Bugzilla – Attachment 2857 Details for
Bug 2600
Use Linux capabilities to revoke additional permissions from chrooted users
[patch]
Configure integration of libcap-ng and its usage related to chroot
openssh-libcap-ng.patch (text/plain), 3.68 KB, created by
Jakub Jelen
on 2016-07-21 00:16:32 AEST
Description:
Configure integration of libcap-ng and its usage related to chroot
Creator:
Jakub Jelen
Created:
2016-07-21 00:16:32 AEST
Size:
3.68 KB
>From 6487f2d1a6348d1654172bb1f3f8975b20922198 Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Wed, 20 Jul 2016 15:58:12 +0200
>Subject: [PATCH] Add possibility to use libcap-ng to drop permissions earlier
>
>---
> configure.ac | 31 +++++++++++++++++++++++++++++++
> session.c | 26 +++++++++++++++++++++++---
> 2 files changed, 54 insertions(+), 3 deletions(-)
>
>diff --git a/configure.ac b/configure.ac
>index 21ef389..a03f8a1 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -4845,6 +4845,37 @@ if test -n "$conf_lastlog_location"; then
> [Define if you want to specify the path to your lastlog file])
> fi
>
>+AC_ARG_WITH(libcap-ng,
>+ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],,
>+ with_libcap_ng=auto)
>+
>+dnl libcap-ng detection
>+if test x$with_libcap_ng = xno ; then
>+ have_libcap_ng=no;
>+else
>+ # Start by checking for header file
>+ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
>+
>+ # See if we have libcap-ng library
>+ AC_CHECK_LIB(cap-ng, capng_clear, CAPNG_LDADD=-lcap-ng,)
>+
>+ # Check results are usable
>+ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
>+ AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
>+ fi
>+ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
>+ AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
>+ fi
>+fi
>+AC_MSG_CHECKING(whether to use libcap-ng)
>+if test x$CAPNG_LDADD != x ; then
>+ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
>+ SSHDLIBS="$SSHDLIBS -lcap-ng"
>+ AC_MSG_RESULT(yes)
>+else
>+ AC_MSG_RESULT(no)
>+fi
>+
> dnl utmp detection
> AC_MSG_CHECKING([if your system defines UTMP_FILE])
> AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
>diff --git a/session.c b/session.c
>index 2235f26..107be06 100644
>--- a/session.c
>+++ b/session.c
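Review bot: In the configure.ac hunk, the default `--with-libcap-ng=auto` mode aborts configure when the library links but `cap-ng.h` is missing, because the second `AC_MSG_ERROR` is not limited to `with_libcap_ng = xyes`; auto-detection would normally just leave `HAVE_LIBCAP_NG` undefined in that case. `AC_CHECK_LIB` probes only `capng_clear`, while session.c also calls `capng_update`, `capng_change_id` and `capng_apply`, so probing `capng_change_id` would match what the code needs. The `test` operands are unquoted and `have_libcap_ng` is assigned but never read; `test "x$with_libcap_ng" = xyes` is the safer form. A short `dnl` comment stating that the feature only takes effect for chrooted sessions would help whoever reads the configure summary.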
>@@ -96,6 +96,10 @@
> #include "monitor_wrap.h"
> #include "sftp.h"
>
>+#ifdef HAVE_LIBCAP_NG
>+#include <cap-ng.h>
>+#endif
>+
> #if defined(KRB5) && defined(USE_AFS)
> #include <kafs.h>
> #endif
>@@ -1520,6 +1524,7 @@ void
> do_setusercontext(struct passwd *pw)
> {
> char *chroot_path, *tmp;
>+ int dropped_suid = -1;
>
> platform_setusercontext(pw);
>
>@@ -1549,11 +1554,25 @@ do_setusercontext(struct passwd *pw)
>
> if (!in_chroot && options.chroot_directory != NULL &&
> strcasecmp(options.chroot_directory, "none") != 0) {
>- tmp = tilde_expand_filename(options.chroot_directory,
>+ tmp = tilde_expand_filename(options.chroot_directory,
> pw->pw_uid);
> chroot_path = percent_expand(tmp, "h", pw->pw_dir,
> "u", pw->pw_name, (char *)NULL);
>+#ifdef HAVE_LIBCAP_NG
>+ /* drop suid soon, retain SYS_CHROOT capability */
>+ capng_clear(CAPNG_SELECT_BOTH);
>+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
>+ if (dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING))
>+ logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
>+#endif
> safely_chroot(chroot_path, pw->pw_uid);
>+#ifdef HAVE_LIBCAP_NG
>+ /* Drop chroot capability. Already used */
>+ if (dropped_suid == 0) {
>+ capng_clear(CAPNG_SELECT_BOTH);
>+ capng_apply(CAPNG_SELECT_BOTH);
>+ }
>+#endif
> free(tmp);
> free(chroot_path);
> /* Make sure we don't attempt to chroot again */
>@@ -1585,8 +1604,9 @@ do_setusercontext(struct passwd *pw)
> if (!in_chroot && set_id(pw->pw_name) != 0)
> fatal("set_id(%s) Failed", pw->pw_name);
> # endif /* USE_LIBIAF */
>- /* Permanently switch to the desired uid. */
>- permanently_set_uid(pw);
>+ /* Permanently switch to the desired uid if not yet done. */
>+ if (dropped_suid != 0)
>+ permanently_set_uid(pw);
> #endif
> } else if (options.chroot_directory != NULL &&
> strcasecmp(options.chroot_directory, "none") != 0) {
>--
>2.5.5
>
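Review bot: The capability handling added around `safely_chroot()` in the `@@ -1549` hunk ignores or only logs libcap-ng failures: the return values of `capng_update()` and the final `capng_apply()` are unchecked, and a nonzero `capng_change_id()` falls through to the chroot. If that last `capng_apply()` fails, the session continues under the user's uid while still holding CAP_SYS_CHROOT, and as far as the libcap-ng documentation describes its return codes, `capng_change_id()` can report an error after the gid has already been switched, so the "drop UID later" fallback may start from a partly changed state; calling `fatal()` in each case, as sketched below, is the safer behaviour. `CAPNG_DROP_SUPP_GRP` clears the supplementary groups, which probably discards the group list set up earlier in do_setusercontext (outside this hunk), whereas the `permanently_set_uid()` path keeps it, so that difference should be confirmed as intended. The assignment inside the `if` condition is better split from the test, and do_setusercontext starts and ends outside the hunk.

```c
		/* … unchanged: #ifdef HAVE_LIBCAP_NG, capng_clear(CAPNG_SELECT_BOTH) … */
		if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
		    CAP_SYS_CHROOT) != 0)
			fatal("capng_update(CAP_SYS_CHROOT) failed");
		dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid,
		    CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING);
		if (dropped_suid != 0)
			fatal("capng_change_id() = %d (failure)", dropped_suid);
		/* … unchanged: #endif, safely_chroot(chroot_path, pw->pw_uid), #ifdef HAVE_LIBCAP_NG … */
		/* Drop chroot capability; refuse to continue if it is still held */
		capng_clear(CAPNG_SELECT_BOTH);
		if (capng_apply(CAPNG_SELECT_BOTH) != 0)
			fatal("capng_apply() failed after chroot");
		/* … unchanged: #endif, free(tmp), free(chroot_path) … */
```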
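Review bot: In the `@@ -1585` hunk, skipping `permanently_set_uid(pw)` when `dropped_suid == 0` also skips whatever post-switch verification that function performs; in OpenSSH it normally re-checks the resulting ids and that the old ones cannot be regained, and nothing in this patch runs an equivalent check after `capng_change_id()`. A check on the libcap-ng path would close that gap, for example `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("%s: uid not switched", __func__);`, or the call could stay unconditional if it is safe once the ids already match. The comment could also say why the call is conditional, e.g. `/* capng_change_id() already switched ids before the chroot */`. The enclosing `#if`/`#else` block begins outside the hunk.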