Please review openssh patch for selinux
Nigel Kukard
nkukard at lbsd.net
Wed Sep 8 02:28:24 EST 2004
As posted, here is an updated patch which allows openssh to be built
with non-selinux config.
(Hi openssh guys, forwarding this to you incase you interested including
it into the devel version of openssh. Please let us know if you have any
suggestions or changes that need to be made)
Regards
Nigel Kukard
On Thu, Sep 02, 2004 at 04:11:54PM -0400, Daniel J Walsh wrote:
> New SSH patch.
>
> Provides the capability of doing
>
> ssh hostname -l root/sysadm_r
>
> suggested by Collin.
>
> I used the / instead of : to preserve the BSD syntax.
>
> Comments?
>
>
> Dan
>
-------------- next part --------------
Author: Daniel J Walsh <dwalsh at redhat.com>
Date: 02/09/2004
Source: selinux at tycho.nsa.gov mailing list
ChangeLog:
07/09/2004 - Nigel Kukard <nkukard at lbsd.net>
o Fixed patch to work with non-selinux configuration
Changes:
Makefile.in | 2
auth.h | 3 +
auth1.c | 11 +++++
auth2.c | 17 +++++++
config.h.in | 3 +
configure.ac | 13 ++++++
contrib/redhat/sshd.init | 9 ++++
monitor.c | 29 +++++++++++++
monitor.h | 2
monitor_wrap.c | 18 ++++++++
monitor_wrap.h | 3 +
selinux.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++
selinux.h | 10 ++++
session.c | 8 +++
sshpty.c | 8 +++
15 files changed, 234 insertions(+), 3 deletions(-)
diff -u --new-file --recursive openssh-3.9p1_vanilla/Makefile.in openssh-3.9p1_selinux/Makefile.in
--- openssh-3.9p1_vanilla/Makefile.in 2004-08-15 13:01:37.000000000 +0200
+++ openssh-3.9p1_selinux/Makefile.in 2004-09-07 17:41:15.000000000 +0200
@@ -76,7 +76,7 @@
sshconnect.o sshconnect1.o sshconnect2.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
- sshpty.o sshlogin.o servconf.o serverloop.o \
+ sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
diff -u --new-file --recursive openssh-3.9p1_vanilla/auth.h openssh-3.9p1_selinux/auth.h
--- openssh-3.9p1_vanilla/auth.h 2004-05-24 02:36:23.000000000 +0200
+++ openssh-3.9p1_selinux/auth.h 2004-09-07 18:03:09.000000000 +0200
@@ -57,6 +57,9 @@
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
#ifdef BSD_AUTH
auth_session_t *as;
diff -u --new-file --recursive openssh-3.9p1_vanilla/auth1.c openssh-3.9p1_selinux/auth1.c
--- openssh-3.9p1_vanilla/auth1.c 2004-08-12 14:40:25.000000000 +0200
+++ openssh-3.9p1_selinux/auth1.c 2004-09-07 18:04:03.000000000 +0200
@@ -284,6 +284,9 @@
{
u_int ulen;
char *user, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role=NULL;
+#endif
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -292,11 +295,19 @@
user = packet_get_string(&ulen);
packet_check_eom();
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
authctxt->user = user;
authctxt->style = style;
+#ifdef WITH_SELINUX
+ authctxt->role = role;
+#endif
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -u --new-file --recursive openssh-3.9p1_vanilla/auth2.c openssh-3.9p1_selinux/auth2.c
--- openssh-3.9p1_vanilla/auth2.c 2004-08-12 14:40:25.000000000 +0200
+++ openssh-3.9p1_selinux/auth2.c 2004-09-07 18:06:25.000000000 +0200
@@ -133,6 +133,9 @@
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
int authenticated = 0;
if (authctxt == NULL)
@@ -144,6 +147,11 @@
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -170,8 +178,15 @@
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+ if (use_privsep) {
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
+ }
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of username or service not allowed: "
diff -u --new-file --recursive openssh-3.9p1_vanilla/config.h.in openssh-3.9p1_selinux/config.h.in
--- openssh-3.9p1_vanilla/config.h.in 2004-08-17 14:54:51.000000000 +0200
+++ openssh-3.9p1_selinux/config.h.in 2004-09-07 17:41:15.000000000 +0200
@@ -265,6 +265,9 @@
/* Define if you want Kerberos 5 support */
#undef KRB5
+/* Define if have want SELinux support */
+#undef WITH_SELINUX
+
/* Define this if you are using the Heimdal version of Kerberos V5 */
#undef HEIMDAL
diff -u --new-file --recursive openssh-3.9p1_vanilla/configure.ac openssh-3.9p1_selinux/configure.ac
--- openssh-3.9p1_vanilla/configure.ac 2004-08-16 15:12:06.000000000 +0200
+++ openssh-3.9p1_selinux/configure.ac 2004-09-07 17:41:15.000000000 +0200
@@ -2218,6 +2218,18 @@
[#include <arpa/nameser.h>])
])
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+AC_ARG_WITH(selinux,
+ [ --with-selinux Enable SELinux support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(WITH_SELINUX)
+ SELINUX_MSG="yes"
+ AC_CHECK_HEADERS(selinux.h)
+ LIBS="$LIBS -lselinux"
+ fi
+ ])
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
@@ -2973,6 +2985,7 @@
echo " Manpage format: $MANTYPE"
echo " PAM support: $PAM_MSG"
echo " KerberosV support: $KRB5_MSG"
+echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
diff -u --new-file --recursive openssh-3.9p1_vanilla/contrib/redhat/sshd.init openssh-3.9p1_selinux/contrib/redhat/sshd.init
--- openssh-3.9p1_vanilla/contrib/redhat/sshd.init 2002-05-10 04:19:23.000000000 +0200
+++ openssh-3.9p1_selinux/contrib/redhat/sshd.init 2004-09-07 17:41:15.000000000 +0200
@@ -35,6 +35,9 @@
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $RSA1_KEY.pub
+ fi
success $"RSA1 key generation"
echo
else
@@ -51,6 +54,9 @@
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $RSA_KEY.pub
+ fi
success $"RSA key generation"
echo
else
@@ -67,6 +73,9 @@
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $DSA_KEY.pub
+ fi
success $"DSA key generation"
echo
else
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor.c openssh-3.9p1_selinux/monitor.c
--- openssh-3.9p1_vanilla/monitor.c 2004-07-17 09:05:14.000000000 +0200
+++ openssh-3.9p1_selinux/monitor.c 2004-09-07 18:01:38.000000000 +0200
@@ -127,6 +127,10 @@
int mm_answer_sesskey(int, Buffer *);
int mm_answer_sessid(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
+
#ifdef USE_PAM
int mm_answer_pam_start(int, Buffer *);
int mm_answer_pam_account(int, Buffer *);
@@ -178,6 +182,9 @@
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+#ifdef WITH_SELINUX
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
@@ -602,6 +609,9 @@
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -646,6 +656,25 @@
return (0);
}
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: style=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+#endif
+
int
mm_answer_authpassword(int sock, Buffer *m)
{
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor.h openssh-3.9p1_selinux/monitor.h
--- openssh-3.9p1_vanilla/monitor.h 2003-11-17 13:18:22.000000000 +0200
+++ openssh-3.9p1_selinux/monitor.h 2004-09-07 18:08:22.000000000 +0200
@@ -30,7 +30,7 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor_wrap.c openssh-3.9p1_selinux/monitor_wrap.c
--- openssh-3.9p1_vanilla/monitor_wrap.c 2004-07-17 09:05:14.000000000 +0200
+++ openssh-3.9p1_selinux/monitor_wrap.c 2004-09-07 18:14:58.000000000 +0200
@@ -274,6 +274,24 @@
buffer_free(&m);
}
+/* Inform the privileged process about role */
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+#endif
+
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor_wrap.h openssh-3.9p1_selinux/monitor_wrap.h
--- openssh-3.9p1_vanilla/monitor_wrap.h 2004-06-22 04:56:02.000000000 +0200
+++ openssh-3.9p1_selinux/monitor_wrap.h 2004-09-07 18:13:13.000000000 +0200
@@ -44,6 +44,9 @@
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -u --new-file --recursive openssh-3.9p1_vanilla/selinux.c openssh-3.9p1_selinux/selinux.c
--- openssh-3.9p1_vanilla/selinux.c 1970-01-01 02:00:00.000000000 +0200
+++ openssh-3.9p1_selinux/selinux.c 2004-09-07 17:41:15.000000000 +0200
@@ -0,0 +1,101 @@
+#include "includes.h"
+#include "auth.h"
+#include "log.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+extern Authctxt *the_authctxt;
+
+static const security_context_t selinux_get_user_context(const char *name) {
+ security_context_t user_context=NULL;
+ if (get_default_context(name,NULL,&user_context)) {
+ if (security_getenforce() > 0)
+ fatal("Failed to get default security context for %s.", name);
+ else
+ error("Failed to get default security context for %s. Continuing in permissve mode", name);
+ } else {
+ if (the_authctxt) {
+ char *role=the_authctxt->role;
+ if (role != NULL && role[0]) {
+ char *type;
+ if (get_default_type(role, &type) < 0) {
+ if (security_getenforce() > 0)
+ fatal("Failed to get default type for role %s, user %s.", role, name);
+ else
+ error("Failed to get default type for role %s, user %s. Continuing in permissive mode", role, name);
+ } else {
+ context_t newcon=context_new(user_context);
+ if (context_role_set(newcon, role) != 0) {
+ context_free(newcon);
+ if (security_getenforce() > 0)
+ fatal("Failed to set role %s for %s.", role, name);
+ else
+ error("Failed to set role %s for %s. Continuing in permissive mode", role, name);
+ } else if (context_type_set(newcon, type) != 0) {
+ context_free(newcon);
+ if (security_getenforce() > 0)
+ fatal("Failed to set type %s for %s.", role, name);
+ else
+ error("Failed to set type %s for %s. Continuing in permissive mode", role, name);
+ } else {
+ freecon(user_context);
+ user_context = strdup(context_str(newcon));
+ context_free(newcon);
+ }
+ }
+ }
+ }
+ }
+ return user_context;
+}
+
+void setup_selinux_pty(const char *name, const char *tty) {
+ if (is_selinux_enabled() > 0) {
+ security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
+
+ user_context=selinux_get_user_context(name);
+
+ if (getfilecon(tty, &old_tty_context) < 0) {
+ error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
+ } else {
+ if (security_compute_relabel(user_context,old_tty_context,
+ SECCLASS_CHR_FILE,
+ &new_tty_context) != 0) {
+ error("security_compute_relabel(%.100s) failed: %.100s", tty,
+ strerror(errno));
+ } else {
+ if (setfilecon (tty, new_tty_context) != 0)
+ error("setfilecon(%.100s, %s) failed: %.100s",
+ tty, new_tty_context,
+ strerror(errno));
+ freecon(new_tty_context);
+ }
+ freecon(old_tty_context);
+ }
+ if (user_context) {
+ freecon(user_context);
+ }
+ }
+}
+
+void setup_selinux_exec_context(char *name) {
+
+ if (is_selinux_enabled() > 0) {
+ security_context_t user_context=selinux_get_user_context(name);
+ if (setexeccon(user_context)) {
+ if (security_getenforce() > 0)
+ fatal("Failed to set exec security context %s for %s.", user_context, name);
+ else
+ error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name);
+ }
+ if (user_context) {
+ freecon(user_context);
+ }
+ }
+}
+
+#endif /* WITH_SELINUX */
diff -u --new-file --recursive openssh-3.9p1_vanilla/selinux.h openssh-3.9p1_selinux/selinux.h
--- openssh-3.9p1_vanilla/selinux.h 1970-01-01 02:00:00.000000000 +0200
+++ openssh-3.9p1_selinux/selinux.h 2004-09-07 17:41:16.000000000 +0200
@@ -0,0 +1,10 @@
+#ifndef __SELINUX_H_
+#define __SELINUX_H_
+#ifdef WITH_SELINUX
+extern void setup_selinux_pty(const char *name, const char *tty);
+extern void setup_selinux_exec_context(const char *name);
+#else
+inline void setup_selinux_pty(const char *name, const char *tty) {}
+inline void setup_selinux_exec_context(const char *name) {}
+#endif /* WITH_SELINUX */
+#endif /* __SELINUX_H_ */
diff -u --new-file --recursive openssh-3.9p1_vanilla/session.c openssh-3.9p1_selinux/session.c
--- openssh-3.9p1_vanilla/session.c 2004-08-12 14:40:25.000000000 +0200
+++ openssh-3.9p1_selinux/session.c 2004-09-07 17:41:56.000000000 +0200
@@ -58,6 +58,10 @@
#include "session.h"
#include "monitor_wrap.h"
+#ifdef WITH_SELINUX
+#include "selinux.h"
+#endif
+
#if defined(KRB5) && defined(USE_AFS)
#include <kafs.h>
#endif
@@ -1304,6 +1308,10 @@
#endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+
+#ifdef WITH_SELINUX
+ setup_selinux_exec_context(pw->pw_name);
+#endif
}
static void
diff -u --new-file --recursive openssh-3.9p1_vanilla/sshpty.c openssh-3.9p1_selinux/sshpty.c
--- openssh-3.9p1_vanilla/sshpty.c 2004-06-22 04:56:02.000000000 +0200
+++ openssh-3.9p1_selinux/sshpty.c 2004-09-07 17:42:39.000000000 +0200
@@ -22,6 +22,10 @@
#include "log.h"
#include "misc.h"
+#ifdef WITH_SELINUX
+#include "selinux.h"
+#endif
+
#ifdef HAVE_PTY_H
# include <pty.h>
#endif
@@ -200,6 +204,10 @@
fatal("stat(%.100s) failed: %.100s", tty,
strerror(errno));
+#ifdef WITH_SELINUX
+ setup_selinux_pty(pw->pw_name, tty);
+#endif
+
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
if (chown(tty, pw->pw_uid, gid) < 0) {
if (errno == EROFS &&
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040907/0c2e1d93/attachment.bin
More information about the openssh-unix-dev
mailing list