Date:      Fri, 12 Apr 2013 19:30:00 GMT
From:      Kevin Barry <ta0kira@gmail.com>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/177698: [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
Message-ID:  <201304121930.r3CJU0QF058632@freefall.freebsd.org>

The following reply was made to PR kern/177698; it has been noted by GNATS.

From: Kevin Barry <ta0kira@gmail.com>
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Cc:  
Subject: Re: kern/177698: [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
Date: Fri, 12 Apr 2013 15:20:10 -0400

Here's a new patch for login_class.c. As far as I can tell there is no
reason to require that a passwd entry be specified in order to set the MAC
label; therefore, I removed that requirement. Additionally, the current
implementation silently fails to set the MAC label when the pwd argument is
NULL, and silent failure when it comes to security isn't a good thing.
While not directly related to the original problem, it's related to the
underlying issue, which is that the handling of MAC labels in
setusercontext has several bugs in need of fixing.
[Attachment: login_class.c.txt (text/plain, base64-encoded patch)]
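The ordering problem this PR describes, as an added constructed model that is not FreeBSD's libutil code: it assumes, as the patch's placement implies, that login-class setup is denied once the process's Biba integrity grade has been lowered and that mac_set_proc() must run while still root. The flag names follow login_cap.h, but their numeric values and the setusercontext_original/setusercontext_patched functions are placeholders for the two orderings.

```c
#include <stdbool.h>
#include <stddef.h>

/* Flag names follow login_cap.h; the numeric values are placeholders. */
#define LOGIN_SETMAC   0x02
#define LOGIN_SETUSER  0x04

enum biba { BIBA_LOW = 0, BIBA_HIGH = 1 };

struct proc {            /* the simulated calling process */
    unsigned uid;        /* 0 until the final setuid step */
    enum biba grade;     /* current integrity label */
    bool class_set;      /* login-class setup completed */
    bool label_set;      /* MAC label applied */
    int errors;          /* failures that would reach syslog */
};

/* Privileged login-class setup: denied once the label has been lowered. */
static bool sim_setlogincontext(struct proc *p) {
    if (p->grade != BIBA_HIGH) return false;
    p->class_set = true;
    return true;
}

/* mac_set_proc() needs root; it lowers the process grade to the label. */
static bool sim_mac_set_proc(struct proc *p, enum biba label) {
    if (p->uid != 0) return false;
    p->grade = label;
    p->label_set = true;
    return true;
}

/* Original order: MAC label before the login class. A NULL passwd entry
 * silently clears LOGIN_SETMAC, so no label is applied and nothing is logged. */
int setusercontext_original(struct proc *p, const char *pwname, unsigned uid, int flags) {
    *p = (struct proc){ .uid = 0, .grade = BIBA_HIGH };
    if (pwname == NULL) flags &= ~LOGIN_SETMAC;
    if ((flags & LOGIN_SETMAC) && !sim_mac_set_proc(p, BIBA_LOW)) { p->errors++; return -1; }
    if (!sim_setlogincontext(p)) { p->errors++; return -1; }
    if (flags & LOGIN_SETUSER) p->uid = uid;
    return 0;
}

/* Patched order: login class first, label last while still root, then setuid.
 * LOGIN_SETMAC is honoured without a passwd entry and failures are reported. */
int setusercontext_patched(struct proc *p, const char *pwname, unsigned uid, int flags) {
    *p = (struct proc){ .uid = 0, .grade = BIBA_HIGH };
    if (!sim_setlogincontext(p)) { p->errors++; return -1; }
    if ((flags & LOGIN_SETMAC) && !sim_mac_set_proc(p, BIBA_LOW)) { p->errors++; return -1; }
    if (flags & LOGIN_SETUSER) p->uid = uid;
    return 0;
}
```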
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201304121930.r3CJU0QF058632>