Date: Mon, 8 Apr 2013 04:00:00 GMT
Message-Id: <201304080400.r384007Z076011@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Kevin Barry
Subject: Re: bin/177698: [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.

The following reply was made to PR bin/177698; it has been noted by GNATS.

From: Kevin Barry
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Date: Sun, 7 Apr 2013 23:50:35 -0400

I submitted this bug report earlier, and since then I've noticed that /usr/bin/login suffers from the same problem. I've therefore made a change to libutil to make setusercontext set the MAC label right before the uid change. I've attached a separate patch that should universally fix the problem. This also makes my previous sshd patch obsolete. Incidentally, this should be reclassified as a bug in libutil.
Attachment: login_class.c.txt