
Bug#394795: marked as done (openssh-server: Updated SELinux patch for openssh)



Your message dated Tue, 14 Nov 2006 17:47:17 -0800
with message-id <E1Gk9rx-00076A-5K@spohr.debian.org>
and subject line Bug#394795: fixed in openssh 1:4.3p2-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-5
Severity: normal
Tags: patch

Hi,

        The attached patch brings openssh back into compatibility with
 recent SELinux releases --and includes an autoconf macro for
 configure.ac. I have tested the patch (after running autoreconf), and
 indeed, I am using it now.

        manoj

diff -uBbwr ../debian-current/openssh-4.3p2/configure.ac openssh-4.3p2/configure.ac
--- ../debian-current/openssh-4.3p2/configure.ac	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/configure.ac	2006-10-20 15:34:53.000000000 -0500
@@ -2996,6 +2996,28 @@
 	fi
 	])
 
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+LIBSELINUX=""
+AC_ARG_WITH(selinux,
+	[  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
+	[ if test "x$withval" != "xno" ; then
+		if test "x$withval" != "xyes"; then
+			CPPFLAGS="$CPPFLAGS -I${withval}/include"
+			if test -n "${need_dash_r}"; then
+				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+			else
+				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+			fi
+               fi 
+		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
+		SELINUX_MSG="yes"
+		AC_CHECK_HEADERS(selinux.h)
+		LIBSELINUX="-lselinux"
+	fi
+	])
+AC_SUBST(LIBSELINUX)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
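Review bot: The `AC_CHECK_HEADERS(selinux.h)` line does not gate anything: `WITH_SELINUX` has already been defined and `LIBSELINUX` is set whether or not the header is found, so a system without libselinux only fails later at compile time instead of at configure time. libselinux installs its public header as `selinux/selinux.h`, so the check as written will most likely report the header missing even where the library is present. The selinux.c changes in this same patch also rely on `getseuserbyname` and `get_default_context_with_rolelevel`, which older libselinux releases do not provide, and configure is the place to catch that. Replacing the header check and the `LIBSELINUX="-lselinux"` line with `AC_CHECK_HEADER([selinux/selinux.h], , AC_MSG_ERROR([SELinux support requires selinux/selinux.h]))` and `AC_CHECK_LIB([selinux], [getseuserbyname], [LIBSELINUX="-lselinux"], AC_MSG_ERROR([SELinux support requires a libselinux with getseuserbyname]))` makes the failure early and explicit.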
diff -uBbwr ../debian-current/openssh-4.3p2/Makefile.in openssh-4.3p2/Makefile.in
--- ../debian-current/openssh-4.3p2/Makefile.in	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/Makefile.in	2006-10-20 15:34:48.000000000 -0500
@@ -43,6 +43,7 @@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
+LIBSELINUX=@LIBSELINUX@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
 LIBWRAP=@LIBWRAP@
@@ -136,7 +137,7 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.c openssh-4.3p2/monitor.c
--- ../debian-current/openssh-4.3p2/monitor.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.c	2006-10-20 15:34:48.000000000 -0500
@@ -111,6 +111,7 @@
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -182,6 +183,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -638,6 +640,7 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -692,6 +695,23 @@
 }
 
 int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+
+int
 mm_answer_authpassword(int sock, Buffer *m)
 {
 	static int call_count;
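Review bot: `mm_answer_authrole` stores whatever string the unprivileged child sent into `authctxt->role` with no check beyond emptiness, and the privileged process later hands that value to libselinux (`get_default_context_with_rolelevel` in the selinux.c hunk of this patch), so the only thing constraining the role is the policy lookup inside libselinux; that trust boundary deserves a comment so nobody later adds an ad-hoc filter here or drops the library-side check. I would put above the function: `/* Role requested by the unprivileged child for its SELinux context. It is not validated here; libselinux decides whether the user may take it. */`. `sock` is unused, which appears to match the neighbouring handlers, and `if (strlen(authctxt->role) == 0)` can be written `if (authctxt->role[0] == '\0')` to avoid scanning the string. The `mm_answer_authpassword` definition that begins at the end of the hunk continues outside it.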
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.h openssh-4.3p2/monitor.h
--- ../debian-current/openssh-4.3p2/monitor.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.h	2006-10-20 15:34:48.000000000 -0500
@@ -30,7 +30,7 @@
 
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
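Review bot: Inserting `MONITOR_REQ_AUTHROLE` in the middle of `enum monitor_reqtype` renumbers every request type after it; as far as I can tell that is harmless only because the monitor and the unprivileged child are always the same executable, and appending the new type at the end of the enum would keep the existing values stable and make the intent clearer. Minor style: the new entry lacks the space after the comma that the surrounding entries use, `MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,`.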
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.c openssh-4.3p2/monitor_wrap.c
--- ../debian-current/openssh-4.3p2/monitor_wrap.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.c	2006-10-20 15:34:48.000000000 -0500
@@ -272,6 +272,23 @@
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
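Review bot: `mm_inform_authrole` only reads `role` (it is passed to `buffer_put_cstring`), so the parameter should be `const char *role`; the prototype this patch adds to monitor_wrap.h would need the same change. The blank line between the new header comment and `void` separates the comment from the function it describes, whereas the file's existing `/* Do the password authentication */` sits directly above its definition. A one-line contract in that style would also help: `/* Send the requested SELinux role (or "" for none) to the monitor as MONITOR_REQ_AUTHROLE */`.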
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.h openssh-4.3p2/monitor_wrap.h
--- ../debian-current/openssh-4.3p2/monitor_wrap.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.h	2006-10-20 15:39:45.000000000 -0500
@@ -44,6 +44,7 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.c openssh-4.3p2/selinux.c
--- ../debian-current/openssh-4.3p2/selinux.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.c	2006-10-20 15:57:51.000000000 -0500
@@ -13,20 +11,24 @@
 
 extern Authctxt *the_authctxt;
 
-static security_context_t
+static const security_context_t 
 selinux_get_user_context(const char *name)
 {
 	security_context_t user_context = NULL;
 	char *role = NULL;
-	int ret = 0;
+	int ret = -1;
+	char *seuser=NULL;
+	char *level=NULL;
 
 	if (the_authctxt)
 		role = the_authctxt->role;
+        if (getseuserbyname(name, &seuser, &level)==0) {
 	if (role != NULL && role[0])
-		ret = get_default_context_with_role(name, role, NULL,
+            ret=get_default_context_with_rolelevel(seuser, role, level,NULL,
 		    &user_context);
 	else
-		ret = get_default_context(name, NULL, &user_context);
+            ret=get_default_context_with_level(seuser, level, NULL,&user_context);
+        }
 	if (ret < 0) {
 		if (security_getenforce() > 0)
 			fatal("Failed to get default security context for %s.",
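Review bot: `seuser` and `level` are filled in by `getseuserbyname` but nothing in the hunk frees them, and they are not returned to the caller, so each call leaks both strings unless the part of `selinux_get_user_context` after this hunk releases them. libselinux documents those as heap allocations owned by the caller, so `free(seuser); free(level);` belongs right after the closing brace of the `getseuserbyname` block, before the `if (ret < 0)` test. Separately, `static const security_context_t` on the return type qualifies the pointer itself (`security_context_t` is a pointer typedef), which is meaningless on a return value and misleading given that callers `freecon` the result; the original unqualified type was correct. The function body continues past the end of the hunk.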
@@ -42,12 +44,9 @@
 void
 setup_selinux_pty(const char *name, const char *tty)
 {
-	security_context_t new_tty_context, user_context, old_tty_context;
+  if (is_selinux_enabled() > 0) {
+    security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
 
-	if (is_selinux_enabled() <= 0)
-		return;
-
-	new_tty_context = old_tty_context = NULL;
 	user_context = selinux_get_user_context(name);
 
 	if (getfilecon(tty, &old_tty_context) < 0) {
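Review bot: Replacing the early `return` with an `if (is_selinux_enabled() > 0) {` block around the whole body of `setup_selinux_pty` adds a level of nesting without changing behaviour, and the new lines are indented with two and four spaces while the lines they enclose keep the file's tabs, so the brace structure (the `}` at column 0 in the following hunk closes an `if`, not the function) has to be counted rather than read. The same rewrite is applied to `setup_selinux_exec_context` in the next two hunks. Keeping the removed guard `if (is_selinux_enabled() <= 0) return;` and only adding the `= NULL` initialisers would be the smaller and clearer change. `setup_selinux_pty` runs past the end of this hunk.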
@@ -66,20 +65,18 @@
 		}
 		freecon(old_tty_context);
 	}
-	if (user_context)
+    if (user_context) {
 		freecon(user_context);
 }
+  }
+}
 
 void
-setup_selinux_exec_context(const char *name)
+setup_selinux_exec_context(char *name)
 {
-	security_context_t user_context;
-
-	if (is_selinux_enabled() <= 0)
-		return;
-
-	user_context = selinux_get_user_context(name);
 
+  if (is_selinux_enabled() > 0) {
+    security_context_t user_context=selinux_get_user_context(name);
 	if (setexeccon(user_context)) {
 		if (security_getenforce() > 0)
 			fatal("Failed to set exec security context %s for %s.",
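Review bot: The definition becomes `setup_selinux_exec_context(char *name)` while the declaration in selinux.h, which this patch leaves as `const char *`, no longer matches; that is a conflicting-types error if selinux.c includes its own header, and the `const` is dropped for nothing since `name` is only passed to `selinux_get_user_context`, which takes `const char *`. Restore `setup_selinux_exec_context(const char *name)`. The function starts in this hunk and ends in the next one.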
@@ -89,23 +86,10 @@
 			    "Continuing in permissive mode",
 			    user_context, name);
 	}
-	if (user_context)
+    if (user_context) {
 		freecon(user_context);
 }
-
-#else /* WITH_SELINUX */
-
-void
-setup_selinux_pty(const char *name, const char *tty)
-{
-	(void) name;
-	(void) tty;
 }
-
-void
-setup_selinux_exec_context(const char *name)
-{
-	(void) name;
 }
 
 #endif /* WITH_SELINUX */
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.h openssh-4.3p2/selinux.h
--- ../debian-current/openssh-4.3p2/selinux.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.h	2006-10-20 15:41:29.000000000 -0500
@@ -1,7 +1,15 @@
 #ifndef SELINUX_H
 #define SELINUX_H
 
+#  ifdef WITH_SELINUX
+
 extern void setup_selinux_pty(const char *, const char *);
 extern void setup_selinux_exec_context(const char *);
 
+#  else
+
+static inline void setup_selinux_pty(const char *name, const char *tty) {}
+static inline void setup_selinux_exec_context(const char *name) {} 
+
+#endif /* WITH_SELINUX */
 #endif /* SELINUX_H */
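Review bot: The new inline stubs leave `name` and `tty` unused, which the `(void) name;` / `(void) tty;` statements removed from selinux.c in this patch had been there to silence; with warnings enabled every file including this header now gets unused-parameter diagnostics. Writing them as `static inline void setup_selinux_pty(const char *name, const char *tty) { (void)name; (void)tty; }` and `static inline void setup_selinux_exec_context(const char *name) { (void)name; }` keeps the stubs quiet. `static inline` is a C99 construct, so if the portable build still has to satisfy C89 compilers the out-of-line stubs were the safer choice, and the `#endif /* WITH_SELINUX */` shown at the end of the previous hunk suggests selinux.c becomes an empty translation unit in non-SELinux builds, which some compilers flag under -pedantic. The `#  ifdef WITH_SELINUX` / `#  else` indentation also does not match the `#endif` that closes it.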

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-mh1-skas3-v9-pre9-fremap
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)

Versions of packages openssh-server depends on:
ii  adduser  3.99                            Add and remove users and groups
ii  debconf  1.5.6                           Debian configuration management sy
ii  dpkg     1.13.24                         package maintenance system for Deb
ii  libc6    2.3.6.ds1-6                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.10.02+dfsg-1 common error description library
ii  libkrb53 1.4.4-3                         MIT Kerberos runtime libraries
ii  libpam-m 0.79-3.2                        Pluggable Authentication Modules f
ii  libpam-r 0.79-3.2                        Runtime support for the PAM librar
ii  libpam0g 0.79-3.2                        Pluggable Authentication Modules l
ii  libselin 1.32-2                          SELinux shared libraries
ii  libssl0. 0.9.8c-3                        SSL shared libraries
ii  libwrap0 7.6.dbs-11                      Wietse Venema's TCP wrappers libra
ii  openssh- 1:4.3p2-5                       Secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3-13                      compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
* ssh/forward_warning:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
* ssh/protocol2_only: false

-- 
Once, I read that a man be never stronger than when he truly realizes
how weak he is.  -- Jim Starlin, "Captain Marvel #31"
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:4.3p2-6

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.3p2-6_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.3p2-6_powerpc.udeb
openssh-client_4.3p2-6_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.3p2-6_powerpc.deb
openssh-server-udeb_4.3p2-6_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.3p2-6_powerpc.udeb
openssh-server_4.3p2-6_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.3p2-6_powerpc.deb
openssh_4.3p2-6.diff.gz
  to pool/main/o/openssh/openssh_4.3p2-6.diff.gz
openssh_4.3p2-6.dsc
  to pool/main/o/openssh/openssh_4.3p2-6.dsc
ssh-askpass-gnome_4.3p2-6_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.3p2-6_powerpc.deb
ssh_4.3p2-6_all.deb
  to pool/main/o/openssh/ssh_4.3p2-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 394795@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 15 Nov 2006 00:07:32 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.3p2-6
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 394795 395473 395947
Changes: 
 openssh (1:4.3p2-6) unstable; urgency=low
 .
   * Acknowledge NMU (thanks, Manoj; closes: #394795).
   * Backport from 4.5p1:
     - Fix a bug in the sshd privilege separation monitor that weakened its
       verification of successful authentication. This bug is not known to be
       exploitable in the absence of additional vulnerabilities.
   * openssh-server Suggests: molly-guard (closes: #395473).
   * debconf template translations:
     - Update German (thanks, Helge Kreutzmann; closes: #395947).
Files: 
 74ee752b2bc14b256069c5aae36d046a 990 net standard openssh_4.3p2-6.dsc
 db6254c8aa9cc029c30d7b4037f84d82 255764 net standard openssh_4.3p2-6.diff.gz
 6c2c380ac331bc467640bc3eda135d18 1048 net extra ssh_4.3p2-6_all.deb
 9c6e029c33d86dc2f59c319ca5f63769 642874 net standard openssh-client_4.3p2-6_powerpc.deb
 a8de5d891d677fc8a3137d01a4352537 230714 net optional openssh-server_4.3p2-6_powerpc.deb
 b0656bb2d949b5d81e4e0876837a53ae 99636 gnome optional ssh-askpass-gnome_4.3p2-6_powerpc.deb
 360eea90f1178b4845bd257462a932ef 166758 debian-installer optional openssh-client-udeb_4.3p2-6_powerpc.udeb
 712ebcd1011cf5a74c6e7eb9eba6f234 169890 debian-installer optional openssh-server-udeb_4.3p2-6_powerpc.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFWmaZ9t0zAhD6TNERAq5+AJ4rERTrN5eC9a3fODfPjEMlJ8pgpACfQFqq
k0qbEvZNglqZ+iIzQKEn0Kw=
=WARm
-----END PGP SIGNATURE-----


--- End Message ---
