author | Denis Vlasenko <vda.linux@googlemail.com> | 2007-10-20 02:00:49 +0000 |
---|---|---|
committer | Denis Vlasenko <vda.linux@googlemail.com> | 2007-10-20 02:00:49 +0000 |
commit | 2edbc2ab85b96fb01a3862db09df12f40d4382cd (patch) | |
tree | 0637a680a89fb11a986e59657875adda2546ec18 /libbb/update_passwd.c | |
parent | aa7a888e423fc85daa8af0ac3aabe8fc7af86312 (diff) | |
ping: fix breakage from -I fix
passwd: SELinux support by KaiGai Kohei <kaigai@ak.jp.nec.com>
Diffstat (limited to 'libbb/update_passwd.c')
-rw-r--r-- | libbb/update_passwd.c | 29 |
1 files changed, 29 insertions, 0 deletions
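--- a/libbb/update_passwd.c
+++ b/libbb/update_passwd.c
@@ -11,6 +11,31 @@
 
 #include "libbb.h"
 
+#if ENABLE_SELINUX
+static void check_selinux_update_passwd(const char *username)
+{
+security_context_t context;
+char *seuser;
+
+if (getuid() != (uid_t)0 || is_selinux_enabled() == 0)
+return; /* No need to check */
+
+if (getprevcon_raw(&context) < 0)
+bb_perror_msg_and_die("getprevcon failed");
+seuser = strtok(context, ":");
+if (!seuser)
+bb_error_msg_and_die("invalid context '%s'", context);
+if (strcmp(seuser, username) != 0) {
+if (checkPasswdAccess(PASSWD__PASSWD) != 0)
+bb_error_msg_and_die("SELinux: access denied");
+}
+if (ENABLE_FEATURE_CLEAN_UP)
+freecon(context);
+}
+#else
+#define check_selinux_update_passwd(username) ((void)0)
+#endif
+
 int update_passwd(const char *filename, const char *username,
 const char *new_pw)
 {
@@ -27,6 +52,8 @@ int update_passwd(const char *filename, const char *username,
 int cnt = 0;
 int ret = -1; /* failure */
 
+check_selinux_update_passwd(username);
+
 /* New passwd file, "/etc/passwd+" for now */
 fnamesfx = xasprintf("%s+", filename);
 sfx_char = &fnamesfx[strlen(fnamesfx)-1];
@@ -38,6 +65,8 @@ int update_passwd(const char *filename, const char *username,
 goto free_mem;
 old_fd = fileno(old_fp);
 
+selinux_preserve_fcontext(old_fd);
+
 /* Try to create "/etc/passwd+". Wait if it exists. */
 i = 30;
 do {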
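Review bot: In check_selinux_update_passwd the gate `getuid() != (uid_t)0` skips the SELinux check whenever the real uid is non-zero, so a setuid-root `passwd` run by an ordinary user never reaches checkPasswdAccess; that is only safe because the calling applet (not visible in this file) limits a non-root invoker to its own entry, and that dependency deserves a comment such as `/* only root may change other users' entries without the old password; confine that path with SELinux (non-root callers are bound to their own uid by the applet) */`. The `strcmp(seuser, username)` test compares an SELinux user identity (first field of the context) with a Unix account name; in practice these coincide only for `root`, so a caller running in a `root:...` context changing root's password bypasses the AVC check while every other target falls through to checkPasswdAccess — acceptable if intended, but worth stating in a comment next to the strcmp. In the third hunk, `selinux_preserve_fcontext(old_fd)` presumably sets the process file-creation context so that `/etc/passwd+` inherits the label of the original file; if that helper does not reset it (its body is outside this diff), anything the same process creates afterwards gets the same label, so consider calling `setfscreatecon(NULL)` once the new file has been created. update_passwd continues outside these hunks.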