-rw-r--r-- | acconfig.h | 3 | ||||
-rw-r--r-- | configure.in | 9 | ||||
-rw-r--r-- | session.c | 58 |
3 files changed, 69 insertions, 1 deletions
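--- a/acconfig.h
+++ b/acconfig.h
@@ -6,6 +6,9 @@
 
 @TOP@
 
+/* Define if you have the getuserattr function. */
+#undef HAVE_GETUSERATTR
+
 /* Work around problematic Linux PAM modules handling of PAM_TTY */
 #undef PAM_TTY_KLUDGE
 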
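--- a/configure.in
+++ b/configure.in
@@ -40,6 +40,8 @@ case "$host" in
 mansubdir=cat
 dnl AIX handles lastlog as part of its login message
 AC_DEFINE(DISABLE_LASTLOG)
+MANTYPE='$(CATMAN)'
+mansubdir=cat
 ;;
 *-*-hpux10*)
 if test -z "$GCC"; then
@@ -206,7 +208,7 @@ if test -z "$no_libnsl" ; then
 fi
 
 # Checks for header files.
-AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h util.h utmp.h utmpx.h)
+AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h usersec.h util.h utmp.h utmpx.h)
 
 # Checks for library functions.
 AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strlcat strlcpy vsnprintf vhangup _getpty __b64_ntop)
@@ -221,6 +223,11 @@ dnl checks for utmpx functions
 AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline )
 AC_CHECK_FUNCS(setutxent utmpxname)
 
+AC_CHECK_FUNC(getuserattr,
+[AC_DEFINE(HAVE_GETUSERATTR)],
+[AC_CHECK_LIB(s, getuserattr, [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])]
+)
+
 AC_CHECK_FUNC(login,
 [AC_DEFINE(HAVE_LOGIN)],
 [AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])]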
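Review bot: `mansubdir=cat` is assigned twice in the AIX arm of the `case "$host"` hunk (@@ -40): context line 40 already sets it and new line 44 sets it again, so the added assignment is redundant and should be dropped, keeping only `MANTYPE='$(CATMAN)'` as the addition. The case arm begins before the hunk, so it is possible the earlier assignment was meant to be moved rather than duplicated; either way only one of the two should remain so the intent is clear to the next reader.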
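--- a/session.c
+++ b/session.c
@@ -9,6 +9,9 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
+#if defined(HAVE_USERSEC_H)
+#include <usersec.h>
+#endif
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -789,6 +792,57 @@ void do_pam_environment(char ***env, int *envsize)
 }
 #endif /* USE_PAM */
 
+#if defined(HAVE_GETUSERATTR)
+/*
+* AIX-specific login initialisation
+*/
+void set_limit(char *user, char *soft, char *hard, int resource, int mult)
+{
+struct rlimit rlim;
+rlim_t tlim;
+int mask;
+
+getrlimit(resource, &rlim);
+
+tlim = (rlim_t) 0;
+if (getuserattr(user, soft, &tlim, SEC_INT) != -1 && tlim)
+rlim.rlim_cur = tlim * mult;
+
+tlim = (rlim_t) 0;
+if (getuserattr(user, hard, &tlim, SEC_INT) != -1 && tlim)
+rlim.rlim_max = tlim * mult;
+
+if (rlim.rlim_cur > rlim.rlim_max)
+rlim.rlim_max = rlim.rlim_cur;
+
+if (setrlimit(resource, &rlim) != 0)
+error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno))
+}
+
+void set_limits_from_userattr(char *user)
+{
+int mask;
+char buf[16];
+
+set_limit(user, S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512);
+set_limit(user, S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1);
+set_limit(user, S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512);
+set_limit(user, S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512);
+set_limit(user, S_URSS, S_URSS_HARD, RLIMIT_RSS, 512);
+set_limit(user, S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512);
+#if defined(S_UNOFILE)
+set_limit(user, S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1);
+#endif
+
+if (getuserattr(user, S_UMASK, &mask, SEC_INT) != -1) {
+/* Convert decimal to octal */
+(void) snprintf(buf, sizeof(buf), "%d", mask);
+if (sscanf(buf, "%o", &mask) == 1)
+umask(mask);
+}
+}
+#endif /* defined(HAVE_GETUSERATTR) */
+
 /*
 * Performs common processing for the child, such as setting up the
 * environment, closing extra file descriptors, setting the user and group
@@ -855,6 +909,10 @@ do_child(const char *command, struct passwd * pw, const char *term,
 }
 #else /* HAVE_OSF_SIA */
 if (getuid() == 0 || geteuid() == 0) {
+#if defined(HAVE_GETUSERATTR)
+set_limits_from_userattr(pw->pw_name);
+#endif /* defined(HAVE_GETUSERATTR) */
+
 if (setgid(pw->pw_gid) < 0) {
 perror("setgid");
 exit(1);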
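Review bot: The `error(...)` call at new line 819 of the set_limit hunk (@@ -789) has no terminating semicolon before the closing brace, so session.c will not compile on any build where HAVE_GETUSERATTR is defined; it should read `error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno));`. In the same function the return value of getrlimit() at line 805 is ignored, so if it fails the uninitialised rlim is handed straight to setrlimit() as the user's new limits; guard it with `if (getrlimit(resource, &rlim) != 0) { error("getrlimit(%.10s) failed: %.100s", soft, strerror(errno)); return; }`. The `int mask;` local at line 803 is unused, and both new functions are file-local helpers that would normally be declared `static`. SEC_INT attributes are presumably written through an `int *`, so passing `&tlim` (an rlim_t) at lines 808 and 812 looks like a width mismatch on builds where rlim_t is wider than int — confirm against usersec.h and read into an int before widening.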