bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-01 14:00 UTC
[Bug 1726] New: ChrootDirectory doesn't work with SE Linux
https://bugzilla.mindrot.org/show_bug.cgi?id=1726

           Summary: ChrootDirectory doesn't work with SE Linux
           Product: Portable OpenSSH
           Version: 5.3p1
          Platform: Other
               URL: http://bugs.debian.org/556644
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: cjwatson at debian.org

Created an attachment (id=1800)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1800)
call ssh_selinux_setup_exec_context before chrooting

This patch is from Russell Coker <russell at coker.com.au>; I know little about SE Linux myself and defer to him for domain knowledge. He says:

"The following patch allows the chroot functionality for sftp (and probably regular logins) work with SE Linux. After chroot() is called the SE Linux context setting won't work unless /selinux and /proc are mounted in the chroot environment. Even worse, if the user has control over the chroot environment then they may be able to control the context that they get (I haven't verified this)."

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-26 00:03 UTC
[Bug 1726] ChrootDirectory doesn't work with SE Linux
https://bugzilla.mindrot.org/show_bug.cgi?id=1726

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1800|                            |ok+
               Flag|                            |
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-26 00:03 UTC
[Bug 1726] ChrootDirectory doesn't work with SE Linux
https://bugzilla.mindrot.org/show_bug.cgi?id=1726

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |1743
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-26 00:05 UTC
[Bug 1726] ChrootDirectory doesn't work with SE Linux
https://bugzilla.mindrot.org/show_bug.cgi?id=1726

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Damien Miller <djm at mindrot.org> 2010-03-26 11:05:05 EST ---
Patch applied and will be in OpenSSH-5.5. FYI there is no risk of privilege escalation because we ensure that the ChrootDirectory is root-owned and not writable by the user.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-16 05:50 UTC
[Bug 1726] ChrootDirectory doesn't work with SE Linux
https://bugzilla.mindrot.org/show_bug.cgi?id=1726

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2010-04-16 15:50:20 EST ---
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1