pool/openssh
SHA256
12
0
Fork 1
Code Issues Pull Requests Activity
Files
18d888f3cc0e91717c06da52d0081f37507654a792ed4bf31274e8acf226af5e
openssh/openssh-6.6p1-privsep-selinux.patch
Antonio Larrosa 52583b8481 Accepting request 1268126 from home:alarrosa:branches:network 
- Update to openssh 10.0p1:
  * No changes for askpass, see main package changelog for
    details.

- Update to openssh 10.0p1:
  = Potentially-incompatible changes
  * This release removes support for the weak DSA signature
    algorithm, completing the deprecation process that began in
    2015 (when DSA was disabled by default) and repeatedly warned
    over the last 12 months.
  * scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
    scp & sftp. This disables implicit session creation by these
    tools when ControlMaster was set to yes/auto by configuration,
    which some users found surprising. This change will not prevent
    scp/sftp from using an existing multiplexing session if one had
    already been created. GHPR557
  * This release has the version number 10.0 and announces itself
    as "SSH-2.0-OpenSSH_10.0". Software that naively matches
    versions using patterns like "OpenSSH_1*" may be confused by
    this.
  * sshd(8): this release removes the code responsible for the
    user authentication phase of the protocol from the per-
    connection sshd-session binary to a new sshd-auth binary.
    Splitting this code into a separate binary ensures that the
    crucial pre-authentication attack surface has an entirely
    disjoint address space from the code used for the rest of the
    connection. It also yields a small runtime memory saving as the
    authentication code will be unloaded after the authentication
    phase completes. This change should be largely invisible to
    users, though some log messages may now come from "sshd-auth"

OBS-URL: https://build.opensuse.org/request/show/1268126
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=286
2025-04-09 10:49:15 +00:00

130 lines
4.0 KiB
Diff
Raw Blame History

Index: openssh-9.3p2/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
+++ openssh-9.3p2/openbsd-compat/port-linux.h
@@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
#endif
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
@@ -416,6 +416,28 @@ sshd_selinux_setup_exec_context(char *pw
debug3_f("done");
}
+void
+sshd_selinux_copy_context(void)
+{
+ security_context_t *ctx;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ if (getexeccon((security_context_t *)&ctx) != 0) {
+ logit_f("getexeccon failed with %s", strerror(errno));
+ return;
+ }
+ if (ctx != NULL) {
+ /* unset exec context before we will lose this capabililty */
+ if (setexeccon(NULL) != 0)
+ fatal_f("setexeccon failed with %s", strerror(errno));
+ if (setcon(ctx) != 0)
+ fatal_f("setcon failed with %s", strerror(errno));
+ freecon(ctx);
+ }
+}
+
#endif
#endif
Index: openssh-9.3p2/session.c
===================================================================
--- openssh-9.3p2.orig/session.c
+++ openssh-9.3p2/session.c
@@ -1403,7 +1403,7 @@ do_setusercontext(struct passwd *pw)
platform_setusercontext(pw);
- if (platform_privileged_uidswap()) {
+ if (platform_privileged_uidswap() && !is_child) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
@@ -1435,6 +1435,9 @@ do_setusercontext(struct passwd *pw)
(unsigned long long)pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, "U", uidstr, (char *)NULL);
+#ifdef WITH_SELINUX
+ sshd_selinux_copy_context();
+#endif
safely_chroot(chroot_path, pw->pw_uid);
free(tmp);
free(chroot_path);
@@ -1470,6 +1473,11 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ if (in_chroot == 0)
+ sshd_selinux_copy_context();
+#endif
} else if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
fatal("server lacks privileges to chroot to ChrootDirectory");
@@ -1487,9 +1495,6 @@ do_pwchange(Session *s)
if (s->ttyfd != -1) {
fprintf(stderr,
"You must change your password now and log in again!\n");
-#ifdef WITH_SELINUX
- setexeccon(NULL);
-#endif
#ifdef PASSWD_NEEDS_USERNAME
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
(char *)NULL);
@@ -1723,9 +1728,6 @@ do_child(struct ssh *ssh, Session *s, co
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
-#ifdef WITH_SELINUX
- ssh_selinux_change_context("sftpd_t");
-#endif
exit(sftp_server_main(i, argv, s->pw));
}
Index: openssh-10/sshd-auth.c
===================================================================
--- openssh-10.orig/sshd-auth.c
+++ openssh-10/sshd-auth.c
@@ -200,6 +200,11 @@ privsep_preauth_child(struct ssh *ssh)
if ((box = ssh_sandbox_init(pmonitor)) == NULL)
fatal_f("ssh_sandbox_init failed");
#endif
+
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("sshd_net_t");
+#endif
+
/* Demote the child */
if (privsep_chroot) {
/* Change our root directory */
Index: openssh-9.3p2/sshd-session.c
===================================================================
--- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd-session.c
@@ -490,7 +490,7 @@ privsep_postauth(struct ssh *ssh, Authct
* fd passing, as AFAIK PTY allocation on this platform doesn't require
* special privileges to begin with.
*/
-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
+#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
skip_privdrop = 1;
#endif
Reference in New Issue View Git Blame Copy Permalink