From owner-freebsd-bugs@FreeBSD.ORG Thu Aug 21 23:08:43 2014 Return-Path: Delivered-To: freebsd-bugs@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0487AB4 for ; Thu, 21 Aug 2014 23:08:43 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DF1F83350 for ; Thu, 21 Aug 2014 23:08:42 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id s7LN8gt7014693 for ; Thu, 21 Aug 2014 23:08:42 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 177698] [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used. Date: Thu, 21 Aug 2014 23:08:43 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 9.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: ta0kira@gmail.com X-Bugzilla-Status: In Discussion X-Bugzilla-Priority: Normal X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2014 23:08:43 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=177698 --- Comment #2 from ta0kira@gmail.com --- (The following comment did not carry over when the bug report was migrated to the new system.) From: Kevin Barry [submitter] To: bug-followup@FreeBSD.org, ta0kira@gmail.com Date: Fri, 12 Apr 2013 15:20:10 -0400 Here's a new patch for login_class.c. As far as I can tell there is no reason to require that a passwd entry be specified in order to set the MAC label; therefore, I removed that requirement. Additionally, the current implementation silently fails to set the MAC label when the pwd argument is NULL, and silent failure when it comes to security isn't a good thing. While not directly related to the original problem, it's related to the underlying issue, which is that the handling of MAC labels in setusercontext has several bugs in need of fixing. -- You are receiving this mail because: You are the assignee for the bug.