2012-01-31 13:09:00 +00:00
|
|
|
diff --git a/session.c b/session.c
|
|
|
|
|
index 436ea48..49c9321 100644
|
|
|
|
|
--- a/session.c
|
|
|
|
|
+++ b/session.c
|
|
|
|
|
@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+#ifdef WITH_SELINUX
|
|
|
|
|
+ if (options.chroot_directory == NULL ||
|
|
|
|
|
+ strcasecmp(options.chroot_directory, "none") == 0) {
|
|
|
|
|
+ ssh_selinux_copy_context();
|
|
|
|
|
+ }
|
|
|
|
|
+#endif
|
|
|
|
|
+
|
|
|
|
|
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
|
|
|
|
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
|
|
|
|
}
|
2012-02-17 10:35:49 +00:00
|
|
|
@@ -1670,7 +1677,9 @@ do_child(Session *s, const char *command
|
2012-01-31 13:09:00 +00:00
|
|
|
/* When PAM is enabled we rely on it to do the nologin check */
|
|
|
|
|
if (!options.use_pam)
|
|
|
|
|
do_nologin(pw);
|
|
|
|
|
- do_setusercontext(pw);
|
|
|
|
|
+ /* We are already separated */
|
|
|
|
|
+ if (!use_privsep)
|
|
|
|
|
+ do_setusercontext(pw);
|
|
|
|
|
/*
|
|
|
|
|
* PAM session modules in do_setusercontext may have
|
|
|
|
|
* generated messages, so if this in an interactive
|
2012-02-17 10:35:49 +00:00
|
|
|
@@ -1791,8 +1800,8 @@ do_child(Session *s, const char *command
|
|
|
|
|
optind = optreset = 1;
|
|
|
|
|
__progname = argv[0];
|
|
|
|
|
#ifdef WITH_SELINUX
|
|
|
|
|
- if (options.chroot_directory == NULL ||
|
|
|
|
|
- strcasecmp(options.chroot_directory, "none") == 0) {
|
|
|
|
|
+ if (!use_privsep &&
|
|
|
|
|
+ (options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0)) {
|
|
|
|
|
ssh_selinux_copy_context();
|
|
|
|
|
}
|
|
|
|
|
#endif
|
