openssh bugs - Mar 2010 - [Bug 1726] New: ChrootDirectory doesn't work with SE Linux

https://bugzilla.mindrot.org/show_bug.cgi?id=1726

           Summary: ChrootDirectory doesn't work with SE Linux
           Product: Portable OpenSSH
           Version: 5.3p1
          Platform: Other
               URL: http://bugs.debian.org/556644
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: cjwatson at debian.org


Created an attachment (id=1800)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1800)
call ssh_selinux_setup_exec_context before chrooting

This patch is from Russell Coker <russell at coker.com.au>; I know little
about SE Linux myself and defer to him for domain knowledge.  He says:

"The following patch allows the chroot functionality for sftp (and
probably regular logins) work with SE Linux.  After chroot() is called
the SE Linux context setting won't work unless /selinux and /proc are
mounted in the chroot environment.  Even worse, if the user has control
over the chroot environment then they may be able to control the
context that they get (I haven't verified this)."

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1726

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1800|                            |ok+
               Flag|                            |

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1726

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |1743

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1726

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Damien Miller <djm at mindrot.org> 2010-03-26 11:05:05
EST ---
Patch applied and will be in OpenSSH-5.5. FYI there is no risk of
privilege escalation because we ensure that the ChrootDirectory is
root-owned and not writable by the user.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1726

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2010-04-16 15:50:20
EST ---
Mass move of bugs RESOLVED->CLOSED following the release of
openssh-5.5p1

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.