the intermediate context is set to sshd_sftpd_t

do not crash in packet.c if no connection
2011-04-05 20:54:12 +02:00 · 2011-04-05 20:54:12 +02:00 · 8bc65c49b7
commit 8bc65c49b7
parent 7317c8f1cf
3 changed files with 31 additions and 22 deletions
--- a/openssh-5.8p1-packet.patch
+++ b/openssh-5.8p1-packet.patch
@ -0,0 +1,12 @@
+diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c
+--- openssh-5.8p1/packet.c.packet	2011-04-05 13:29:06.998648899 +0200
+++ openssh-5.8p1/packet.c	2011-04-05 13:30:32.967648596 +0200
+@@ -294,6 +294,8 @@ packet_connection_is_on_socket(void)
+ 	struct sockaddr_storage from, to;
+ 	socklen_t fromlen, tolen;
+ 
+	if (!active_state)
+		return 0;
+ 	/* filedescriptors in and out are the same, so it's a socket */
+ 	if (active_state->connection_in == active_state->connection_out)
+ 		return 1;
--- a/openssh-5.8p1-sftpcontext.patch
+++ b/openssh-5.8p1-sftpcontext.patch
@ -1,24 +1,14 @@
 diff -up openssh-5.8p1/session.c.sftpcontext openssh-5.8p1/session.c
--- openssh-5.8p1/session.c.sftpcontext	2011-04-01 11:22:26.988648474 +0200
-+++ openssh-5.8p1/session.c	2011-04-01 11:31:49.127665411 +0200
-@@ -831,6 +831,10 @@ do_exec(Session *s, const char *command)
- 	if (s->command != NULL)
- 		s->command_handle = PRIVSEP(audit_run_command(s->command));
- #endif
-+#ifdef WITH_SELINUX
-+debug(">>> %d:%d %s ~ %d", getuid(), geteuid(), s->command, IS_INTERNAL_SFTP(s->command));
-+//	ssh_selinux_change_context("sftpd_t");
-+#endif
- 	if (s->ttyfd != -1)
- 		ret = do_exec_pty(s, command);
- 	else
-@@ -1780,9 +1784,6 @@ do_child(Session *s, const char *command
- 		argv[i] = NULL;
- 		optind = optreset = 1;
- 		__progname = argv[0];
-#ifdef WITH_SELINUX
-		ssh_selinux_change_context("sftpd_t");
-#endif
- 		exit(sftp_server_main(i, argv, s->pw));
- 	}
+--- openssh-5.8p1/session.c.sftpcontext	2011-04-05 19:46:53.674654050 +0200
+++ openssh-5.8p1/session.c	2011-04-05 19:48:32.942658237 +0200
+@@ -1520,6 +1520,10 @@ do_setusercontext(struct passwd *pw)
+ 			free(chroot_path);
+ 		}
 
+#ifdef WITH_SELINUX
+		ssh_selinux_change_context("sshd_sftpd_t");
+#endif
+
+ #ifdef HAVE_LOGIN_CAP
+ 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
+ 			perror("unable to set user context (setuser)");
--- a/openssh.spec
+++ b/openssh.spec
@ -110,6 +110,8 @@ Patch3: openssh-5.8p1-audit3.patch
 Patch4: openssh-5.8p1-audit4.patch
 Patch5: openssh-5.8p1-audit5.patch
 #?
+Patch6: openssh-5.8p1-packet.patch
+#?
 Patch7: openssh-5.8p1-entropy.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
 Patch9: openssh-5.8p1-vendor.patch
@ -325,6 +327,7 @@ The module is most useful for su and sudo service stacks.
 %patch3 -p1 -b .audit3
 %patch4 -p1 -b .audit4
 %patch5 -p1 -b .audit5
+%patch6 -p1 -b .packet
 %patch7 -p1 -b .entropy
 %patch9 -p1 -b .vendor
 %if %{pam_ssh_agent}
@ -658,6 +661,10 @@ fi
 %endif

 %changelog
+* Tue Apr  5 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-24 + 0.9.2-30
+- the intermediate context is set to sshd_sftpd_t
+- do not crash in packet.c if no connection
+
 * Thu Mar 31 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-24 + 0.9.2-30
 - resolve warnings in port_linux.c