| Field | Value |
|---|---|
| Summary | [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used. |
| Product | Base System |
| Component | kern |
| Reporter | Kevin Barry <ta0kira> |
| Assignee | Dag-Erling Smørgrav <des> |
| Status | Open |
| Severity | Affects Only Me |
| Priority | Normal |
| CC | des, kaktus, ta0kira |
| Keywords | patch |
| Version | 12.2-RELEASE |
| Hardware | Any |
| OS | Any |
| Bug Depends on | |
| Bug Blocks | 192900 |

Description
Kevin Barry
2013-04-07 22:50:01 UTC
(The following comment did not carry over when the bug report was migrated to the new system.)

From: Kevin Barry <ta0kira@gmail.com> [submitter]
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Date: Sun, 7 Apr 2013 23:50:35 -0400

I submitted this bug report earlier, and since then I've noticed that /usr/bin/login suffers from the same problem. I've therefore made a change to libutil to make setusercontext set the MAC label right before the uid change. I've attached a separate patch that should universally fix the problem. This also makes my previous sshd patch obsolete. Incidentally, this should be reclassified as a bug in libutil.

(The following comment did not carry over when the bug report was migrated to the new system.)

From: Kevin Barry <ta0kira@gmail.com> [submitter]
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Date: Fri, 12 Apr 2013 15:20:10 -0400

Here's a new patch for login_class.c. As far as I can tell there is no reason to require that a passwd entry be specified in order to set the MAC label; therefore, I removed that requirement. Additionally, the current implementation silently fails to set the MAC label when the pwd argument is NULL, and silent failure when it comes to security isn't a good thing. While not directly related to the original problem, it's related to the underlying issue, which is that the handling of MAC labels in setusercontext has several bugs in need of fixing.

I will try to look into this.

Created attachment 221063: libutil patch updated for 12.2-RELEASE

Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>