Message-Id: <201304072144.r37LipIn049584@red.freebsd.org>
Date: Sun, 7 Apr 2013 21:44:51 GMT
From: "Kevin P. Barry" <ta0kira@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.

>Number:         177698
>Category:       kern
>Synopsis:       [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 07 21:50:01 UTC 2013
>Closed-Date:    
>Last-Modified:  Fri Apr 12 19:30:00 UTC 2013
>Originator:     Kevin P. Barry
>Release:        9.1-RELEASE amd64
>Organization:
>Environment:
FreeBSD kpbarry 9.1-RELEASE FreeBSD 9.1-RELEASE #0: Tue Mar 19 13:38:14 EDT 2013     root@kpbarry:/usr/obj/usr/src/sys/KPBARRY  amd64
>Description:
When using the mac_biba module, only root processes that are capable of
attaining biba/equal status are considered privileged. Among the privileges
to be lost for processes that cannot attain biba/equal is the ability to
set the login class of the process.

When sshd sets the user's context upon successful authentication
(session.c:1494), both the user's login class and the corresponding MAC
label are set in the same call to setusercontext. Since this isn't an
atomic function, it's possible for the MAC label to be set before the
login class (in my case, this certainly happens). Therefore, if the
login class of the user logging in has a MAC label in /etc/login.conf
incompatible with biba/equal (e.g. biba/high(high-high)) then the login
class might not be set (in my case it *doesn't* get set). This can cause
unexpected behavior for tools that can be configured by login class,
e.g. rctl.

My proposed solution is to separate context-setting into two calls to
setusercontext, with the first call setting all but LOGIN_SETMAC, and
the second call setting only LOGIN_SETMAC. I've included a patch, which
works on my system.
>How-To-Repeat:
- Enable mac_biba.
- Set the MAC label of a login class to ":label=biba/high(high-high):"
  in /etc/login.conf and run cap_mkdb. By default, sshd will probably
  run under the "default" login class; therefore, use a different login
  class so that a change in login class is required upon login.
- Log in remotely as a user who is a member of the login class modified
  in the step above. The login should succeed.
- Look at /var/log/messages for a message regarding setloginclass, and/or
  use `ps -o class -aux | grep sshd` to verify that the login class hasn't
  been set properly for the logged-in user.
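The login-class check from the last step, as an added example that is not part of this PR: it filters `ps -o class,user,pid,command -ax` output for a user's per-session sshd child (OpenSSH titles it `sshd: user@tty`) and reports any whose class differs from the one /etc/login.conf assigns. The ps output embedded below is constructed, and the column layout assumed is that of FreeBSD ps(1).

```shell
#!/bin/sh
# Constructed sample of `ps -o class,user,pid,command -ax` output: alice's
# session child still carries "default" although her class is "staff".
SAMPLE_PS='CLASS    USER  PID COMMAND
default  root   612 /usr/sbin/sshd
default  root  1234 sshd: alice [priv]
default  alice 1235 sshd: alice@pts/0
staff    bob   1301 sshd: bob@pts/1
default  alice 1240 -sh'

# check_class USER EXPECTED_CLASS [PS_OUTPUT]
# Lists each sshd session process of USER whose login class is not
# EXPECTED_CLASS. Exit status: 0 all match, 1 mismatch found, 2 no session.
# PS_OUTPUT is optional; without it the live ps(1) output is used.
check_class() {
    user=$1
    expected=$2
    ps_out=${3:-"$(ps -o class,user,pid,command -ax)"}
    printf '%s\n' "$ps_out" | awk -v u="$user" -v e="$expected" '
        NR == 1 { next }                       # skip the column header
        # per-session child: owned by the user, titled "sshd: user@tty"
        $2 == u && $4 == "sshd:" && $5 ~ "^" u "@" {
            found = 1
            if ($1 != e) {
                bad = 1
                printf "pid %s runs as class %s (expected %s)\n", $3, $1, e
            }
        }
        END { if (!found) exit 2; exit bad ? 1 : 0 }'
}

# Demonstration on the constructed sample: bob is fine, alice is not.
check_class bob staff "$SAMPLE_PS" && echo "bob: login class OK"
check_class alice staff "$SAMPLE_PS" || echo "alice: login class NOT set"
```

On a live host, run it as `check_class "$USER" staff` from a second shell while the test login is open.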
>Fix:
Patch /usr/src/crypto/openssh/session.c so that the MAC label is explicitly
set after the login class is set.

Patch attached with submission follows:

--- /usr/src/crypto/openssh/session.c.orig	2012-12-03 22:41:51.000000000 -0500
+++ /usr/src/crypto/openssh/session.c	2013-04-07 17:01:32.000000000 -0400
@@ -1491,11 +1491,24 @@
 
 	if (platform_privileged_uidswap()) {
 #ifdef HAVE_LOGIN_CAP
+#ifdef LOGIN_SETMAC
+		/* Set the MAC label second so it doesn't interfere with setting the login class. */
+		if (setusercontext(lc, pw, pw->pw_uid,
+		    (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER|LOGIN_SETMAC))) < 0) {
+			perror("unable to set user context");
+			exit(1);
+		}
+		if (setusercontext(lc, pw, pw->pw_uid,LOGIN_SETMAC) < 0) {
+			perror("unable to set user context");
+			exit(1);
+		}
+#else
 		if (setusercontext(lc, pw, pw->pw_uid,
 		    (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
 			perror("unable to set user context");
 			exit(1);
 		}
+#endif
 #else
 		if (setlogin(pw->pw_name) < 0)
 			error("setlogin failed: %s", strerror(errno));
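Review bot: both new setusercontext() calls fail with the identical message "unable to set user context", so an operator reading the log cannot tell a MAC-label failure from a login-class failure; give the LOGIN_SETMAC-only call its own message (e.g. "unable to set MAC label"). Two style points against the surrounding code: `pw->pw_uid,LOGIN_SETMAC` is missing the space after the comma, and the added comment line runs well past 80 columns. Finally, as the submitter's own follow-up below notes, /usr/bin/login has the same ordering problem, so the fix belongs in libutil's setusercontext() rather than in each caller; if that lands, this hunk is unnecessary.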


>Release-Note:
>Audit-Trail:

From: Kevin Barry <ta0kira@gmail.com>
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Cc:  
Subject: Re: bin/177698: [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
Date: Sun, 7 Apr 2013 23:50:35 -0400

 I submitted this bug report earlier, and since then I've noticed that
 /usr/bin/login suffers from the same problem. I've therefore made a change
 to libutil to make setusercontext set the MAC label right before the uid
 change. I've attached a separate patch that should universally fix the
 problem. This also makes my previous sshd patch obsolete. Incidentally,
 this should be reclassified as a bug in libutil.
 
 Content-Type: text/plain; charset=US-ASCII; name="login_class.c.txt"
 Content-Disposition: attachment; filename="login_class.c.txt"

From: Kevin Barry <ta0kira@gmail.com>
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Cc:  
Subject: Re: kern/177698: [libutil] [patch] sshd sets the user's MAC label at the same time it attempts to set the login class, which can cause the latter to fail if mac_biba is used.
Date: Fri, 12 Apr 2013 15:20:10 -0400

 Here's a new patch for login_class.c. As far as I can tell there is no
 reason to require that a passwd entry be specified in order to set the MAC
 label; therefore, I removed that requirement. Additionally, the current
 implementation silently fails to set the MAC label when the pwd argument is
 NULL, and silent failure when it comes to security isn't a good thing.
 While not directly related to the original problem, it's related to the
 underlying issue, which is that the handling of MAC labels in
 setusercontext has several bugs in need of fixing.
 
 Content-Type: text/plain; charset=US-ASCII; name="login_class.c.txt"
 Content-Disposition: attachment; filename="login_class.c.txt"
>Unformatted:
