Bug 1726 - ChrootDirectory doesn't work with SE Linux
Summary: ChrootDirectory doesn't work with SE Linux
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 5.3p1
Hardware: Other Linux
Importance: P2 normal
Assignee: Assigned to nobody
URL: http://bugs.debian.org/556644
Keywords:
Depends on:
Blocks: V_5_5
Reported: 2010-03-02 01:00 AEDT by Colin Watson
Modified: 2010-04-16 15:50 AEST (History)

See Also:


Attachments
call ssh_selinux_setup_exec_context before chrooting (676 bytes, patch)
2010-03-02 01:00 AEDT, Colin Watson
dtucker: ok+

Description Colin Watson 2010-03-02 01:00:00 AEDT
Created attachment 1800
call ssh_selinux_setup_exec_context before chrooting

This patch is from Russell Coker <russell@coker.com.au>; I know little about SE Linux myself and defer to him for domain knowledge.  He says:

"The following patch allows the chroot functionality for sftp (and probably regular logins) to work with SE Linux.  After chroot() is called, the SE Linux context setting won't work unless /selinux and /proc are mounted in the chroot environment.  Even worse, if the user has control over the chroot environment then they may be able to control the context that they get (I haven't verified this)."
Comment 1 Damien Miller 2010-03-26 11:05:05 AEDT
Patch applied and will be in OpenSSH-5.5. FYI there is no risk of privilege escalation because we ensure that the ChrootDirectory is root-owned and not writable by the user.
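The safety property Damien relies on in comment 1 (every component of the ChrootDirectory path is root-owned and not group- or world-writable, so the login user cannot shape what the process sees after chroot(), including a fake /selinux or /proc) can be checked stand-alone. The helper below is an added example written for this page, not OpenSSH's own safely_chroot() code; the function names, the PathInfo record and the SAMPLE_FS entries are constructed for illustration, and the real-filesystem path uses os.stat so that symlinked components are judged by what chroot() would actually land in.

```python
"""Added example: re-check the ChrootDirectory ownership/permission rule
that sshd enforces before it calls chroot(). Not OpenSSH code."""
import os
import stat
from typing import Callable, Dict, List, NamedTuple


class PathInfo(NamedTuple):
    """Minimal stat record: owner uid and full st_mode (type bits + perms)."""
    uid: int
    mode: int


def path_components(path: str) -> List[str]:
    """'/srv/sftp/alice' -> ['/', '/srv', '/srv/sftp', '/srv/sftp/alice'].

    Every prefix is checked, because a writable parent lets the user
    replace a child directory and so control the whole chroot tree.
    """
    path = os.path.normpath(path)
    if not path.startswith("/"):
        raise ValueError("chroot path must be absolute")
    comps = ["/"]
    cur = ""
    for part in path.strip("/").split("/"):
        if part:
            cur = cur + "/" + part
            comps.append(cur)
    return comps


def chroot_path_problems(path: str, lookup: Callable[[str], PathInfo]) -> List[str]:
    """Return a list of reasons the path is unsafe as a chroot (empty == safe).

    Rules mirrored from the bug discussion: each component must be a
    directory, owned by root (uid 0), and neither group- nor world-writable.
    """
    problems = []
    for comp in path_components(path):
        info = lookup(comp)
        if not stat.S_ISDIR(info.mode):
            problems.append(f"{comp}: not a directory")
        if info.uid != 0:
            problems.append(f"{comp}: not owned by root (uid {info.uid})")
        if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(
                f"{comp}: group- or world-writable (mode {stat.S_IMODE(info.mode):04o})"
            )
    return problems


def _real_lookup(p: str) -> PathInfo:
    # os.stat follows symlinks, matching what chroot() will resolve to.
    st = os.stat(p)
    return PathInfo(st.st_uid, st.st_mode)


def is_safe_chroot(path: str, lookup: Callable[[str], PathInfo] = _real_lookup) -> bool:
    """True when no component violates the root-owned / not-writable rule."""
    return not chroot_path_problems(path, lookup)


# Constructed sample filesystem (assumption, not from the bug report) so the
# check can run offline without root-owned directories on the host.
SAMPLE_FS: Dict[str, PathInfo] = {
    "/": PathInfo(0, stat.S_IFDIR | 0o755),
    "/srv": PathInfo(0, stat.S_IFDIR | 0o755),
    "/srv/sftp": PathInfo(0, stat.S_IFDIR | 0o755),
    "/srv/sftp/alice": PathInfo(0, stat.S_IFDIR | 0o755),    # acceptable
    "/srv/sftp/bob": PathInfo(1001, stat.S_IFDIR | 0o755),   # owned by the user
    "/srv/sftp/carol": PathInfo(0, stat.S_IFDIR | 0o777),    # world-writable
}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        p = f"/srv/sftp/{user}"
        print(p, "OK" if is_safe_chroot(p, SAMPLE_FS.__getitem__)
              else chroot_path_problems(p, SAMPLE_FS.__getitem__))
```

Run against a live host as `is_safe_chroot("/srv/sftp/alice")` (default lookup) to audit an existing ChrootDirectory; sshd performs the same style of check itself and refuses the login when it fails, which is why the ordering fix in the attached patch (set the SE Linux exec context, then chroot) does not hand the user control over the resulting context.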
Comment 2 Damien Miller 2010-04-16 15:50:20 AEST
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1