From owner-freebsd-bugs@FreeBSD.ORG Fri Apr 12 19:30:01 2013
Date: Fri, 12 Apr 2013 19:30:00 GMT
Message-Id: <201304121930.r3CJU0QF058632@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Kevin Barry
Subject: Re: kern/177698: [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.

The following reply was made to PR kern/177698; it has been noted by GNATS.

From: Kevin Barry
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Subject: Re: kern/177698: [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
Date: Fri, 12 Apr 2013 15:20:10 -0400

Here's a new patch for login_class.c. As far as I can tell there is no reason to require that a passwd entry be specified in order to set the MAC label; therefore, I removed that requirement.

Additionally, the current implementation silently fails to set the MAC label when the pwd argument is NULL, and silent failure when it comes to security isn't a good thing. While not directly related to the original problem, it's related to the underlying issue, which is that the handling of MAC labels in setusercontext has several bugs in need of fixing.
Attachment: login_class.c.txt

--- /usr/src/lib/libutil/login_class.c.orig	2012-12-03 16:36:36.000000000 -0500
+++ /usr/src/lib/libutil/login_class.c	2013-04-12 15:09:48.000000000 -0400
@@ -440,7 +440,7 @@
 
     /* we need a passwd entry to set these */
     if (pwd == NULL)
-	flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN | LOGIN_SETMAC);
+	flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN);
 
     /* Set the process priority */
     if (flags & LOGIN_SETPRIORITY) {
@@ -485,31 +485,6 @@
 	}
     }
 
-    /* Set up the user's MAC label. */
-    if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
-	const char *label_string;
-	mac_t label;
-
-	label_string = login_getcapstr(lc, "label", NULL, NULL);
-	if (label_string != NULL) {
-	    if (mac_from_text(&label, label_string) == -1) {
-		syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
-		    pwd->pw_name, label_string);
-		return (-1);
-	    }
-	    if (mac_set_proc(label) == -1)
-		error = errno;
-	    else
-		error = 0;
-	    mac_free(label);
-	    if (error != 0) {
-		syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
-		    label_string, pwd->pw_name, strerror(error));
-		return (-1);
-	    }
-	}
-    }
-
     /* Set the sessions login */
     if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
 	syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
@@ -542,6 +517,31 @@
     mymask = setlogincontext(lc, pwd, mymask, flags);
     login_close(llc);
 
+    /* Set up the user's MAC label. */
+    if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
+	const char *label_string;
+	mac_t label;
+
+	label_string = login_getcapstr(lc, "label", NULL, NULL);
+	if (label_string != NULL) {
+	    if (mac_from_text(&label, label_string) == -1) {
+		syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
+		    pwd? pwd->pw_name : "root", label_string);
+		return (-1);
+	    }
+	    if (mac_set_proc(label) == -1)
+		error = errno;
+	    else
+		error = 0;
+	    mac_free(label);
+	    if (error != 0) {
+		syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
+		    label_string, pwd? pwd->pw_name : "root", strerror(error));
+		return (-1);
+	    }
+	}
+    }
+
     /* This needs to be done after anything that needs root privs */
     if ((flags & LOGIN_SETUSER) && setuid(uid) != 0) {
 	syslog(LOG_ERR, "setuid(%lu): %m", (u_long)uid);
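Review bot: in the first hunk (@@ -440,7 +440,7 @@), dropping LOGIN_SETMAC from the mask stops a NULL pwd from disabling the label step, but the label is still looked up through lc (the third hunk's login_getcapstr(lc, "label", NULL, NULL)) and nothing in this patch supplies a class when pwd is NULL, so a caller that passes NULL for both lc and pwd still gets no label and no log line, which is the same silent failure the cover note says it is removing. Either syslog when LOGIN_SETMAC was requested and no class is available, or state in setusercontext(3) that LOGIN_SETMAC with a NULL pwd requires a non-NULL lc. The comment "we need a passwd entry to set these" still describes the two flags that remain in the mask and can stay as it is.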
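Review bot: in the third hunk (@@ -542,6 +517,31 @@) the relocated label lookup login_getcapstr(lc, "label", NULL, NULL) now runs after the login_close(llc); context line. In setusercontext, llc is the class handle the function allocated for itself when the caller passed lc == NULL, and in that case lc and llc are the same pointer, so the new block reads a login_cap_t that has just been freed. Insert the block after setlogincontext() but before login_close(llc), or move the login_close call below the new block. Two smaller points in the same hunk: the fallback in pwd? pwd->pw_name : "root" reports every NULL-pwd caller as root in both syslog lines even though uid is in scope (see the setuid(uid) context line) and would be the accurate thing to log; and the first syslog passes pwd->pw_name before label_string while its format reads "mac_from_text('%s') for %s: %m", so it prints the user name as the label and the label as the user, the reverse of the mac_set_proc message below it. Since the block is being moved anyway, swap those two arguments so both messages read the same way.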