-11-05 14:46:39.340809241 +0100
-@@ -1513,6 +1513,10 @@ do_setusercontext(struct passwd *pw)
-
- platform_setusercontext_post_groups(pw);
-
+--- openssh-6.1p1/session.c.privsep-selinux 2012-12-03 09:43:11.727505761 +0100
++++ openssh-6.1p1/session.c 2012-12-03 09:54:50.455688902 +0100
+@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
+ pw->pw_uid);
+ chroot_path = percent_expand(tmp, "h", pw->pw_dir,
+ "u", pw->pw_name, (char *)NULL);
++#ifdef WITH_SELINUX
++ ssh_selinux_copy_context();
++#endif
+ safely_chroot(chroot_path, pw->pw_uid);
+ free(tmp);
+ free(chroot_path);
+@@ -1533,6 +1536,12 @@ do_setusercontext(struct passwd *pw)
+ /* Permanently switch to the desired uid. */
+ permanently_set_uid(pw);
+ #endif
+
+#ifdef WITH_SELINUX
-+ ssh_selinux_copy_context();
++ if (options.chroot_directory == NULL ||
++ strcasecmp(options.chroot_directory, "none") == 0)
++ ssh_selinux_copy_context();
+#endif
- if (options.chroot_directory != NULL &&
- strcasecmp(options.chroot_directory, "none") != 0) {
- tmp = tilde_expand_filename(options.chroot_directory,
-@@ -1787,9 +1791,6 @@ do_child(Session *s, const char *command
+ }
+
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+@@ -1787,9 +1796,6 @@ do_child(Session *s, const char *command
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
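Review bot: In the chroot branch (the `+@@ -1519` hunk) `ssh_selinux_copy_context()` is now called before `safely_chroot()`, which is still before `permanently_set_uid(pw)` in the following hunk, so the setcon()-after-setuid() ordering the commit message gives as the reason for the change holds only on the non-chroot path. Whether a chrooted SELinux user can still log in then depends on how ssh_selinux_copy_context() treats a setcon() failure, which is not visible here; a one-line comment at that call site saying why the copy has to precede the chroot (and what is expected to happen if setcon() is denied) would record the trade-off for the next maintainer. In the second hunk, `options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0` is the exact negation of the test that opens the chroot block earlier in do_setusercontext; computing it once, e.g. `int chrooting = options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0;`, and using it in both places would keep the two paths from drifting apart. do_setusercontext begins and ends outside the hunk.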