kern/177698: [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
Kevin Barry
ta0kira at gmail.com
Fri Apr 12 19:30:01 UTC 2013
The following reply was made to PR kern/177698; it has been noted by GNATS.
From: Kevin Barry <ta0kira at gmail.com>
To: bug-followup at FreeBSD.org, ta0kira at gmail.com
Cc:
Subject: Re: kern/177698: [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
Date: Fri, 12 Apr 2013 15:20:10 -0400
Here's a new patch for login_class.c. As far as I can tell there is no
reason to require that a passwd entry be specified in order to set the MAC
label; therefore, I removed that requirement. Additionally, the current
implementation silently fails to set the MAC label when the pwd argument is
NULL, and silent failure when it comes to security isn't a good thing.
While not directly related to the original problem, it's related to the
underlying issue, which is that the handling of MAC labels in
setusercontext has several bugs in need of fixing.
Attachment: login_class.c.txt