vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Source Code
GIT

Blame openssh-7.2p2-chroot-capabilities.patch

c10s-sig-hyperscale c10s-sig-hyperscale-2 c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   f499c489fd2d03a2fea7d9786223addbe21bc99f
  2.   openssh-7.2p2-chroot-capabilities.patch
Blob History Raw
Jakub Jelen b4df5e 
diff --git a/configure.ac b/configure.ac
Jakub Jelen b4df5e 
index aeef42a..d01e67e 100644
Jakub Jelen b4df5e 
--- a/configure.ac
Jakub Jelen b4df5e 
+++ b/configure.ac
Jakub Jelen b4df5e 
@@ -4998,6 +4998,37 @@ if test -n "$conf_lastlog_location"; then
Jakub Jelen b4df5e 
 		[Define if you want to specify the path to your lastlog file])
Jakub Jelen b4df5e 
 fi
Jakub Jelen b4df5e
Jakub Jelen b4df5e 
+AC_ARG_WITH(libcap-ng,
Jakub Jelen b4df5e 
+	[  --with-libcap-ng=[auto/yes/no]  Add Libcap-ng support [default=auto]],,
Jakub Jelen b4df5e 
+	with_libcap_ng=auto)
Jakub Jelen b4df5e 
+
Jakub Jelen b4df5e 
+dnl libcap-ng detection
Jakub Jelen b4df5e 
+if test x$with_libcap_ng = xno ; then
Jakub Jelen b4df5e 
+	have_libcap_ng=no;
Jakub Jelen b4df5e 
+else
Jakub Jelen b4df5e 
+	# Start by checking for header file
Jakub Jelen b4df5e 
+	AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
Jakub Jelen b4df5e 
+
Jakub Jelen b4df5e 
+	# See if we have libcap-ng library
Jakub Jelen b4df5e 
+	AC_CHECK_LIB(cap-ng, capng_clear, CAPNG_LDADD=-lcap-ng,)
Jakub Jelen b4df5e 
+
Jakub Jelen b4df5e 
+	# Check results are usable
Jakub Jelen b4df5e 
+	if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
Jakub Jelen b4df5e 
+	AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
Jakub Jelen b4df5e 
+	fi
Jakub Jelen b4df5e 
+	if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
Jakub Jelen b4df5e 
+	AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
Jakub Jelen b4df5e 
+	fi
Jakub Jelen b4df5e 
+fi
Jakub Jelen b4df5e 
+AC_MSG_CHECKING(whether to use libcap-ng)
Jakub Jelen b4df5e 
+if test x$CAPNG_LDADD != x ; then
Jakub Jelen b4df5e 
+	AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
Jakub Jelen b4df5e 
+	SSHDLIBS="$SSHDLIBS -lcap-ng"
Jakub Jelen b4df5e 
+	AC_MSG_RESULT(yes)
Jakub Jelen b4df5e 
+else
Jakub Jelen b4df5e 
+	AC_MSG_RESULT(no)
Jakub Jelen b4df5e 
+fi
Jakub Jelen b4df5e 
+
Jakub Jelen b4df5e 
 dnl utmp detection
Jakub Jelen b4df5e 
 AC_MSG_CHECKING([if your system defines UTMP_FILE])
Jakub Jelen b4df5e 
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
Jakub Jelen b4df5e 
diff --git a/session.c b/session.c
Jakub Jelen b4df5e 
index 6cfcba4..80d2806 100644
Jakub Jelen b4df5e 
--- a/session.c
Jakub Jelen b4df5e 
+++ b/session.c
Jakub Jelen b4df5e 
@@ -96,6 +96,10 @@
Jakub Jelen b4df5e 
 #include "monitor_wrap.h"
Jakub Jelen b4df5e 
 #include "sftp.h"
Jakub Jelen b4df5e
Jakub Jelen b4df5e 
+#ifdef HAVE_LIBCAP_NG
Jakub Jelen b4df5e 
+#include <cap-ng.h>
Jakub Jelen b4df5e 
+#endif
Jakub Jelen b4df5e 
+
Jakub Jelen b4df5e 
 #if defined(KRB5) && defined(USE_AFS)
Jakub Jelen b4df5e 
 #include <kafs.h>
Jakub Jelen b4df5e 
 #endif
Jakub Jelen b4df5e 
@@ -1586,6 +1590,7 @@ void
Jakub Jelen b4df5e 
 do_setusercontext(struct passwd *pw)
Jakub Jelen b4df5e 
 {
Jakub Jelen b4df5e 
 	char *chroot_path, *tmp;
Jakub Jelen b4df5e 
+	int dropped_suid = -1;
Jakub Jelen b4df5e
Jakub Jelen b4df5e 
 	platform_setusercontext(pw);
Jakub Jelen b4df5e
Jakub Jelen ecc9f8 
@@ -1619,10 +1624,25 @@ do_setusercontext(struct passwd *pw)
Jakub Jelen b4df5e 
 			    pw->pw_uid);
Jakub Jelen b4df5e 
 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
Jakub Jelen b4df5e 
 			    "u", pw->pw_name, (char *)NULL);
Jakub Jelen b4df5e 
+#ifdef HAVE_LIBCAP_NG
Jakub Jelen b4df5e 
+			/* drop suid soon, retain SYS_CHROOT capability */
Jakub Jelen b4df5e 
+			capng_clear(CAPNG_SELECT_BOTH);
Jakub Jelen b4df5e 
+			capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
Jakub Jelen ecc9f8 
+			if (pw->pw_uid != 0 &&
Jakub Jelen ecc9f8 
+			    (dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_INIT_SUPP_GRP)) != 0)
Jakub Jelen b4df5e 
+				logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
Jakub Jelen b4df5e 
+#endif
Jakub Jelen b4df5e 
 #ifdef WITH_SELINUX
Jakub Jelen b4df5e 
 			sshd_selinux_copy_context();
Jakub Jelen b4df5e 
 #endif
Jakub Jelen b4df5e 
 			safely_chroot(chroot_path, pw->pw_uid);
Jakub Jelen b4df5e 
+#ifdef HAVE_LIBCAP_NG
Jakub Jelen b4df5e 
+			/* Drop chroot capability. Already used */
Jakub Jelen b4df5e 
+			if (dropped_suid == 0) {
Jakub Jelen b4df5e 
+				capng_clear(CAPNG_SELECT_BOTH);
Jakub Jelen b4df5e 
+				capng_apply(CAPNG_SELECT_BOTH);
Jakub Jelen b4df5e 
+			}
Jakub Jelen b4df5e 
+#endif
Jakub Jelen b4df5e 
 			free(tmp);
Jakub Jelen b4df5e 
 			free(chroot_path);
Jakub Jelen b4df5e 
 			/* Make sure we don't attempt to chroot again */
Jakub Jelen b4df5e 
@@ -1654,8 +1673,9 @@ do_setusercontext(struct passwd *pw)
Jakub Jelen b4df5e 
 		if (!in_chroot && set_id(pw->pw_name) != 0)
Jakub Jelen b4df5e 
 			fatal("set_id(%s) Failed", pw->pw_name);
Jakub Jelen b4df5e 
 # endif /* USE_LIBIAF */
Jakub Jelen b4df5e 
-		/* Permanently switch to the desired uid. */
Jakub Jelen b4df5e 
-		permanently_set_uid(pw);
Jakub Jelen b4df5e 
+		/* Permanently switch to the desired uid if not yet done. */
Jakub Jelen b4df5e 
+		if (dropped_suid != 0)
Jakub Jelen b4df5e 
+			permanently_set_uid(pw);
Jakub Jelen b4df5e 
 #endif
Jakub Jelen b4df5e
Jakub Jelen b4df5e 
 #ifdef WITH_SELINUX

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation