ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)

Darren Tucker dtucker at zip.com.au
Sat Mar 22 12:38:22 EST 2008


On Fri, Mar 21, 2008 at 05:16:56PM +0100, Alexandre Rossi wrote:
> If compiled with SELinux support, OpenSSH 4.8 current cvs fails for
> accounts where the new ChrootDirectory option is active:
[...]
> I do not use SELinux nor know how it works but my guess would be that
> the ssh_selinux_setup_exec_context() call at line 1442 of ./session.c
> fails because it expects to find some /dev or /proc SELinux interface.
> But the call to chroot() is before that, so the call fails.
> 
> As most distros ship openssh with SELinux support compiled in, this
> makes ChrootDirectory unusable without a recompile or special SELinux
> setup in the chroot even if one does not use it.
> 
> I have no clue on a fix because it does not seem possible to chroot
> AFTER executing the SELinux context.

This should at least allow it to work when selinux support is compiled
in but selinux is disabled.  I have no idea if it's possible to make
it work with selinux enabled.

Index: session.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/session.c,v
retrieving revision 1.364
diff -u -p -r1.364 session.c
--- session.c	15 Mar 2008 06:27:58 -0000	1.364
+++ session.c	22 Mar 2008 01:23:48 -0000
@@ -1350,6 +1350,10 @@ do_setusercontext(struct passwd *pw)
 #endif /* HAVE_CYGWIN */
 	{
 
+#ifdef WITH_SELINUX
+	/* Cache selinux status for later use */
+	(void)ssh_selinux_enabled();
+#endif
 #ifdef HAVE_SETPCRED
 		if (setpcred(pw->pw_name, (char **)NULL) == -1)
 			fatal("Failed to set process credentials");
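Review bot: the new block is indented one tab where the neighbouring statements inside the same brace use two (compare `if (setpcred(pw->pw_name, (char **)NULL) == -1)`), and the comment should state the constraint that motivates the call rather than just "for later use": per the report, is_selinux_enabled() needs the real root's /proc or /dev, so ssh_selinux_enabled() has to run before do_setusercontext() reaches chroot(), and only its cached `static int enabled` is usable afterwards. Something like `/* Probe and cache selinux status now; calls after chroot() get the cached value */` would make the ordering requirement obvious to the next person who moves code around in this function. It is also worth confirming that no code path in do_setusercontext() can reach chroot() before this point, since the chroot call is outside the hunk.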
Index: openbsd-compat/port-linux.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/openbsd-compat/port-linux.c,v
retrieving revision 1.4
diff -u -p -r1.4 port-linux.c
--- openbsd-compat/port-linux.c	27 Jun 2007 22:48:03 -0000	1.4
+++ openbsd-compat/port-linux.c	22 Mar 2008 01:24:06 -0000
@@ -36,7 +36,7 @@
 #include <selinux/get_context_list.h>
 
 /* Wrapper around is_selinux_enabled() to log its return value once only */
-static int
+int
 ssh_selinux_enabled(void)
 {
 	static int enabled = -1;
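Review bot: the function comment is now incomplete. With the symbol exported and called from session.c before chroot(), this wrapper is no longer just a log-once helper; it is the cache that ssh_selinux_setup_exec_context() relies on inside the chroot, and the single log line will now be emitted at the early session.c call rather than at the first setup call. Suggest updating the comment to `/* Wrapper around is_selinux_enabled() that caches and logs the result once; must be called before chroot() */` so the contract is documented at the definition.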
Index: openbsd-compat/port-linux.h
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/openbsd-compat/port-linux.h,v
retrieving revision 1.1
diff -u -p -r1.1 port-linux.h
--- openbsd-compat/port-linux.h	22 Apr 2006 11:26:08 -0000	1.1
+++ openbsd-compat/port-linux.h	22 Mar 2008 01:28:06 -0000
@@ -20,6 +20,7 @@
 #define _PORT_LINUX_H
 
 #ifdef WITH_SELINUX
+int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
 #endif
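Review bot: the prototype matches the definition, but the header is the place to record the calling constraint, otherwise a future caller that only invokes the two setup functions after chroot() reproduces the original failure. A one-line comment above the declaration, e.g. `/* Call once before chroot(); later calls return the cached result */`, would do, and keeps the `#ifdef WITH_SELINUX` guard consistent with the call site in session.c.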

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
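The failure described above is an ordering problem: a probe that reads a file outside the chroot is evaluated after chroot() has hidden that file. The following is an added C example, not OpenSSH or libselinux code, that reproduces the effect with a constructed stand-in for the SELinux interface node (a temporary file) and shows why caching the result before the environment is restricted fixes it. Removing the file stands in for chroot() making /proc or /dev unreachable; `probe_node`, `selinux_status_uncached`, `selinux_status_cached` and `demo` are hypothetical names chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructed stand-in for the check libselinux performs: is the
 * interface node readable? Hypothetical helper, not libselinux. */
static int probe_node(const char *path)
{
    return access(path, R_OK) == 0 ? 1 : 0;
}

/* Uncached variant: re-probes on every call. Once the node has been
 * hidden (here: unlinked; in sshd: chroot()), it reports "disabled"
 * and any code that then insists on setting a context fails. */
int selinux_status_uncached(const char *path)
{
    return probe_node(path);
}

/* Cached variant, mirroring the static-cache idea in ssh_selinux_enabled():
 * the probe runs exactly once and later calls return the remembered value,
 * so it keeps answering correctly after the node becomes unreachable. */
int selinux_status_cached(const char *path)
{
    static int enabled = -1;

    if (enabled == -1) {
        enabled = probe_node(path);
        fprintf(stderr, "selinux status probed once: %d\n", enabled);
    }
    return enabled;
}

/* Run both variants before and after the node disappears.
 * Returns 0 on success and fills in the two post-removal answers. */
int demo(int *uncached_after, int *cached_after)
{
    char path[] = "/tmp/selinux-probe-XXXXXX";   /* constructed node */
    int fd = mkstemp(path);
    int before_u, before_c;

    if (fd == -1)
        return -1;
    close(fd);

    /* Phase 1: node visible, like sshd before chroot(). */
    before_u = selinux_status_uncached(path);
    before_c = selinux_status_cached(path);

    /* Phase 2: node gone, like sshd after chroot(). */
    unlink(path);
    *uncached_after = selinux_status_uncached(path);
    *cached_after = selinux_status_cached(path);

    return (before_u == 1 && before_c == 1) ? 0 : -1;
}

int main(void)
{
    int u = -1, c = -1;

    if (demo(&u, &c) != 0) {
        fprintf(stderr, "demo setup failed\n");
        return 1;
    }
    printf("after restriction: uncached=%d cached=%d\n", u, c);
    return 0;
}
```

The uncached probe flips to 0 once the node is hidden, which is the state the reporter hit inside ChrootDirectory; the cached probe still answers 1 because it was evaluated while the node was reachable. The same reasoning is why the patch calls ssh_selinux_enabled() early in do_setusercontext() and why the probe must stay ahead of chroot() if that function is ever reordered.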
