ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)

Alexandre Rossi alexandre.rossi at gmail.com
Sat Mar 22 03:16:56 EST 2008


Hi,

(please CC me as I'm not subscribed to the list)

If compiled with SELinux support, OpenSSH 4.8 current cvs fails for
accounts where the new ChrootDirectory option is active:

debug1: PAM: establishing credentials
debug3: PAM: opening session
debug2: User child is on pid 1695
debug3: mm_request_receive entering
debug1: PAM: establishing credentials
debug3: safely_chroot: checking '/'
debug3: safely_chroot: checking '/home/'
debug3: safely_chroot: checking '/home/user'
Changed root directory to "/home/user"
debug1: permanently_set_uid: 1002/1005
debug1: SELinux support enabled
debug3: ssh_selinux_setup_exec_context: setting execution context
ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session
debug3: PAM: sshpam_thread_cleanup entering

I do not use SELinux nor know how it works but my guess would be that
the ssh_selinux_setup_exec_context() call at line 1442 of ./session.c
fails because it expects to find some /dev or /proc SELinux interface.
But the call to chroot() is before that, so the call fails.

As most distros ship openssh with SELinux support compiled in, this
makes ChrootDirectory unusable without a recompile or special SELinux
setup in the chroot even if one does not use it.

I have no clue on a fix because it does not seem possible to chroot
AFTER executing the SELinux context.

Cheers,

Alexandre
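The failure sequence above (chroot succeeds, then the SELinux exec-context setup aborts the session) is easy to spot in `sshd -ddd` output once you correlate the lines. The following is an added example, not code from the post or from OpenSSH: a small log checker that flags sessions where `security_getenforce()` failed after a `ChrootDirectory` change. The sample log is a constructed excerpt modelled on the one in the post.

```python
import re

# Constructed sample: the relevant lines from an sshd -ddd session,
# modelled on the output quoted in the post.
SAMPLE_LOG = """\
debug3: safely_chroot: checking '/home/user'
Changed root directory to "/home/user"
debug1: permanently_set_uid: 1002/1005
debug1: SELinux support enabled
debug3: ssh_selinux_setup_exec_context: setting execution context
ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
debug1: do_cleanup
"""

# Constructed control sample: same error, but no chroot happened first,
# so it is not the failure mode described in the post.
NO_CHROOT_LOG = """\
debug1: SELinux support enabled
ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
"""

CHROOT_RE = re.compile(r'^Changed root directory to "(?P<path>[^"]+)"')
SELINUX_RE = re.compile(r"^debug1: SELinux support enabled")
GETENFORCE_RE = re.compile(r"security_getenforce\(\) failed")


def find_chroot_selinux_failures(log_text):
    """Return a list of (chroot_path, line_no) for every session in which
    sshd entered a ChrootDirectory and the SELinux context lookup then
    failed with security_getenforce(); sessions without a chroot are ignored."""
    failures = []
    chroot_path = None       # set once "Changed root directory" is seen
    selinux_enabled = False  # set once sshd reports SELinux support
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = CHROOT_RE.match(line)
        if m:
            chroot_path, selinux_enabled = m.group("path"), False
            continue
        if chroot_path is not None and SELINUX_RE.match(line):
            selinux_enabled = True
            continue
        if chroot_path is not None and selinux_enabled and GETENFORCE_RE.search(line):
            failures.append((chroot_path, line_no))
            chroot_path, selinux_enabled = None, False  # session is over
    return failures
```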

