[openssh] fix privsep patch

plautrba plautrba at fedoraproject.org
Mon Dec 3 09:42:20 UTC 2012


commit f578f0ac161e53dddbb66360796de163d05dfeff
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Mon Dec 3 10:25:26 2012 +0100

    fix privsep patch
    
    the selinux-policy removed the rules that allowed SELinux users to call setuid(),
    so we can't do setcon() before setuid()

 openssh-6.1p1-privsep-selinux.patch |   34 +++++++++++++++++++++++-----------
 1 files changed, 23 insertions(+), 11 deletions(-)
---
diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch
index 136e9d3..a2912f5 100644
--- a/openssh-6.1p1-privsep-selinux.patch
+++ b/openssh-6.1p1-privsep-selinux.patch
@@ -39,20 +39,32 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1
  #endif
  
 diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
---- openssh-6.1p1/session.c.privsep-selinux	2012-11-05 14:46:39.314809081 +0100
-+++ openssh-6.1p1/session.c	2012-11-05 14:46:39.340809241 +0100
-@@ -1513,6 +1513,10 @@ do_setusercontext(struct passwd *pw)
- 
- 		platform_setusercontext_post_groups(pw);
- 
+--- openssh-6.1p1/session.c.privsep-selinux	2012-12-03 09:43:11.727505761 +0100
++++ openssh-6.1p1/session.c	2012-12-03 09:54:50.455688902 +0100
+@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
+ 			    pw->pw_uid);
+ 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
+ 			    "u", pw->pw_name, (char *)NULL);
++#ifdef WITH_SELINUX
++			ssh_selinux_copy_context();
++#endif
+ 			safely_chroot(chroot_path, pw->pw_uid);
+ 			free(tmp);
+ 			free(chroot_path);
+@@ -1533,6 +1536,12 @@ do_setusercontext(struct passwd *pw)
+ 		/* Permanently switch to the desired uid. */
+ 		permanently_set_uid(pw);
+ #endif
 +
 +#ifdef WITH_SELINUX
-+		ssh_selinux_copy_context();
++		if (options.chroot_directory == NULL ||
++		    strcasecmp(options.chroot_directory, "none") == 0)
++			ssh_selinux_copy_context();
 +#endif
- 		if (options.chroot_directory != NULL &&
- 		    strcasecmp(options.chroot_directory, "none") != 0) {
-                         tmp = tilde_expand_filename(options.chroot_directory,
-@@ -1787,9 +1791,6 @@ do_child(Session *s, const char *command
+ 	}
+ 
+ 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+@@ -1787,9 +1796,6 @@ do_child(Session *s, const char *command
  		argv[i] = NULL;
  		optind = optreset = 1;
  		__progname = argv[0];
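Review bot: The added `if (options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0)` test is the exact negation of the chroot test a few lines above it in do_setusercontext(), and the two are now maintained independently, so a later edit to either one silently leaves a session with no context copy or with two; a comment such as `/* Keep in sync with the chroot test above: in the chroot case the context was already copied before safely_chroot(). */` above the new `#ifdef WITH_SELINUX` block would tie them together. In the chroot branch the copy still happens before `permanently_set_uid(pw)`, so if the policy no longer allows setuid() after setcon(), as the commit message says, chrooted sessions presumably still hit that denial; the reason the order must differ there (the copy presumably needs /proc, which is not available inside the chroot) is worth stating in a comment next to the first `ssh_selinux_copy_context()` call, and the policy side for that path should be confirmed. The nine-line shift in the following `do_child` hunk header matches the two inserted blocks, so the embedded patch offsets look consistent. do_setusercontext() begins and ends outside this hunk.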

