13 files changed, 332 insertions, 12 deletions

diff --git a/CREDITS b/CREDITS
index 82b9f2210..eaf105a91 100644
--- a/CREDITS
+++ b/CREDITS
@@ -25,6 +25,7 @@ Chris, the Young One <cky@pobox.com> - Password auth fixes
 Christos Zoulas <christos@zoulas.com> - Autoconf fixes
 Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
 Corinna Vinschen <vinschen@redhat.com> - Cygwin support
+Chad Mynhier <mynhier@interstel.net> - Solaris Process Contract support
 Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
 Darren Hall <dhall@virage.org> - AIX patches
 Darren Tucker <dtucker@zip.com.au> - AIX BFF package scripts
@@ -100,5 +101,5 @@ Apologies to anyone I have missed.
 
 Damien Miller <djm@mindrot.org>
 
-$Id: CREDITS,v 1.80 2005/08/26 20:15:20 tim Exp $
+$Id: CREDITS,v 1.81 2006/08/30 17:24:41 djm Exp $
 
diff --git a/ChangeLog b/ChangeLog
index d9aa6f6d5..0a702d3fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+20060831
+ - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
+   [platform.c platform.h sshd.c openbsd-compat/Makefile.in]
+   [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
+   [openbsd-compat/port-solaris.h] Add support for Solaris process
+   contracts, enabled with --use-solaris-contracts. Patch from Chad
+   Mynhier, tweaked by dtucker@ and myself; ok dtucker@
+
 20060830
  - (djm) OpenBSD CVS Sync
    - dtucker@cvs.openbsd.org 2006/08/21 08:14:01
@@ -5338,4 +5346,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4518 2006/08/30 12:33:09 dtucker Exp $
+$Id: ChangeLog,v 1.4519 2006/08/30 17:24:41 djm Exp $
diff --git a/LICENCE b/LICENCE
index 17d94aef5..0c2ff067a 100644
--- a/LICENCE
+++ b/LICENCE
@@ -288,6 +288,7 @@ OpenSSH contains no GPL code.
         Internet Software Consortium.
         Todd C. Miller
         Reyk Floeter
+        Chad Mynhier
 
         * Permission to use, copy, modify, and distribute this software for any
         * purpose with or without fee is hereby granted, provided that the above
diff --git a/Makefile.in b/Makefile.in
index e1f86dbef..525b08eba 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.280 2006/08/22 12:24:11 dtucker Exp $
+# $Id: Makefile.in,v 1.281 2006/08/30 17:24:41 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -44,6 +44,7 @@ CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBSELINUX=@LIBSELINUX@
+SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
 LIBWRAP=@LIBWRAP@
@@ -87,7 +88,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         auth-krb5.o \
         auth2-gss.o gss-serv.o gss-serv-krb5.o \
         loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-        audit.o audit-bsm.o
+        audit.o audit-bsm.o platform.o
 
 MANPAGES        = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN     = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
@@ -137,7 +138,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
         $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
+        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
         $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff --git a/configure.ac b/configure.ac
index 90cfbea9a..3aba414a2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.355 2006/08/20 11:43:19 dtucker Exp $
+# $Id: configure.ac,v 1.356 2006/08/30 17:24:41 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.355 $)
+AC_REVISION($Revision: 1.356 $)
 AC_CONFIG_SRCDIR([ssh.c])
 
 AC_CONFIG_HEADER(config.h)
@@ -127,6 +127,10 @@ AC_ARG_WITH(rpath,
         ]
 )
 
+# Messages for features tested for in target-specific section
+SIA_MSG="no"
+SPC_MSG="no"
+
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
@@ -438,6 +442,17 @@ mips-sony-bsd|mips-sony-newsos4)
         else
                 AC_MSG_RESULT(no)
         fi
+        AC_ARG_WITH(solaris-contracts,
+                [  --with-solaris-contracts Enable Solaris process contracts (experimental)],
+                [
+                AC_CHECK_LIB(contract, ct_tmpl_activate,
+                        [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
+                                [Define if you have Solaris process contracts])
+                          SSHDLIBS="$SSHDLIBS -lcontract"
+                          AC_SUBST(SSHDLIBS)
+                          SPC_MSG="yes" ], )
+                ],
+        )
         ;;
 *-*-sunos4*)
         CPPFLAGS="$CPPFLAGS -DSUNOS4"
@@ -586,6 +601,7 @@ mips-sony-bsd|mips-sony-newsos4)
                                 system's login() call])
                         AC_DEFINE(DISABLE_FD_PASSING)
                         LIBS="$LIBS -lsecurity -ldb -lm -laud"
+                        SIA_MSG="yes"
                 else
                         AC_MSG_RESULT(no)
                         AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin",
@@ -3905,6 +3921,7 @@ echo "          sshd superuser user PATH: $J"
 fi
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
+echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
@@ -3912,6 +3929,7 @@ echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
+echo "  Solaris process contract support: $SPC_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
diff --git a/includes.h b/includes.h
index 8e600567d..03665a3d3 100644
--- a/includes.h
+++ b/includes.h
@@ -160,6 +160,7 @@
 
 #include "defines.h"
 
+#include "platform.h"
 #include "openbsd-compat/openbsd-compat.h"
 #include "openbsd-compat/bsd-nextstep.h"
 
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 67e521bfe..9f06605d7 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.39 2006/04/22 11:26:08 djm Exp $
+# $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgroupl
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-irix.o port-linux.o port-aix.o port-uw.o port-tun.o
+PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
         $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 18249d81e..278ac71d9 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.40 2006/07/12 13:10:34 dtucker Exp $ */
+/* $Id: openbsd-compat.h,v 1.41 2006/08/30 17:24:42 djm Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -190,10 +190,12 @@ char *shadow_pw(struct passwd *pw);
 /* Routines for a single OS platform */
 #include "bsd-cray.h"
 #include "bsd-cygwin_util.h"
+
+#include "port-aix.h"
 #include "port-irix.h"
 #include "port-linux.h"
-#include "port-aix.h"
-#include "port-uw.h"
+#include "port-solaris.h"
 #include "port-tun.h"
+#include "port-uw.h"
 
 #endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
new file mode 100644
index 000000000..f31f0c6ea
--- /dev/null
+++ b/openbsd-compat/port-solaris.c
@@ -0,0 +1,189 @@
+/* $Id: port-solaris.c,v 1.1 2006/08/30 17:24:42 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Chad Mynhier.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+#include "includes.h"
+
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+#include <string.h>
+#include <unistd.h>
+
+#include <libcontract.h>
+#include <sys/contract/process.h>
+#include <sys/ctfs.h>
+
+#include "log.h"
+
+#define CT_TEMPLATE     CTFS_ROOT "/process/template"
+#define CT_LATEST       CTFS_ROOT "/process/latest"
+
+static int tmpl_fd = -1;
+
+/* Lookup the latest process contract */
+static ctid_t
+get_active_process_contract_id(void)
+{
+        int stat_fd;
+        ctid_t ctid = -1;
+        ct_stathdl_t stathdl;
+
+        if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
+                error("%s: Error opening 'latest' process "
+                    "contract: %s", __func__, strerror(errno));
+                return -1;
+        }
+        if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
+                error("%s: Error reading process contract "
+                    "status: %s", __func__, strerror(errno));
+                goto out;
+        }
+        if ((ctid = ct_status_get_id(stathdl)) < 0) {
+                error("%s: Error getting process contract id: %s",
+                    __func__, strerror(errno));
+                goto out;
+        }
+
+        ct_status_free(stathdl);
+ out:
+        close(stat_fd);
+        return ctid;
+}
+
+void
+solaris_contract_pre_fork(void)
+{
+        if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
+                error("%s: open %s: %s", __func__,
+                    CT_TEMPLATE, strerror(errno));
+                return;
+        }
+
+        debug2("%s: setting up process contract template on fd %d",
+            __func__, tmpl_fd);
+
+        /* We have to set certain attributes before activating the template */
+        if (ct_pr_tmpl_set_fatal(tmpl_fd,
+            CT_PR_EV_HWERR|CT_PR_EV_SIGNAL|CT_PR_EV_CORE) != 0) {
+                error("%s: Error setting process contract template "
+                    "fatal events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_tmpl_set_critical(tmpl_fd, CT_PR_EV_HWERR) != 0) {
+                error("%s: Error setting process contract template "
+                    "critical events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+
+        /* Now make this the active template for this process. */
+        if (ct_tmpl_activate(tmpl_fd) != 0) {
+                error("%s: Error activating process contract "
+                    "template: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        return;
+
+ fail:
+        if (tmpl_fd != -1) {
+                close(tmpl_fd);
+                tmpl_fd = -1;
+        }
+}
+
+void
+solaris_contract_post_fork_child()
+{
+        debug2("%s: clearing process contract template on fd %d",
+            __func__, tmpl_fd);
+
+        /* Clear the active template. */
+        if (ct_tmpl_clear(tmpl_fd) != 0)
+                error("%s: Error clearing active process contract "
+                    "template: %s", __func__, strerror(errno));
+
+        close(tmpl_fd);
+        tmpl_fd = -1;
+}
+
+void
+solaris_contract_post_fork_parent(pid_t pid)
+{
+        ctid_t ctid;
+        char ctl_path[256];
+        int r, ctl_fd = -1, stat_fd = -1;
+
+        debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);
+
+        if (tmpl_fd == -1)
+                return;
+
+        /* First clear the active template. */
+        if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
+                error("%s: Error clearing active process contract "
+                    "template: %s", __func__, strerror(errno));
+
+        close(tmpl_fd);
+        tmpl_fd = -1;
+
+        /*
+         * If either the fork didn't succeed (pid < 0), or clearing
+         * th active contract failed (r != 0), then we have nothing
+         * more do.
+         */
+        if (r != 0 || pid <= 0)
+                return;
+
+        /* Now lookup and abandon the contract we've created. */
+        ctid = get_active_process_contract_id();
+
+        debug2("%s: abandoning contract id %ld", __func__, ctid);
+
+        snprintf(ctl_path, sizeof(ctl_path),
+            CTFS_ROOT "/process/%ld/ctl", ctid);
+        if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
+                error("%s: Error opening process contract "
+                    "ctl file: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_ctl_abandon(ctl_fd) < 0) {
+                error("%s: Error abandoning process contract: %s",
+                    __func__, strerror(errno));
+                goto fail;
+        }
+        close(ctl_fd);
+        return;
+
+ fail:
+        if (tmpl_fd != -1) {
+                close(tmpl_fd);
+                tmpl_fd = -1;
+        }
+        if (stat_fd != -1)
+                close(stat_fd);
+        if (ctl_fd != -1)
+                close(ctl_fd);
+}
+#endif
diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
new file mode 100644
index 000000000..4c324871e
--- /dev/null
+++ b/openbsd-compat/port-solaris.h
@@ -0,0 +1,27 @@
+/* $Id: port-solaris.h,v 1.1 2006/08/30 17:24:42 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Chad Mynhier.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_SOLARIS_H
+
+#include <sys/types.h>
+
+void solaris_contract_pre_fork(void);
+void solaris_contract_post_fork_child(void);
+void solaris_contract_post_fork_parent(pid_t pid);
+
+#endif
diff --git a/platform.c b/platform.c
new file mode 100644
index 000000000..aee4b01e7
--- /dev/null
+++ b/platform.c
@@ -0,0 +1,46 @@
+/* $Id: platform.c,v 1.1 2006/08/30 17:24:41 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Darren Tucker.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+#include "platform.h"
+
+#include "openbsd-compat/openbsd-compat.h"
+
+void
+platform_pre_fork(void)
+{
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+        solaris_contract_pre_fork();
+#endif
+}
+
+void
+platform_post_fork_parent(pid_t child_pid)
+{
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+        solaris_contract_post_fork_parent(child_pid);
+#endif
+}
+
+void
+platform_post_fork_child(void)
+{
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+        solaris_contract_post_fork_child();
+#endif
+}
diff --git a/platform.h b/platform.h
new file mode 100644
index 000000000..cf93bc57c
--- /dev/null
+++ b/platform.h
@@ -0,0 +1,23 @@
+/* $Id: platform.h,v 1.1 2006/08/30 17:24:41 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Darren Tucker.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+
+void platform_pre_fork(void);
+void platform_post_fork_parent(pid_t child_pid);
+void platform_post_fork_child(void);
diff --git a/sshd.c b/sshd.c
index dcc626589..ee588ff8a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1154,6 +1154,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
                          * the child process the connection. The
                          * parent continues listening.
                          */
+                        platform_pre_fork();
                         if ((pid = fork()) == 0) {
                                 /*
                                  * Child.  Close the listening and
@@ -1163,6 +1164,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
                                  * We break out of the loop to handle
                                  * the connection.
                                  */
+                                platform_post_fork_child();
                                 startup_pipe = startup_p[1];
                                 close_startup_pipes();
                                 close_listen_socks();
@@ -1178,6 +1180,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
                         }
 
                         /* Parent.  Stay in the loop. */
+                        platform_post_fork_parent(pid);
                         if (pid < 0)
                                 error("fork: %.100s", strerror(errno));
                         else