Alexandre Rossi
2008-Mar-21  16:16 UTC
ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)
Hi,

(please CC me as I'm not subscribed to the list)

If compiled with SELinux support, OpenSSH 4.8 current cvs fails for accounts where the new ChrootDirectory option is active:

debug1: PAM: establishing credentials
debug3: PAM: opening session
debug2: User child is on pid 1695
debug3: mm_request_receive entering
debug1: PAM: establishing credentials
debug3: safely_chroot: checking '/'
debug3: safely_chroot: checking '/home/'
debug3: safely_chroot: checking '/home/user'
Changed root directory to "/home/user"
debug1: permanently_set_uid: 1002/1005
debug1: SELinux support enabled
debug3: ssh_selinux_setup_exec_context: setting execution context
ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session
debug3: PAM: sshpam_thread_cleanup entering

I do not use SELinux nor know how it works, but my guess would be that the ssh_selinux_setup_exec_context() call at line 1442 of ./session.c fails because it expects to find some /dev or /proc SELinux interface. But the call to chroot() is before that, so the call fails.

As most distros ship openssh with SELinux support compiled in, this makes ChrootDirectory unusable without a recompile or special SELinux setup in the chroot even if one does not use it.

I have no clue on a fix because it does not seem possible to chroot AFTER executing the SELinux context.

Cheers,
Alexandre
Darren Tucker
2008-Mar-22  01:38 UTC
ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)
On Fri, Mar 21, 2008 at 05:16:56PM +0100, Alexandre Rossi wrote:
> If compiled with SELinux support, OpenSSH 4.8 current cvs fails for
> accounts where the new ChrootDirectory option is active :
[...]
> I do not use SELinux nor know how it works but my guess would be that
> the ssh_selinux_setup_exec_context() call at line 1442 of ./session.c
> fails because it expects to find some /dev or /proc SELinux interface.
> But the call to chroot() is before that, so the call fails.
>
> As most distros ship openssh with SELinux support compiled in, this
> makes ChrootDirectory unusable without a recompile or special SELinux
> setup in the chroot even if one does not use it.
>
> I have no clue on a fix because it does not seem possible to chroot
> AFTER executing the SELinux context.

This should at least allow it to work when selinux support is compiled in but selinux is disabled. I have no idea if it's possible to make it work with selinux enabled.

Index: session.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh/session.c,v retrieving revision 1.364 diff -u -p -r1.364 session.c --- session.c 15 Mar 2008 06:27:58 -0000 1.364 +++ session.c 22 Mar 2008 01:23:48 -0000 @@ -1350,6 +1350,10 @@ do_setusercontext(struct passwd *pw) #endif /* HAVE_CYGWIN */ { +#ifdef WITH_SELINUX + /* Cache selinux status for later use */ + (void)ssh_selinux_enabled(); +#endif #ifdef HAVE_SETPCRED if (setpcred(pw->pw_name, (char **)NULL) == -1) fatal("Failed to set process credentials"); Index: openbsd-compat/port-linux.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh/openbsd-compat/port-linux.c,v retrieving revision 1.4 diff -u -p -r1.4 port-linux.c --- openbsd-compat/port-linux.c 27 Jun 2007 22:48:03 -0000 1.4 +++ openbsd-compat/port-linux.c 22 Mar 2008 01:24:06 -0000 
@@ -36,7 +36,7 @@ #include <selinux/get_context_list.h> /* Wrapper around is_selinux_enabled() to log its return value once only */ -static int +int ssh_selinux_enabled(void) { static int enabled = -1; Index: openbsd-compat/port-linux.h ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh/openbsd-compat/port-linux.h,v retrieving revision 1.1 diff -u -p -r1.1 port-linux.h --- openbsd-compat/port-linux.h 22 Apr 2006 11:26:08 -0000 1.1 +++ openbsd-compat/port-linux.h 22 Mar 2008 01:28:06 -0000 @@ -20,6 +20,7 @@ #define _PORT_LINUX_H #ifdef WITH_SELINUX +int ssh_selinux_enabled(void); void ssh_selinux_setup_pty(char *, const char *); void ssh_selinux_setup_exec_context(char *); #endif -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
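Review bot: in the session.c hunk, the comment `/* Cache selinux status for later use */` should say why the call has to sit at this point in do_setusercontext(), namely ahead of the chroot step that the thread is about: the whole purpose of the hunk is that is_selinux_enabled() gets evaluated while /proc and the selinuxfs mount are still visible, and a later reshuffle that moves `(void)ssh_selinux_enabled();` below the chroot would quietly reintroduce the `security_getenforce() failed` case from the report. A comment along the lines of "probe and cache the SELinux status now, before chroot() hides the kernel interfaces the probe needs" makes that constraint survive future edits. Discarding the return value with `(void)` is fine here, since the call exists only to populate the cache.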
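Review bot: in the port-linux.c hunk, changing `static int` to `int` gives ssh_selinux_enabled() external linkage, but the comment above it, `/* Wrapper around is_selinux_enabled() to log its return value once only */`, now describes only half of what callers depend on: with this patch the function-scoped `static int enabled = -1;` cache is the mechanism that carries the pre-chroot answer into the post-chroot code, so the comment should state that the first call's result is cached for the life of the process and that callers rely on it. Since the symbol is now exported, it is also worth confirming that nothing else in the tree defines a function of that name.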
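Review bot: in the port-linux.h hunk, the new prototype `int ssh_selinux_enabled(void);` is placed under the same `#ifdef WITH_SELINUX` guard as the call added to session.c, so a build without SELinux support neither declares nor references it, which is consistent. The only caveat is that session.c now depends on this declaration, so the three hunks have to land together; committing the session.c part on its own would break the WITH_SELINUX build with an implicit-declaration warning or error.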
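The ordering problem behind the report and the caching remedy in the patch, as an added example that is not code from the OpenSSH tree or from this thread. probe_selinuxfs() is an assumed stand-in for libselinux's is_selinux_enabled(): it only checks that a directory exists at a supposed selinuxfs mount point, so the program builds and runs without libselinux and without root (the real probe consults /proc/filesystems and the selinuxfs mount, which is what an empty ChrootDirectory hides). The paths "/" and "/nonexistent-selinuxfs-dir" are constructed stand-ins for what the probe sees on the host and inside the chroot; selinux_enabled_cached() and session_selinux_status() are hypothetical names chosen for the example.

```c
#include <stdio.h>
#include <sys/stat.h>

/*
 * Added example, not OpenSSH code. It models the ordering problem from the
 * report (SELinux probed only after chroot) next to the patch's remedy
 * (probe once before chroot, answer from a cache afterwards).
 *
 * probe_selinuxfs() is a stand-in for libselinux's is_selinux_enabled():
 * it merely checks that a directory exists at the supposed selinuxfs mount
 * point, so the example runs without libselinux and without root.
 */

struct selinux_status {
	int probed;	/* 0 until the first probe, 1 afterwards */
	int enabled;	/* valid once probed: 0 = disabled, 1 = enabled */
	int probes;	/* how many times the underlying probe actually ran */
};

/* Stand-in for is_selinux_enabled(): 1 if mountpoint is a directory. */
static int probe_selinuxfs(const char *mountpoint)
{
	struct stat st;

	return (stat(mountpoint, &st) == 0 && S_ISDIR(st.st_mode)) ? 1 : 0;
}

/*
 * Cached wrapper in the spirit of ssh_selinux_enabled(): the first call
 * probes, every later call answers from the cache regardless of what the
 * filesystem looks like by then.
 */
int selinux_enabled_cached(struct selinux_status *s, const char *mountpoint)
{
	if (!s->probed) {
		s->enabled = probe_selinuxfs(mountpoint);
		s->probed = 1;
		s->probes++;
	}
	return s->enabled;
}

/*
 * Models do_setusercontext(). host_view is the mount point as the probe
 * sees it before chroot, jail_view what the same probe sees once confined
 * to ChrootDirectory. With probe_before_chroot set, the status is cached
 * before the chroot step, as the patch does; otherwise it is probed only
 * afterwards, as the failing code path did. Returns the status the
 * session setup ends up acting on.
 */
int session_selinux_status(const char *host_view, const char *jail_view,
    int probe_before_chroot)
{
	struct selinux_status s = { 0, 0, 0 };

	if (probe_before_chroot)
		(void)selinux_enabled_cached(&s, host_view);

	/* chroot(ChrootDirectory) would happen here; only jail_view is visible after it */

	return selinux_enabled_cached(&s, jail_view);
}

int main(void)
{
	/*
	 * Constructed views: on the host no selinuxfs directory exists
	 * (SELinux not in use); inside the chroot the probe happens to see
	 * a directory and, like the "SELinux support enabled" line in the
	 * report, claims SELinux is on.
	 */
	const char *host_view = "/nonexistent-selinuxfs-dir";
	const char *jail_view = "/";

	printf("probe after chroot only     -> enabled=%d (misleading)\n",
	    session_selinux_status(host_view, jail_view, 0));
	printf("probe before chroot, cached -> enabled=%d\n",
	    session_selinux_status(host_view, jail_view, 1));
	return 0;
}
```

The second call path is the one the patch implements: whatever the probe would report from inside the chroot, the session acts on the answer obtained while the kernel interfaces were still reachable, and the probe runs exactly once.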