- (djm) AIX getuserattr() session initialisation from Tom Bertelson

<tbert@abac.com>
author: Damien Miller <djm@mindrot.org> 2000-07-09 23:53:07 +1000
committer: Damien Miller <djm@mindrot.org> 2000-07-09 23:53:07 +1000
commit: 5fc8565d2088322eb8bf6fedf44ad15511028c08 (patch)
tree: 09b2e0ec0a8288711a7b69b6d2f11084e04a9bc3
parent: 31abc9addbf23675eb094638c83c6279437b6a50 (diff)
3 files changed, 69 insertions, 1 deletions
diff --git a/acconfig.h b/acconfig.h
index e11bf5e60..4757b66bc 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -6,6 +6,9 @@
 @TOP@
+/* Define if you have the getuserattr function.  */
+#undef HAVE_GETUSERATTR
 /* Work around problematic Linux PAM modules handling of PAM_TTY */
 #undef PAM_TTY_KLUDGE
diff --git a/configure.in b/configure.in
index f496e3934..f4f47cd45 100644
--- a/configure.in
+++ b/configure.in
@@ -40,6 +40,8 @@ case "$host" in
        mansubdir=cat
        dnl AIX handles lastlog as part of its login message
        AC_DEFINE(DISABLE_LASTLOG)
+        MANTYPE='$(CATMAN)'
+        mansubdir=cat
        ;;
 *-*-hpux10*)
        if test -z "$GCC"; then
@@ -206,7 +208,7 @@ if test -z "$no_libnsl" ; then
 fi
 # Checks for header files.
-AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h util.h utmp.h utmpx.h)
+AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h usersec.h util.h utmp.h utmpx.h)
 # Checks for library functions.
 AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strlcat strlcpy vsnprintf vhangup _getpty __b64_ntop)
@@ -221,6 +223,11 @@ dnl    checks for utmpx functions
 AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline )
 AC_CHECK_FUNCS(setutxent utmpxname)
+AC_CHECK_FUNC(getuserattr, 
+        [AC_DEFINE(HAVE_GETUSERATTR)],
+        [AC_CHECK_LIB(s, getuserattr, [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])]
+)
 AC_CHECK_FUNC(login, 
        [AC_DEFINE(HAVE_LOGIN)],
        [AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])]
diff --git a/session.c b/session.c
index 29956777f..1f0d227d0 100644
--- a/session.c
+++ b/session.c
@@ -9,6 +9,9 @@
 #include "includes.h"
 RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
+#if defined(HAVE_USERSEC_H)
+#include <usersec.h>
+#endif
 #include "xmalloc.h"
 #include "ssh.h"
@@ -789,6 +792,57 @@ void do_pam_environment(char ***env, int *envsize)
 }
 #endif /* USE_PAM */
+#if defined(HAVE_GETUSERATTR)
+/*
+ * AIX-specific login initialisation
+ */
+void set_limit(char *user, char *soft, char *hard, int resource, int mult)
+{
+        struct rlimit rlim;
+        rlim_t tlim;
+        int mask;
+        getrlimit(resource, &rlim);
+        tlim = (rlim_t) 0;
+        if (getuserattr(user, soft, &tlim, SEC_INT) != -1 && tlim)
+                rlim.rlim_cur = tlim * mult;
+        tlim = (rlim_t) 0;
+        if (getuserattr(user, hard, &tlim, SEC_INT) != -1 && tlim)
+                rlim.rlim_max = tlim * mult;
+        if (rlim.rlim_cur > rlim.rlim_max)
+                rlim.rlim_max = rlim.rlim_cur;
+        if (setrlimit(resource, &rlim) != 0)
+                error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno))
+}
+void set_limits_from_userattr(char *user)
+{
+        int mask;
+        char buf[16];
+        set_limit(user, S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512);
+        set_limit(user, S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1);
+        set_limit(user, S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512);
+        set_limit(user, S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512);
+        set_limit(user, S_URSS, S_URSS_HARD, RLIMIT_RSS, 512);
+        set_limit(user, S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512);
+#if defined(S_UNOFILE)
+        set_limit(user, S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1);
+#endif
+        if (getuserattr(user, S_UMASK, &mask, SEC_INT) != -1) {
+                /* Convert decimal to octal */
+                (void) snprintf(buf, sizeof(buf), "%d", mask);
+                if (sscanf(buf, "%o", &mask) == 1)
+                        umask(mask);
+        }
+}
+#endif /* defined(HAVE_GETUSERATTR) */
 /*
 * Performs common processing for the child, such as setting up the
 * environment, closing extra file descriptors, setting the user and group
@@ -855,6 +909,10 @@ do_child(const char *command, struct passwd * pw, const char *term,
                }
 #else /* HAVE_OSF_SIA */
                if (getuid() == 0 || geteuid() == 0) {
+#if defined(HAVE_GETUSERATTR)
+                        set_limits_from_userattr(pw->pw_name);
+#endif /* defined(HAVE_GETUSERATTR) */
                        if (setgid(pw->pw_gid) < 0) {
                                perror("setgid");
                                exit(1);
author	Damien Miller <djm@mindrot.org>	2000-07-09 23:53:07 +1000
committer	Damien Miller <djm@mindrot.org>	2000-07-09 23:53:07 +1000
commit	5fc8565d2088322eb8bf6fedf44ad15511028c08 (patch)
tree	09b2e0ec0a8288711a7b69b6d2f11084e04a9bc3
parent	31abc9addbf23675eb094638c83c6279437b6a50 (diff)

diff --git a/acconfig.h b/acconfig.h index e11bf5e60..4757b66bc 100644 --- a/acconfig.h +++ b/acconfig.h
@@ -6,6 +6,9 @@
6		6
7	@TOP@	7	@TOP@
8		8
		9	/* Define if you have the getuserattr function. */
		10	#undef HAVE_GETUSERATTR
		11
9	/* Work around problematic Linux PAM modules handling of PAM_TTY */	12	/* Work around problematic Linux PAM modules handling of PAM_TTY */
10	#undef PAM_TTY_KLUDGE	13	#undef PAM_TTY_KLUDGE
11		14


diff --git a/configure.in b/configure.in index f496e3934..f4f47cd45 100644 --- a/configure.in +++ b/configure.in
@@ -40,6 +40,8 @@ case "$host" in
40	mansubdir=cat	40	mansubdir=cat
41	dnl AIX handles lastlog as part of its login message	41	dnl AIX handles lastlog as part of its login message
42	AC_DEFINE(DISABLE_LASTLOG)	42	AC_DEFINE(DISABLE_LASTLOG)
		43	MANTYPE='$(CATMAN)'
		44	mansubdir=cat
43	;;	45	;;
44	--hpux10*)	46	--hpux10*)
45	if test -z "$GCC"; then	47	if test -z "$GCC"; then
@@ -206,7 +208,7 @@ if test -z "$no_libnsl" ; then
206	fi	208	fi
207		209
208	# Checks for header files.	210	# Checks for header files.
209	AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h util.h utmp.h utmpx.h)	211	AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h usersec.h util.h utmp.h utmpx.h)
210		212
211	# Checks for library functions.	213	# Checks for library functions.
212	AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strlcat strlcpy vsnprintf vhangup _getpty __b64_ntop)	214	AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strlcat strlcpy vsnprintf vhangup _getpty __b64_ntop)
@@ -221,6 +223,11 @@ dnl checks for utmpx functions
221	AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline )	223	AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline )
222	AC_CHECK_FUNCS(setutxent utmpxname)	224	AC_CHECK_FUNCS(setutxent utmpxname)
223		225
		226	AC_CHECK_FUNC(getuserattr,
		227	[AC_DEFINE(HAVE_GETUSERATTR)],
		228	[AC_CHECK_LIB(s, getuserattr, [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])]
		229	)
		230
224	AC_CHECK_FUNC(login,	231	AC_CHECK_FUNC(login,
225	[AC_DEFINE(HAVE_LOGIN)],	232	[AC_DEFINE(HAVE_LOGIN)],
226	[AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])]	233	[AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])]


diff --git a/session.c b/session.c index 29956777f..1f0d227d0 100644 --- a/session.c +++ b/session.c
@@ -9,6 +9,9 @@
9		9
10	#include "includes.h"	10	#include "includes.h"
11	RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");	11	RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
		12	#if defined(HAVE_USERSEC_H)
		13	#include <usersec.h>
		14	#endif
12		15
13	#include "xmalloc.h"	16	#include "xmalloc.h"
14	#include "ssh.h"	17	#include "ssh.h"
@@ -789,6 +792,57 @@ void do_pam_environment(char **env, int envsize)
789	}	792	}
790	#endif /* USE_PAM */	793	#endif /* USE_PAM */
791		794
		795	#if defined(HAVE_GETUSERATTR)
		796	/*
		797	* AIX-specific login initialisation
		798	*/
		799	void set_limit(char user, char soft, char *hard, int resource, int mult)
		800	{
		801	struct rlimit rlim;
		802	rlim_t tlim;
		803	int mask;
		804
		805	getrlimit(resource, &rlim);
		806
		807	tlim = (rlim_t) 0;
		808	if (getuserattr(user, soft, &tlim, SEC_INT) != -1 && tlim)
		809	rlim.rlim_cur = tlim * mult;
		810
		811	tlim = (rlim_t) 0;
		812	if (getuserattr(user, hard, &tlim, SEC_INT) != -1 && tlim)
		813	rlim.rlim_max = tlim * mult;
		814
		815	if (rlim.rlim_cur > rlim.rlim_max)
		816	rlim.rlim_max = rlim.rlim_cur;
		817
		818	if (setrlimit(resource, &rlim) != 0)
		819	error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno))
		820	}
		821
		822	void set_limits_from_userattr(char *user)
		823	{
		824	int mask;
		825	char buf[16];
		826
		827	set_limit(user, S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512);
		828	set_limit(user, S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1);
		829	set_limit(user, S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512);
		830	set_limit(user, S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512);
		831	set_limit(user, S_URSS, S_URSS_HARD, RLIMIT_RSS, 512);
		832	set_limit(user, S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512);
		833	#if defined(S_UNOFILE)
		834	set_limit(user, S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1);
		835	#endif
		836
		837	if (getuserattr(user, S_UMASK, &mask, SEC_INT) != -1) {
		838	/* Convert decimal to octal */
		839	(void) snprintf(buf, sizeof(buf), "%d", mask);
		840	if (sscanf(buf, "%o", &mask) == 1)
		841	umask(mask);
		842	}
		843	}
		844	#endif /* defined(HAVE_GETUSERATTR) */
		845
792	/*	846	/*
793	* Performs common processing for the child, such as setting up the	847	* Performs common processing for the child, such as setting up the
794	* environment, closing extra file descriptors, setting the user and group	848	* environment, closing extra file descriptors, setting the user and group
@@ -855,6 +909,10 @@ do_child(const char command, struct passwd pw, const char *term,
855	}	909	}
856	#else /* HAVE_OSF_SIA */	910	#else /* HAVE_OSF_SIA */
857	if (getuid() == 0 \|\| geteuid() == 0) {	911	if (getuid() == 0 \|\| geteuid() == 0) {
		912	#if defined(HAVE_GETUSERATTR)
		913	set_limits_from_userattr(pw->pw_name);
		914	#endif /* defined(HAVE_GETUSERATTR) */
		915
858	if (setgid(pw->pw_gid) < 0) {	916	if (setgid(pw->pw_gid) < 0) {
859	perror("setgid");	917	perror("setgid");
860	exit(1);	918	exit(1);