Jakub Jelen 5b55d0
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
Jakub Jelen 5b55d0
--- openssh/auth2-pubkey.c.refactor	2017-09-27 13:10:19.556830609 +0200
Jakub Jelen 5b55d0
+++ openssh/auth2-pubkey.c	2017-09-27 13:10:19.677831274 +0200
Jakub Jelen 5b55d0
@@ -72,6 +72,9 @@
Jakub Jelen 5b55d0
 extern ServerOptions options;
Jakub Jelen 5b55d0
 extern u_char *session_id2;
Jakub Jelen 5b55d0
 extern u_int session_id2_len;
Jakub Jelen 5b55d0
+extern int inetd_flag;
Jakub Jelen 5b55d0
+extern int rexeced_flag;
Jakub Jelen 5b55d0
+extern Authctxt *the_authctxt;
Jakub Jelen 5b55d0
 
Jakub Jelen 3cd489
 static char *
Jakub Jelen 3cd489
 format_key(const struct sshkey *key)
Jakub Jelen 5b55d0
@@ -432,7 +435,8 @@ match_principals_command(struct passwd *
Jakub Jelen 5b55d0
 
Jakub Jelen 3cd489
 	if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
Jakub Jelen 5b55d0
 	    ac, av, &f,
Jakub Jelen 5b55d0
-	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
Jakub Jelen 5b55d0
+	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
Jakub Jelen 5b55d0
+	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
Jakub Jelen 5b55d0
 		goto out;
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 	uid_swapped = 1;
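Review bot: The condition `(inetd_flag && !rexeced_flag)` is spelled out at this call and repeated verbatim at the AuthorizedKeysCommand call in the next hunk and at both sshd_selinux_setup_exec_context callers in platform.c and sshd.c; four copies of the same policy expression are easy to let drift when one of them is later edited. Computing it once, e.g. `int inetd_no_rexec = inetd_flag && !rexeced_flag;` next to the flag definitions or in a small helper in sshd.c, and passing that value keeps the meaning in one place. Per the port-linux-sshd.c hunks, this flag decides whether the helper child keeps sshd's current SELinux level, so a copy that drifts would silently change the context the command runs under. match_principals_command begins and ends outside the hunk.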
Jakub Jelen 5b55d0
@@ -762,7 +766,8 @@ user_key_command_allowed2(struct passwd
Jakub Jelen 5b55d0
 
Jakub Jelen 3cd489
 	if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
Jakub Jelen 5b55d0
 	    ac, av, &f,
Jakub Jelen 5b55d0
-	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
Jakub Jelen 5b55d0
+	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
Jakub Jelen 5b55d0
+	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
Jakub Jelen 5b55d0
 		goto out;
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 	uid_swapped = 1;
Jakub Jelen 3cd489
diff -up openssh/auth.c.refactor openssh/auth.c
Jakub Jelen 3cd489
--- openssh/auth.c.refactor	2017-09-27 13:10:19.640831071 +0200
Jakub Jelen 3cd489
+++ openssh/auth.c	2017-09-27 13:10:19.678831279 +0200
Jakub Jelen 5b55d0
@@ -1435,7 +1435,8 @@ argv_assemble(int argc, char **argv)
Jakub Jelen 5b55d0
  */
Jakub Jelen 5b55d0
 pid_t
Jakub Jelen 5b55d0
 subprocess(const char *tag, struct passwd *pw, const char *command,
Jakub Jelen 5b55d0
-    int ac, char **av, FILE **child, u_int flags)
Jakub Jelen 5b55d0
+    int ac, char **av, FILE **child, u_int flags, int inetd,
Jakub Jelen 5b55d0
+    void *the_authctxt)
Jakub Jelen 5b55d0
 {
Jakub Jelen 5b55d0
 	FILE *f = NULL;
Jakub Jelen 5b55d0
 	struct stat st;
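Review bot: The new `void *the_authctxt` parameter erases the type inside auth.c, which as far as I can tell already has `Authctxt` in scope via auth.h (the same patch declares it as `Authctxt *` in auth2-pubkey.c), only for port-linux-sshd.c to cast it back; declaring it `Authctxt *authctxt` here and confining the `void *` to the port-linux.h boundary lets the compiler check the call sites. The doc comment that ends just above the signature is not extended for the two new parameters; I would add `inetd: non-zero when sshd was started from inetd and not re-exec'ed (the child then keeps the current SELinux level); authctxt: the server's Authctxt, consulted for the requested SELinux role/level`. The auth.h prototype in a later hunk likewise leaves the two new parameters unnamed while `flags` is named; `u_int flags, int inetd, void *authctxt` would match. subprocess's body continues past the hunk.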
Jakub Jelen 5b55d0
@@ -1551,7 +1552,7 @@ subprocess(const char *tag, struct passw
Jakub Jelen 5b55d0
 		}
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 #ifdef WITH_SELINUX
Jakub Jelen 5b55d0
-		if (sshd_selinux_setup_env_variables() < 0) {
Jakub Jelen 5b55d0
+		if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
Jakub Jelen 5b55d0
 			error ("failed to copy environment:  %s",
Jakub Jelen 5b55d0
 			    strerror(errno));
Jakub Jelen 5b55d0
 			_exit(127);
Jakub Jelen 3cd489
diff -up openssh/auth.h.refactor openssh/auth.h
Jakub Jelen 3cd489
--- openssh/auth.h.refactor	2017-09-25 01:48:10.000000000 +0200
Jakub Jelen 3cd489
+++ openssh/auth.h	2017-09-27 13:10:19.678831279 +0200
Jakub Jelen 5b55d0
@@ -144,7 +144,7 @@ int	 exited_cleanly(pid_t, const char *,
Jakub Jelen 3cd489
 #define	SSH_SUBPROCESS_STDOUT_CAPTURE  (1<<1)  /* Redirect stdout */
Jakub Jelen 3cd489
 #define	SSH_SUBPROCESS_STDERR_DISCARD  (1<<2)  /* Discard stderr */
Jakub Jelen 3cd489
 pid_t	subprocess(const char *, struct passwd *,
Jakub Jelen 5b55d0
-    const char *, int, char **, FILE **, u_int flags);
Jakub Jelen 5b55d0
+    const char *, int, char **, FILE **, u_int flags, int, void *);
Jakub Jelen 5b55d0
 
Jakub Jelen 3cd489
 int	 sys_auth_passwd(struct ssh *, const char *);
Jakub Jelen 3cd489
 
Jakub Jelen 5b55d0
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
Jakub Jelen 5b55d0
--- openssh/openbsd-compat/port-linux.h.refactor	2017-09-27 13:10:19.634831038 +0200
Jakub Jelen 5b55d0
+++ openssh/openbsd-compat/port-linux.h	2017-09-27 13:10:54.954025248 +0200
Jakub Jelen 5b55d0
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 int sshd_selinux_enabled(void);
Jakub Jelen 5b55d0
 void sshd_selinux_copy_context(void);
Jakub Jelen 5b55d0
-void sshd_selinux_setup_exec_context(char *);
Jakub Jelen 5b55d0
-int sshd_selinux_setup_env_variables(void);
Jakub Jelen 5b55d0
+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
Jakub Jelen 5b55d0
+int sshd_selinux_setup_env_variables(int inetd, void *);
Jakub Jelen 5b55d0
 void sshd_selinux_change_privsep_preauth_context(void);
Jakub Jelen 5b55d0
 #endif
Jakub Jelen 5b55d0
 
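Review bot: The new sshd_selinux_setup_exec_context prototype has two unnamed `int` parameters with different meanings, `inetd` in position 2 and `use_pam` in position 5, separated by a callback and a `void *`; a caller that swaps them compiles cleanly. Naming them, and writing the callback in the conventional pointer form, makes the contract readable from the header alone: `void sshd_selinux_setup_exec_context(char *pwname, int inetd, int (*pam_setenv)(char *, const char *), void *authctxt, int use_pam);` and `int sshd_selinux_setup_env_variables(int inetd, void *authctxt);`. A one-line comment that `inetd` means "started from (x)inetd and not re-exec'ed, so the current SELinux level is kept" would also record what every caller in this patch computes as `inetd_flag && !rexeced_flag`.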
Jakub Jelen 5b55d0
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
Jakub Jelen 5b55d0
--- openssh/openbsd-compat/port-linux-sshd.c.refactor	2017-09-27 13:10:19.634831038 +0200
Jakub Jelen 5b55d0
+++ openssh/openbsd-compat/port-linux-sshd.c	2017-09-27 13:12:06.811420371 +0200
Jakub Jelen 5b55d0
@@ -48,11 +48,6 @@
Jakub Jelen 5b55d0
 #include <unistd.h>
Jakub Jelen 5b55d0
 #endif
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
-extern ServerOptions options;
Jakub Jelen 5b55d0
-extern Authctxt *the_authctxt;
Jakub Jelen 5b55d0
-extern int inetd_flag;
Jakub Jelen 5b55d0
-extern int rexeced_flag;
Jakub Jelen 5b55d0
-
Jakub Jelen 5b55d0
 /* Wrapper around is_selinux_enabled() to log its return value once only */
Jakub Jelen 5b55d0
 int
Jakub Jelen 5b55d0
 sshd_selinux_enabled(void)
Jakub Jelen 5b55d0
@@ -222,7 +217,8 @@ get_user_context(const char *sename, con
Jakub Jelen 5b55d0
 }
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 static void
Jakub Jelen 5b55d0
-ssh_selinux_get_role_level(char **role, const char **level)
Jakub Jelen 5b55d0
+ssh_selinux_get_role_level(char **role, const char **level,
Jakub Jelen 5b55d0
+    Authctxt *the_authctxt)
Jakub Jelen 5b55d0
 {
Jakub Jelen 5b55d0
 	*role = NULL;
Jakub Jelen 5b55d0
 	*level = NULL;
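Review bot: The parameter is named `the_authctxt`, the same name as sshd's global of that type (this patch adds externs for it in auth2-pubkey.c and platform.c); the bodies of sshd_selinux_setup_env_variables and sshd_selinux_setup_exec_context in a later hunk then copy it into a local called `authctxt` anyway. Using `authctxt` for the parameter here, in sshd_selinux_getctxbyname, sshd_selinux_setup_variables, sshd_selinux_setup_pam_variables and in subprocess in auth.c avoids a -Wshadow warning in any translation unit that also declares the global and makes it clear the value is whatever the caller passed, not the global. The body of ssh_selinux_get_role_level continues outside the hunk.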
Jakub Jelen 5b55d0
@@ -240,8 +236,8 @@ ssh_selinux_get_role_level(char **role,
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 /* Return the default security context for the given username */
Jakub Jelen 5b55d0
 static int
Jakub Jelen 5b55d0
-sshd_selinux_getctxbyname(char *pwname,
Jakub Jelen 5b55d0
-	security_context_t *default_sc, security_context_t *user_sc)
Jakub Jelen 5b55d0
+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
Jakub Jelen 5b55d0
+    security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
Jakub Jelen 5b55d0
 {
Jakub Jelen 5b55d0
 	char *sename, *lvl;
Jakub Jelen 5b55d0
 	char *role;
Jakub Jelen 5b55d0
@@ -249,7 +245,7 @@ sshd_selinux_getctxbyname(char *pwname,
Jakub Jelen 5b55d0
 	int r = 0;
Jakub Jelen 5b55d0
 	context_t con = NULL;
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
-	ssh_selinux_get_role_level(&role, &reqlvl);
Jakub Jelen 5b55d0
+	ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 #ifdef HAVE_GETSEUSERBYNAME
Jakub Jelen 5b55d0
 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
Jakub Jelen 5b55d0
@@ -271,7 +267,7 @@ sshd_selinux_getctxbyname(char *pwname,
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 	if (r == 0) {
Jakub Jelen 5b55d0
 		/* If launched from xinetd, we must use current level */
Jakub Jelen 5b55d0
-		if (inetd_flag && !rexeced_flag) {
Jakub Jelen 5b55d0
+		if (inetd) {
Jakub Jelen 5b55d0
 			security_context_t sshdsc=NULL;
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 			if (getcon_raw(&sshdsc) < 0)
Jakub Jelen 5b55d0
@@ -332,7 +328,8 @@ sshd_selinux_getctxbyname(char *pwname,
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 /* Setup environment variables for pam_selinux */
Jakub Jelen 5b55d0
 static int
Jakub Jelen 5b55d0
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
Jakub Jelen 5b55d0
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
Jakub Jelen 5b55d0
+    Authctxt *the_authctxt)
Jakub Jelen 5b55d0
 {
Jakub Jelen 5b55d0
 	const char *reqlvl;
Jakub Jelen 5b55d0
 	char *role;
Jakub Jelen 5b55d0
@@ -341,11 +338,11 @@ sshd_selinux_setup_variables(int(*set_it
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 	debug3("%s: setting execution context", __func__);
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
-	ssh_selinux_get_role_level(&role, &reqlvl);
Jakub Jelen 5b55d0
+	ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 	rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
-	if (inetd_flag && !rexeced_flag) {
Jakub Jelen 5b55d0
+	if (inetd) {
Jakub Jelen 5b55d0
 		use_current = "1";
Jakub Jelen 5b55d0
 	} else {
Jakub Jelen 5b55d0
 		use_current = "";
Jakub Jelen 5b55d0
@@ -361,9 +358,10 @@ sshd_selinux_setup_variables(int(*set_it
Jakub Jelen 5b55d0
 }
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 static int
Jakub Jelen 5b55d0
-sshd_selinux_setup_pam_variables(void)
Jakub Jelen 5b55d0
+sshd_selinux_setup_pam_variables(int inetd,
Jakub Jelen 5b55d0
+    int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
Jakub Jelen 5b55d0
 {
Jakub Jelen 5b55d0
-	return sshd_selinux_setup_variables(do_pam_putenv);
Jakub Jelen 5b55d0
+	return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
Jakub Jelen 5b55d0
 }
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 static int
Jakub Jelen 5b55d0
@@ -373,25 +371,28 @@ do_setenv(char *name, const char *value)
Jakub Jelen 5b55d0
 }
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 int
Jakub Jelen 5b55d0
-sshd_selinux_setup_env_variables(void)
Jakub Jelen 5b55d0
+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
Jakub Jelen 5b55d0
 {
Jakub Jelen 5b55d0
-	return sshd_selinux_setup_variables(do_setenv);
Jakub Jelen 5b55d0
+	Authctxt *authctxt = (Authctxt *) the_authctxt;
Jakub Jelen 5b55d0
+	return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
Jakub Jelen 5b55d0
 }
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 /* Set the execution context to the default for the specified user */
Jakub Jelen 5b55d0
 void
Jakub Jelen 5b55d0
-sshd_selinux_setup_exec_context(char *pwname)
Jakub Jelen 5b55d0
+sshd_selinux_setup_exec_context(char *pwname, int inetd,
Jakub Jelen 5b55d0
+    int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
Jakub Jelen 5b55d0
 {
Jakub Jelen 5b55d0
 	security_context_t user_ctx = NULL;
Jakub Jelen 5b55d0
 	int r = 0;
Jakub Jelen 5b55d0
 	security_context_t default_ctx = NULL;
Jakub Jelen 5b55d0
+	Authctxt *authctxt = (Authctxt *) the_authctxt;
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 	if (!sshd_selinux_enabled())
Jakub Jelen 5b55d0
 		return;
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
-	if (options.use_pam) {
Jakub Jelen 5b55d0
+	if (use_pam) {
Jakub Jelen 5b55d0
 		/* do not compute context, just setup environment for pam_selinux */
Jakub Jelen 5b55d0
-		if (sshd_selinux_setup_pam_variables()) {
Jakub Jelen 5b55d0
+		if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
Jakub Jelen 5b55d0
 			switch (security_getenforce()) {
Jakub Jelen 5b55d0
 			case -1:
Jakub Jelen 5b55d0
 				fatal("%s: security_getenforce() failed", __func__);
Jakub Jelen 5b55d0
@@ -409,7 +410,7 @@ sshd_selinux_setup_exec_context(char *pw
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 	debug3("%s: setting execution context", __func__);
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
-	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
Jakub Jelen 5b55d0
+	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
Jakub Jelen 5b55d0
 	if (r >= 0) {
Jakub Jelen 5b55d0
 		r = setexeccon(user_ctx);
Jakub Jelen 5b55d0
 		if (r < 0) {
Jakub Jelen 5b55d0
diff -up openssh/platform.c.refactor openssh/platform.c
Jakub Jelen 5b55d0
--- openssh/platform.c.refactor	2017-09-27 13:10:19.574830708 +0200
Jakub Jelen 5b55d0
+++ openssh/platform.c	2017-09-27 13:11:45.475303050 +0200
Jakub Jelen 5b55d0
@@ -33,6 +33,9 @@
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 extern int use_privsep;
Jakub Jelen 5b55d0
 extern ServerOptions options;
Jakub Jelen 5b55d0
+extern int inetd_flag;
Jakub Jelen 5b55d0
+extern int rexeced_flag;
Jakub Jelen 5b55d0
+extern Authctxt *the_authctxt;
Jakub Jelen 5b55d0
 
Jakub Jelen 5b55d0
 void
Jakub Jelen 5b55d0
 platform_pre_listen(void)
Jakub Jelen 5b55d0
@@ -184,7 +187,9 @@ platform_setusercontext_post_groups(stru
Jakub Jelen 5b55d0
 	}
Jakub Jelen 5b55d0
 #endif /* HAVE_SETPCRED */
Jakub Jelen 5b55d0
 #ifdef WITH_SELINUX
Jakub Jelen 5b55d0
-	sshd_selinux_setup_exec_context(pw->pw_name);
Jakub Jelen 5b55d0
+	sshd_selinux_setup_exec_context(pw->pw_name,
Jakub Jelen 5b55d0
+	    (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
Jakub Jelen 5b55d0
+	    options.use_pam);
Jakub Jelen 5b55d0
 #endif
Jakub Jelen 5b55d0
 }
Jakub Jelen 5b55d0
 
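Review bot: `do_pam_putenv` is now named at this call site inside a `#ifdef WITH_SELINUX` block that has no `USE_PAM` guard, and the same applies to the sshd.c caller in the last hunk; if do_pam_putenv is only declared when USE_PAM is defined, as I believe auth-pam.h does, a WITH_SELINUX build without PAM no longer compiles here. The coupling existed before inside port-linux-sshd.c, but now that the callback is an explicit argument it is easy to break: wrap that one argument in `#ifdef USE_PAM` / `#else` with `NULL` in the non-PAM branch, which is safe because sshd_selinux_setup_exec_context only hands `pam_setenv` on when `use_pam` is set. platform_setusercontext_post_groups begins outside the hunk.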
Jakub Jelen 5b55d0
diff -up openssh/sshd.c.refactor openssh/sshd.c
Jakub Jelen 5b55d0
--- openssh/sshd.c.refactor	2017-09-27 13:10:19.674831257 +0200
Jakub Jelen 5b55d0
+++ openssh/sshd.c	2017-09-27 13:12:01.635391909 +0200
Jakub Jelen 5b55d0
@@ -2135,7 +2135,9 @@ main(int ac, char **av)
Jakub Jelen 5b55d0
 	}
Jakub Jelen 5b55d0
 #endif
Jakub Jelen 5b55d0
 #ifdef WITH_SELINUX
Jakub Jelen 5b55d0
-	sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
Jakub Jelen 5b55d0
+	sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
Jakub Jelen 5b55d0
+	    (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
Jakub Jelen 5b55d0
+	    options.use_pam);
Jakub Jelen 5b55d0
 #endif
Jakub Jelen 5b55d0
 #ifdef USE_PAM
Jakub Jelen 5b55d0
 	if (options.use_pam) {
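Review bot: main() passes the global `the_authctxt` while the local `authctxt` is dereferenced on the same call for `authctxt->pw->pw_name`; if the two refer to the same object at this point, passing `authctxt` keeps the call self-consistent and does not depend on the global having been stored. If they can legitimately differ here, a short comment saying why the global is the right one would save the next reader the same question. main() continues outside the hunk.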