FreeBSD Bugzilla – Attachment 133260 Details for
Bug 177698
[libutil] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
[patch]
login_class.c.txt
login_class.c.diff (text/plain), 2.22 KB, created by
Kevin Barry
on 2013-04-12 20:20:10 UTC
Description:
login_class.c.txt
Filename:
MIME Type:
Creator:
Kevin Barry
Created:
2013-04-12 20:20:10 UTC
Size:
2.22 KB
patch
obsolete
>--- /usr/src/lib/libutil/login_class.c.orig 2012-12-03 16:36:36.000000000 -0500
>+++ /usr/src/lib/libutil/login_class.c 2013-04-12 15:09:48.000000000 -0400
>@@ -440,7 +440,7 @@
>
> /* we need a passwd entry to set these */
> if (pwd == NULL)
>- flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN | LOGIN_SETMAC);
>+ flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN);
>
> /* Set the process priority */
> if (flags & LOGIN_SETPRIORITY) {
>@@ -485,31 +485,6 @@
> }
> }
>
>- /* Set up the user's MAC label. */
>- if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
>- const char *label_string;
>- mac_t label;
>-
>- label_string = login_getcapstr(lc, "label", NULL, NULL);
>- if (label_string != NULL) {
>- if (mac_from_text(&label, label_string) == -1) {
>- syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
>- pwd->pw_name, label_string);
>- return (-1);
>- }
>- if (mac_set_proc(label) == -1)
>- error = errno;
>- else
>- error = 0;
>- mac_free(label);
>- if (error != 0) {
>- syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
>- label_string, pwd->pw_name, strerror(error));
>- return (-1);
>- }
>- }
>- }
>-
> /* Set the sessions login */
> if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
> syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
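Review bot: The comment `/* we need a passwd entry to set these */` no longer explains why LOGIN_SETMAC is absent from the mask in the first hunk, and the omission is a behaviour change separate from the reordering the bug title describes: a caller that passes a NULL pwd together with LOGIN_SETMAC will now have a process label applied from the login class. I would record that intent next to the mask, for example `/* LOGIN_SETMAC is deliberately not masked: the label comes from the login class, not from pwd */`, so it is not later read as an oversight. Whether any existing caller depends on the old masking cannot be seen from this hunk, so that is worth confirming before the change lands.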
>@@ -542,6 +517,31 @@
> mymask = setlogincontext(lc, pwd, mymask, flags);
> login_close(llc);
>
>+ /* Set up the user's MAC label. */
>+ if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
>+ const char *label_string;
>+ mac_t label;
>+
>+ label_string = login_getcapstr(lc, "label", NULL, NULL);
>+ if (label_string != NULL) {
>+ if (mac_from_text(&label, label_string) == -1) {
>+ syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
>+ pwd? pwd->pw_name : "root", label_string);
>+ return (-1);
>+ }
>+ if (mac_set_proc(label) == -1)
>+ error = errno;
>+ else
>+ error = 0;
>+ mac_free(label);
>+ if (error != 0) {
>+ syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
>+ label_string, pwd? pwd->pw_name : "root", strerror(error));
>+ return (-1);
>+ }
>+ }
>+ }
>+
> /* This needs to be done after anything that needs root privs */
> if ((flags & LOGIN_SETUSER) && setuid(uid) != 0) {
> syslog(LOG_ERR, "setuid(%lu): %m", (u_long)uid);
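Review bot: The relocated MAC block calls `login_getcapstr(lc, "label", ...)` directly after the context line `login_close(llc);`, so the label lookup may read a login class that has already been released. The hunk does not show how llc is assigned; if it aliases lc whenever the function fetched the class itself, this is a use after free on the path that sets the process's security label. The close should move below the block and be repeated before each early return. Separately, the mac_from_text() message still passes its arguments in the opposite order to its format string (user name inside the quotes, label after "for"), unlike the mac_set_proc() message a few lines below it. The enclosing function starts and ends outside the hunk.

```c
	mymask = setlogincontext(lc, pwd, mymask, flags);

	/* Set up the user's MAC label. */
	if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
		/* … unchanged: declarations and login_getcapstr() lookup … */
			if (mac_from_text(&label, label_string) == -1) {
				syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
				    label_string, pwd ? pwd->pw_name : "root");
				login_close(llc);
				return (-1);
			}
			/* … unchanged: mac_set_proc() and mac_free() … */
			if (error != 0) {
				/* … unchanged: syslog of the mac_set_proc() failure … */
				login_close(llc);
				return (-1);
			}
	/* … unchanged: closing braces of the MAC block … */
	login_close(llc);
```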
Attachments on
bug 177698
:
133258
|
133259
|
133260
|
221063