bin/177698: [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.

Mon Apr 8 04:00:01 UTC 2013

The following reply was made to PR bin/177698; it has been noted by GNATS.

From: Kevin Barry <ta0kira at gmail.com>
To: bug-followup at FreeBSD.org, ta0kira at gmail.com
Cc:  
Subject: Re: bin/177698: [patch] sshd sets the user's MAC label at the same
 time it attempts to set the login class, which can cause the latter to fail
 if mac_biba is used.
Date: Sun, 7 Apr 2013 23:50:35 -0400

 --001a11c34ab6d5d15504d9d15662
 Content-Type: multipart/alternative; boundary=001a11c34ab6d5d15204d9d15660

 --001a11c34ab6d5d15204d9d15660
 Content-Type: text/plain; charset=ISO-8859-1

 I submitted this bug report earlier, and since then I've noticed that
 /usr/bin/login suffers from the same problem. I've therefore made a change
 to libutil to make setusercontext set the MAC label right before the uid
 change. I've attached a separate patch that should universally fix the
 problem. This also makes my previous sshd patch obsolete. Incidentally,
 this should be reclassified as a bug in libutil.

 --001a11c34ab6d5d15204d9d15660
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable

 <div dir=3D"ltr">I submitted this bug report earlier, and since then I'=
 ve noticed that /usr/bin/login suffers from the same problem. I've ther=
 efore made a change to libutil to make setusercontext set the MAC label rig=
 ht before the uid change. I've attached a separate patch that should un=
 iversally fix the problem. This also makes my previous sshd patch obsolete.=
  Incidentally, this should be reclassified as a bug in libutil.<br>
 </div>

 --001a11c34ab6d5d15204d9d15660--
 --001a11c34ab6d5d15504d9d15662
 Content-Type: text/plain; charset=US-ASCII; name="login_class.c.txt"
 Content-Disposition: attachment; filename="login_class.c.txt"
 Content-Transfer-Encoding: base64
 X-Attachment-Id: f_hf93pf171

 KioqIC91c3Ivc3JjL2xpYi9saWJ1dGlsL2xvZ2luX2NsYXNzLmMub3JpZwlNb24gRGVjICAzIDE2
 OjM2OjM2IDIwMTIKLS0tIC91c3Ivc3JjL2xpYi9saWJ1dGlsL2xvZ2luX2NsYXNzLmMJU3VuIEFw
 ciAgNyAyMzo0MzoxNyAyMDEzCioqKioqKioqKioqKioqKgoqKiogNDg1LDUxNSAqKioqCiAgCX0K
 ICAgICAgfQogIAotICAgICAvKiBTZXQgdXAgdGhlIHVzZXIncyBNQUMgbGFiZWwuICovCi0gICAg
 IGlmICgoZmxhZ3MgJiBMT0dJTl9TRVRNQUMpICYmIG1hY19pc19wcmVzZW50KE5VTEwpID09IDEp
 IHsKLSAJY29uc3QgY2hhciAqbGFiZWxfc3RyaW5nOwotIAltYWNfdCBsYWJlbDsKLSAKLSAJbGFi
 ZWxfc3RyaW5nID0gbG9naW5fZ2V0Y2Fwc3RyKGxjLCAibGFiZWwiLCBOVUxMLCBOVUxMKTsKLSAJ
 aWYgKGxhYmVsX3N0cmluZyAhPSBOVUxMKSB7Ci0gCSAgICBpZiAobWFjX2Zyb21fdGV4dCgmbGFi
 ZWwsIGxhYmVsX3N0cmluZykgPT0gLTEpIHsKLSAJCXN5c2xvZyhMT0dfRVJSLCAibWFjX2Zyb21f
 dGV4dCgnJXMnKSBmb3IgJXM6ICVtIiwKLSAJCSAgICBwd2QtPnB3X25hbWUsIGxhYmVsX3N0cmlu
 Zyk7Ci0gCQlyZXR1cm4gKC0xKTsKLSAJICAgIH0KLSAJICAgIGlmIChtYWNfc2V0X3Byb2MobGFi
 ZWwpID09IC0xKQotIAkJZXJyb3IgPSBlcnJubzsKLSAJICAgIGVsc2UKLSAJCWVycm9yID0gMDsK
 LSAJICAgIG1hY19mcmVlKGxhYmVsKTsKLSAJICAgIGlmIChlcnJvciAhPSAwKSB7Ci0gCQlzeXNs
 b2coTE9HX0VSUiwgIm1hY19zZXRfcHJvYygnJXMnKSBmb3IgJXM6ICVzIiwKLSAJCSAgICBsYWJl
 bF9zdHJpbmcsIHB3ZC0+cHdfbmFtZSwgc3RyZXJyb3IoZXJyb3IpKTsKLSAJCXJldHVybiAoLTEp
 OwotIAkgICAgfQotIAl9Ci0gICAgIH0KLSAKICAgICAgLyogU2V0IHRoZSBzZXNzaW9ucyBsb2dp
 biAqLwogICAgICBpZiAoKGZsYWdzICYgTE9HSU5fU0VUTE9HSU4pICYmIHNldGxvZ2luKHB3ZC0+
 cHdfbmFtZSkgIT0gMCkgewogIAlzeXNsb2coTE9HX0VSUiwgInNldGxvZ2luKCVzKTogJW0iLCBw
 d2QtPnB3X25hbWUpOwotLS0gNDg1LDQ5MCAtLS0tCioqKioqKioqKioqKioqKgoqKiogNTQyLDU0
 NyAqKioqCi0tLSA1MTcsNTQ3IC0tLS0KICAgICAgbXltYXNrID0gc2V0bG9naW5jb250ZXh0KGxj
 LCBwd2QsIG15bWFzaywgZmxhZ3MpOwogICAgICBsb2dpbl9jbG9zZShsbGMpOwogIAorICAgICAv
 KiBTZXQgdXAgdGhlIHVzZXIncyBNQUMgbGFiZWwuICovCisgICAgIGlmICgoZmxhZ3MgJiBMT0dJ
 Tl9TRVRNQUMpICYmIG1hY19pc19wcmVzZW50KE5VTEwpID09IDEpIHsKKyAJY29uc3QgY2hhciAq
 bGFiZWxfc3RyaW5nOworIAltYWNfdCBsYWJlbDsKKyAKKyAJbGFiZWxfc3RyaW5nID0gbG9naW5f
 Z2V0Y2Fwc3RyKGxjLCAibGFiZWwiLCBOVUxMLCBOVUxMKTsKKyAJaWYgKGxhYmVsX3N0cmluZyAh
 PSBOVUxMKSB7CisgCSAgICBpZiAobWFjX2Zyb21fdGV4dCgmbGFiZWwsIGxhYmVsX3N0cmluZykg
 PT0gLTEpIHsKKyAJCXN5c2xvZyhMT0dfRVJSLCAibWFjX2Zyb21fdGV4dCgnJXMnKSBmb3IgJXM6
 ICVtIiwKKyAJCSAgICBwd2QtPnB3X25hbWUsIGxhYmVsX3N0cmluZyk7CisgCQlyZXR1cm4gKC0x
 KTsKKyAJICAgIH0KKyAJICAgIGlmIChtYWNfc2V0X3Byb2MobGFiZWwpID09IC0xKQorIAkJZXJy
 b3IgPSBlcnJubzsKKyAJICAgIGVsc2UKKyAJCWVycm9yID0gMDsKKyAJICAgIG1hY19mcmVlKGxh
 YmVsKTsKKyAJICAgIGlmIChlcnJvciAhPSAwKSB7CisgCQlzeXNsb2coTE9HX0VSUiwgIm1hY19z
 ZXRfcHJvYygnJXMnKSBmb3IgJXM6ICVzIiwKKyAJCSAgICBsYWJlbF9zdHJpbmcsIHB3ZC0+cHdf
 bmFtZSwgc3RyZXJyb3IoZXJyb3IpKTsKKyAJCXJldHVybiAoLTEpOworIAkgICAgfQorIAl9Cisg
 ICAgIH0KKyAKICAgICAgLyogVGhpcyBuZWVkcyB0byBiZSBkb25lIGFmdGVyIGFueXRoaW5nIHRo
 YXQgbmVlZHMgcm9vdCBwcml2cyAqLwogICAgICBpZiAoKGZsYWdzICYgTE9HSU5fU0VUVVNFUikg
 JiYgc2V0dWlkKHVpZCkgIT0gMCkgewogIAlzeXNsb2coTE9HX0VSUiwgInNldHVpZCglbHUpOiAl
 bSIsICh1X2xvbmcpdWlkKTsK
 --001a11c34ab6d5d15504d9d15662--