7 files changed, 161 insertions, 52 deletions
diff --git a/ChangeLog b/ChangeLog
index 867752050..14f54496b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -98,7 +98,7 @@
     [ssh-keygen.c]
     allow uploading RSA keys for non-default AUT0 (sha1 over passphrase 
     like sectok).
-   - markus@cvs.openbsd.org 2001/08/01 23:38:45
+  - markus@cvs.openbsd.org 2001/08/01 23:38:45
     [scard.c ssh.c]
     support finish rsa keys.
     free public keys after login -> call finish -> close smartcard.
@@ -122,7 +122,7 @@
   - jakob@cvs.openbsd.org 2001/08/02 15:43:57
     [ssh-agent.c ssh.c ssh-keygen.c]
     add /* SMARTCARD */ to #else/#endif. ok markus@
-   - jakob@cvs.openbsd.org 2001/08/02 16:14:05
+  - jakob@cvs.openbsd.org 2001/08/02 16:14:05
     [scard.c ssh-agent.c ssh.c ssh-keygen.c]
     clean up some /* SMARTCARD */. ok markus@
   - mpech@cvs.openbsd.org 2001/08/02 18:37:35
@@ -148,6 +148,8 @@
     [scp.c]
     use alarm vs. setitimer for portable; ok markus@
 - (bal) ssh-keyscan double -lssh hack due to seed_rng().
+ - (bal) Second around of UNICOS patches.  A few other things left. 
+   Patches by William L. Jones <jones@mail.utexas.edu> 
 20010803
 - (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on
@@ -6258,4 +6260,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1466 2001/08/06 22:56:46 mouring Exp $
+$Id: ChangeLog,v 1.1467 2001/08/06 23:29:16 mouring Exp $
diff --git a/configure.in b/configure.in
index 75b3626d2..4210d3e94 100644
--- a/configure.in
+++ b/configure.in
@@ -1,4 +1,4 @@
-# $Id: configure.in,v 1.304 2001/07/24 17:00:14 mouring Exp $
+# $Id: configure.in,v 1.305 2001/08/06 23:29:17 mouring Exp $
 AC_INIT(ssh.c)
@@ -1453,6 +1453,7 @@ if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then
        OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
        OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
        OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
+        OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
        OSSH_PATH_ENTROPY_PROG(PROG_W, w)
        OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
        OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)
diff --git a/loginrec.c b/loginrec.c
index e121ce354..5789aad76 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -163,7 +163,7 @@
 #include "log.h"
 #include "atomicio.h"
-RCSID("$Id: loginrec.c,v 1.33 2001/05/08 20:33:06 mouring Exp $");
+RCSID("$Id: loginrec.c,v 1.34 2001/08/06 23:29:17 mouring Exp $");
 #ifdef HAVE_UTIL_H
 #  include <util.h>
@@ -616,9 +616,15 @@ construct_utmp(struct logininfo *li,
        switch (li->type) {
        case LTYPE_LOGIN:
                ut->ut_type = USER_PROCESS;
+#ifdef _CRAY
+                cray_set_tmpdir(ut);
+#endif
                break;
        case LTYPE_LOGOUT:
                ut->ut_type = DEAD_PROCESS;
+#ifdef _CRAY
+                cray_retain_utmp(ut, li->pid);
+#endif
                break;
        }
 # endif
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c
index c887322cb..a11a5b6aa 100644
--- a/openbsd-compat/bsd-cray.c
+++ b/openbsd-compat/bsd-cray.c
@@ -12,18 +12,24 @@
 #include <utmp.h>
 #include <sys/jtab.h>
 #include <signal.h>
+#include <sys/priv.h>
+#include <sys/secparm.h>
+#include <sys/usrv.h>
+#include <sys/sysv.h>
+#include <sys/sectab.h>
 #include <sys/stat.h>
 #include <stdlib.h>
 #include <pwd.h>
 #include <fcntl.h>
 #include <errno.h>
+#include "bsd-cray.h"
 char cray_tmpdir[TPATHSIZ+1];               /* job TMPDIR path */
 /*
 * Functions.
 */
-int cray_setup(uid_t, char *);
 void cray_retain_utmp(struct utmp *, int);
 void cray_create_tmpdir(int, uid_t, gid_t);
 void cray_delete_tmpdir(char *, int , uid_t);
@@ -31,17 +37,17 @@ void cray_job_termination_handler (int);
 void cray_init_job(struct passwd *);
 void cray_set_tmpdir(struct utmp *);
 /* 
 * Orignal written by:
 *     Wayne Schroeder
 *     San Diego Supercomputer Center
 *     schroeder@sdsc.edu
 */
-int 
+void
 cray_setup(uid_t uid, char *username)
 {
        struct udb *p;
-        extern struct udb *getudb();
        extern char *setlimits();
        int i, j;
        int accts[MAXVIDS];
@@ -52,58 +58,83 @@ cray_setup(uid_t uid, char *username)
        struct jtab jbuf;
        int jid;
-        if ((jid = getjtab (&jbuf)) < 0) {
+        if ((jid = getjtab (&jbuf)) < 0) fatal("getjtab: no jid");
-                debug("getjtab");
-                return -1;
-        }
-        /* Find all of the accounts for a particular user */
+        err = setudb();    /* open and rewind the Cray User DataBase */
-        err = setudb();    /* open and rewind the Cray User DataBase */
+        if(err != 0) fatal("UDB open failure");
-        if(err != 0) {
-                debug("UDB open failure");
-                return -1;
-        }
        naccts = 0;
-        while ((p = getudb()) != UDB_NULL) {
+        p = getudbnam(username);
-                if (p->ue_uid == -1) break;
+        if (p == NULL) fatal("No UDB entry for %s", username);
-                if(uid == p->ue_uid) {
+        if(uid != p->ue_uid)  
-                        for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
+                fatal("UDB etnry %s uid(%d) does not match uid %d\n",
-                                accts[naccts] = p->ue_acids[j];
+                      username, p->ue_uid, uid);
-                                naccts++;
+        for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
-                        }
+                accts[naccts] = p->ue_acids[j];
-                }
+                naccts++;
-        }
-        endudb();        /* close the udb */
-        if (naccts == 0 || accts[0] == 0) {
-                debug("No Cray accounts found");
-                return -1;
-        }
- 
-        /* Perhaps someday we'll prompt users who have multiple accounts
-           to let them pick one (like CRI's login does), but for now just set 
-           the account to the first entry. */
-        if (acctid(0, accts[0]) < 0) {
-                debug("System call acctid failed, accts[0]=%d",accts[0]);
-                return -1;
        }
+        endudb();        /* close the udb */
+        if (naccts != 0) {
+                /* Perhaps someday we'll prompt users who have multiple accounts
+                   to let them pick one (like CRI's login does), but for now just set 
+                   the account to the first entry. */
+                if (acctid(0, accts[0]) < 0) 
+                        fatal("System call acctid failed, accts[0]=%d",accts[0]);
+        }
 
-        /* Now set limits, including CPU time for the (interactive) job and process,
+        /* Now set limits, including CPU time for the (interactive) job and process,
-           and set up permissions (for chown etc), etc.  This is via an internal CRI
+           and set up permissions (for chown etc), etc.  This is via an internal CRI
-           routine, setlimits, used by CRI's login. */
+           routine, setlimits, used by CRI's login. */
        pid = getpid();
        sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
-        if (sr != NULL) {
+        if (sr != NULL) fatal("%.200s", sr);
-                debug("%.200s", sr);
-                return -1;
-        }
        sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
-        if (sr != NULL) {
+        if (sr != NULL) fatal("%.200s", sr);
-                debug("%.200s", sr);
-                return -1;
-        }
-        return 0;
+}
+/* 
+ * The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk
+ * can have pal privileges that sshd can inherit which
+ * could allow a user to su to root with out a password.
+ * This subroutine clears all privileges.
+ */
+void
+drop_cray_privs()
+{
+#if defined(_SC_CRAY_PRIV_SU)
+        priv_proc_t*              privstate;
+        int                       result;
+        extern      int           priv_set_proc();
+        extern      priv_proc_t*  priv_init_proc();
+        struct      usrv          usrv;
+        /*
+         * If ether of theses two flags are not set
+         * then don't allow this version of ssh to run.
+         */
+        if (!sysconf(_SC_CRAY_PRIV_SU)) fatal("Not PRIV_SU system.");
+        if (!sysconf(_SC_CRAY_POSIX_PRIV))  fatal("Not POSIX_PRIV.");
+        debug ("Dropping privileges.");
+        memset(&usrv, 0, sizeof(usrv));
+        if (setusrv(&usrv) < 0) 
+                fatal ("%s(%d): setusrv(): %s\n", __FILE__, __LINE__, strerror(errno));
+        if ((privstate = priv_init_proc()) != NULL) {
+                result = priv_set_proc(privstate);
+                if ( result != 0 ) fatal ("%s(%d): priv_set_proc(): %s\n",
+                                        __FILE__, __LINE__, strerror(errno));
+                priv_free_proc(privstate);
+        }
+        debug ("Privileges should be cleared...");
+#else
+Cray systems must be run with _SC_CRAY_PRIV_SU on! 
+#endif
 }
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index ca7871c0d..ab07315b6 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.11 2001/07/14 03:22:54 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.12 2001/08/06 23:29:18 mouring Exp $ */
 #ifndef _OPENBSD_H
 #define _OPENBSD_H
@@ -38,4 +38,7 @@
 #include "fake-getnameinfo.h"
 #include "fake-socket.h"
+/* Routines for a single OS platform */
+#include "bsd-cray.h"
 #endif /* _OPENBSD_H */
diff --git a/sshd.c b/sshd.c
index d1c68445d..b6adc38cb 100644
--- a/sshd.c
+++ b/sshd.c
@@ -679,6 +679,13 @@ main(int ac, char **av)
            options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
            !inetd_flag);
+#ifdef _CRAY
+        /* Cray can define user privs drop all prives now!
+         * Not needed on PRIV_SU systems!
+         */
+        drop_cray_privs();
+#endif
        seed_rng();
        /* Read server configuration options from the configuration file. */
diff --git a/sshpty.c b/sshpty.c
index 71e16b79e..84572c901 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -162,6 +162,34 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
        }
        return 1;
 #else /* HAVE_DEV_PTS_AND_PTC */
+#ifdef _CRAY
+        char buf[64];
+        int i;
+        int highpty;
+#ifdef _SC_CRAY_NPTY
+        highpty = sysconf(_SC_CRAY_NPTY);
+        if (highpty == -1)
+        highpty = 128;
+#else
+        highpty = 128;
+#endif
+        for (i = 0; i < highpty; i++) {
+                snprintf(buf, sizeof(buf), "/dev/pty/%03d", i);
+                *ptyfd = open(buf, O_RDWR|O_NOCTTY);
+                if (*ptyfd < 0) continue;
+                snprintf(namebuf, namebuflen, "/dev/ttyp%03d", i);
+                /* Open the slave side. */
+                *ttyfd = open(namebuf, O_RDWR|O_NOCTTY);
+                if (*ttyfd < 0) {
+                        error("%.100s: %.100s", namebuf, strerror(errno));
+                        close(*ptyfd);
+                }
+                return 1;
+        }
+        return 0;
+#else
        /* BSD-style pty code. */
        char buf[64];
        int i;
@@ -196,6 +224,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
                return 1;
        }
        return 0;
+#endif /* CRAY */
 #endif /* HAVE_DEV_PTS_AND_PTC */
 #endif /* HAVE_DEV_PTMX */
 #endif /* HAVE__GETPTY */
@@ -218,6 +247,35 @@ pty_release(const char *ttyname)
 void
 pty_make_controlling_tty(int *ttyfd, const char *ttyname)
 {
+#ifdef _CRAY
+        int fd;
+        if (setsid() < 0)
+                       error("setsid: %.100s", strerror(errno));
+        fd = open(ttyname, O_RDWR|O_NOCTTY);
+        if (fd >= 0) {
+                signal(SIGHUP, SIG_IGN);
+                ioctl(fd, TCVHUP, (char *)0);
+                 signal(SIGHUP, SIG_DFL);
+                setpgid(0,0);
+                close(fd);
+        } else {
+                error("Failed to disconnect from controlling tty.");
+        }
+         
+        debug("Setting controlling tty using TCSETCTTY.\n");
+        ioctl(*ttyfd, TCSETCTTY, NULL);
+        fd = open("/dev/tty", O_RDWR);
+        if (fd < 0)
+               error("%.100s: %.100s", ttyname, strerror(errno));
+        close(*ttyfd);
+        *ttyfd = fd;
+#else
        int fd;
 #ifdef USE_VHANGUP
        void *old;
@@ -277,6 +335,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
        else {
                close(fd);
        }
+#endif
 }
 /* Changes the window size associated with the pty. */

diff --git a/ChangeLog b/ChangeLog index 867752050..14f54496b 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -98,7 +98,7 @@
98	[ssh-keygen.c]	98	[ssh-keygen.c]
99	allow uploading RSA keys for non-default AUT0 (sha1 over passphrase	99	allow uploading RSA keys for non-default AUT0 (sha1 over passphrase
100	like sectok).	100	like sectok).
101	- markus@cvs.openbsd.org 2001/08/01 23:38:45	101	- markus@cvs.openbsd.org 2001/08/01 23:38:45
102	[scard.c ssh.c]	102	[scard.c ssh.c]
103	support finish rsa keys.	103	support finish rsa keys.
104	free public keys after login -> call finish -> close smartcard.	104	free public keys after login -> call finish -> close smartcard.
@@ -122,7 +122,7 @@
122	- jakob@cvs.openbsd.org 2001/08/02 15:43:57	122	- jakob@cvs.openbsd.org 2001/08/02 15:43:57
123	[ssh-agent.c ssh.c ssh-keygen.c]	123	[ssh-agent.c ssh.c ssh-keygen.c]
124	add /* SMARTCARD */ to #else/#endif. ok markus@	124	add /* SMARTCARD */ to #else/#endif. ok markus@
125	- jakob@cvs.openbsd.org 2001/08/02 16:14:05	125	- jakob@cvs.openbsd.org 2001/08/02 16:14:05
126	[scard.c ssh-agent.c ssh.c ssh-keygen.c]	126	[scard.c ssh-agent.c ssh.c ssh-keygen.c]
127	clean up some /* SMARTCARD */. ok markus@	127	clean up some /* SMARTCARD */. ok markus@
128	- mpech@cvs.openbsd.org 2001/08/02 18:37:35	128	- mpech@cvs.openbsd.org 2001/08/02 18:37:35
@@ -148,6 +148,8 @@
148	[scp.c]	148	[scp.c]
149	use alarm vs. setitimer for portable; ok markus@	149	use alarm vs. setitimer for portable; ok markus@
150	- (bal) ssh-keyscan double -lssh hack due to seed_rng().	150	- (bal) ssh-keyscan double -lssh hack due to seed_rng().
		151	- (bal) Second around of UNICOS patches. A few other things left.
		152	Patches by William L. Jones <jones@mail.utexas.edu>
151		153
152	20010803	154	20010803
153	- (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on	155	- (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on
@@ -6258,4 +6260,4 @@
6258	- Wrote replacements for strlcpy and mkdtemp	6260	- Wrote replacements for strlcpy and mkdtemp
6259	- Released 1.0pre1	6261	- Released 1.0pre1
6260		6262
6261	$Id: ChangeLog,v 1.1466 2001/08/06 22:56:46 mouring Exp $	6263	$Id: ChangeLog,v 1.1467 2001/08/06 23:29:16 mouring Exp $


diff --git a/configure.in b/configure.in index 75b3626d2..4210d3e94 100644 --- a/configure.in +++ b/configure.in
@@ -1,4 +1,4 @@
1	# $Id: configure.in,v 1.304 2001/07/24 17:00:14 mouring Exp $	1	# $Id: configure.in,v 1.305 2001/08/06 23:29:17 mouring Exp $
2		2
3	AC_INIT(ssh.c)	3	AC_INIT(ssh.c)
4		4
@@ -1453,6 +1453,7 @@ if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then
1453	OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)	1453	OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
1454	OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)	1454	OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
1455	OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)	1455	OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
		1456	OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
1456	OSSH_PATH_ENTROPY_PROG(PROG_W, w)	1457	OSSH_PATH_ENTROPY_PROG(PROG_W, w)
1457	OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)	1458	OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
1458	OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)	1459	OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)


diff --git a/loginrec.c b/loginrec.c index e121ce354..5789aad76 100644 --- a/loginrec.c +++ b/loginrec.c
@@ -163,7 +163,7 @@
163	#include "log.h"	163	#include "log.h"
164	#include "atomicio.h"	164	#include "atomicio.h"
165		165
166	RCSID("$Id: loginrec.c,v 1.33 2001/05/08 20:33:06 mouring Exp $");	166	RCSID("$Id: loginrec.c,v 1.34 2001/08/06 23:29:17 mouring Exp $");
167		167
168	#ifdef HAVE_UTIL_H	168	#ifdef HAVE_UTIL_H
169	# include <util.h>	169	# include <util.h>
@@ -616,9 +616,15 @@ construct_utmp(struct logininfo *li,
616	switch (li->type) {	616	switch (li->type) {
617	case LTYPE_LOGIN:	617	case LTYPE_LOGIN:
618	ut->ut_type = USER_PROCESS;	618	ut->ut_type = USER_PROCESS;
		619	#ifdef _CRAY
		620	cray_set_tmpdir(ut);
		621	#endif
619	break;	622	break;
620	case LTYPE_LOGOUT:	623	case LTYPE_LOGOUT:
621	ut->ut_type = DEAD_PROCESS;	624	ut->ut_type = DEAD_PROCESS;
		625	#ifdef _CRAY
		626	cray_retain_utmp(ut, li->pid);
		627	#endif
622	break;	628	break;
623	}	629	}
624	# endif	630	# endif


diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c index c887322cb..a11a5b6aa 100644 --- a/openbsd-compat/bsd-cray.c +++ b/openbsd-compat/bsd-cray.c
@@ -12,18 +12,24 @@
12	#include <utmp.h>	12	#include <utmp.h>
13	#include <sys/jtab.h>	13	#include <sys/jtab.h>
14	#include <signal.h>	14	#include <signal.h>
		15	#include <sys/priv.h>
		16	#include <sys/secparm.h>
		17	#include <sys/usrv.h>
		18	#include <sys/sysv.h>
		19	#include <sys/sectab.h>
15	#include <sys/stat.h>	20	#include <sys/stat.h>
16	#include <stdlib.h>	21	#include <stdlib.h>
17	#include <pwd.h>	22	#include <pwd.h>
18	#include <fcntl.h>	23	#include <fcntl.h>
19	#include <errno.h>	24	#include <errno.h>
20		25
		26	#include "bsd-cray.h"
		27
21	char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */	28	char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */
22		29
23	/*	30	/*
24	* Functions.	31	* Functions.
25	*/	32	*/
26	int cray_setup(uid_t, char *);
27	void cray_retain_utmp(struct utmp *, int);	33	void cray_retain_utmp(struct utmp *, int);
28	void cray_create_tmpdir(int, uid_t, gid_t);	34	void cray_create_tmpdir(int, uid_t, gid_t);
29	void cray_delete_tmpdir(char *, int , uid_t);	35	void cray_delete_tmpdir(char *, int , uid_t);
@@ -31,17 +37,17 @@ void cray_job_termination_handler (int);
31	void cray_init_job(struct passwd *);	37	void cray_init_job(struct passwd *);
32	void cray_set_tmpdir(struct utmp *);	38	void cray_set_tmpdir(struct utmp *);
33		39
		40
34	/*	41	/*
35	* Orignal written by:	42	* Orignal written by:
36	* Wayne Schroeder	43	* Wayne Schroeder
37	* San Diego Supercomputer Center	44	* San Diego Supercomputer Center
38	* schroeder@sdsc.edu	45	* schroeder@sdsc.edu
39	*/	46	*/
40	int	47	void
41	cray_setup(uid_t uid, char *username)	48	cray_setup(uid_t uid, char *username)
42	{	49	{
43	struct udb *p;	50	struct udb *p;
44	extern struct udb *getudb();
45	extern char *setlimits();	51	extern char *setlimits();
46	int i, j;	52	int i, j;
47	int accts[MAXVIDS];	53	int accts[MAXVIDS];
@@ -52,58 +58,83 @@ cray_setup(uid_t uid, char *username)
52	struct jtab jbuf;	58	struct jtab jbuf;
53	int jid;	59	int jid;
54		60
55	if ((jid = getjtab (&jbuf)) < 0) {	61	if ((jid = getjtab (&jbuf)) < 0) fatal("getjtab: no jid");
56	debug("getjtab");
57	return -1;
58	}
59		62
60	/* Find all of the accounts for a particular user */	63	err = setudb(); /* open and rewind the Cray User DataBase */
61	err = setudb(); /* open and rewind the Cray User DataBase */	64	if(err != 0) fatal("UDB open failure");
62	if(err != 0) {
63	debug("UDB open failure");
64	return -1;
65	}
66	naccts = 0;	65	naccts = 0;
67	while ((p = getudb()) != UDB_NULL) {	66	p = getudbnam(username);
68	if (p->ue_uid == -1) break;	67	if (p == NULL) fatal("No UDB entry for %s", username);
69	if(uid == p->ue_uid) {	68	if(uid != p->ue_uid)
70	for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {	69	fatal("UDB etnry %s uid(%d) does not match uid %d\n",
71	accts[naccts] = p->ue_acids[j];	70	username, p->ue_uid, uid);
72	naccts++;	71	for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
73	}	72	accts[naccts] = p->ue_acids[j];
74	}	73	naccts++;
75	}
76	endudb(); /* close the udb */
77	if (naccts == 0 \|\| accts[0] == 0) {
78	debug("No Cray accounts found");
79	return -1;
80	}
81
82	/* Perhaps someday we'll prompt users who have multiple accounts
83	to let them pick one (like CRI's login does), but for now just set
84	the account to the first entry. */
85	if (acctid(0, accts[0]) < 0) {
86	debug("System call acctid failed, accts[0]=%d",accts[0]);
87	return -1;
88	}	74	}
		75	endudb(); /* close the udb */
		76
		77	if (naccts != 0) {
		78	/* Perhaps someday we'll prompt users who have multiple accounts
		79	to let them pick one (like CRI's login does), but for now just set
		80	the account to the first entry. */
		81	if (acctid(0, accts[0]) < 0)
		82	fatal("System call acctid failed, accts[0]=%d",accts[0]);
		83	}
89		84
90	/* Now set limits, including CPU time for the (interactive) job and process,	85	/* Now set limits, including CPU time for the (interactive) job and process,
91	and set up permissions (for chown etc), etc. This is via an internal CRI	86	and set up permissions (for chown etc), etc. This is via an internal CRI
92	routine, setlimits, used by CRI's login. */	87	routine, setlimits, used by CRI's login. */
93		88
94	pid = getpid();	89	pid = getpid();
95	sr = setlimits(username, C_PROC, pid, UDBRC_INTER);	90	sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
96	if (sr != NULL) {	91	if (sr != NULL) fatal("%.200s", sr);
97	debug("%.200s", sr);	92
98	return -1;
99	}
100	sr = setlimits(username, C_JOB, jid, UDBRC_INTER);	93	sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
101	if (sr != NULL) {	94	if (sr != NULL) fatal("%.200s", sr);
102	debug("%.200s", sr);
103	return -1;
104	}
105		95
106	return 0;	96	}
		97
		98
		99	/*
		100	* The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk
		101	* can have pal privileges that sshd can inherit which
		102	* could allow a user to su to root with out a password.
		103	* This subroutine clears all privileges.
		104	*/
		105	void
		106	drop_cray_privs()
		107	{
		108	#if defined(_SC_CRAY_PRIV_SU)
		109	priv_proc_t* privstate;
		110	int result;
		111	extern int priv_set_proc();
		112	extern priv_proc_t* priv_init_proc();
		113	struct usrv usrv;
		114
		115	/*
		116	* If ether of theses two flags are not set
		117	* then don't allow this version of ssh to run.
		118	*/
		119	if (!sysconf(_SC_CRAY_PRIV_SU)) fatal("Not PRIV_SU system.");
		120	if (!sysconf(_SC_CRAY_POSIX_PRIV)) fatal("Not POSIX_PRIV.");
		121
		122	debug ("Dropping privileges.");
		123
		124	memset(&usrv, 0, sizeof(usrv));
		125	if (setusrv(&usrv) < 0)
		126	fatal ("%s(%d): setusrv(): %s\n", __FILE__, __LINE__, strerror(errno));
		127
		128	if ((privstate = priv_init_proc()) != NULL) {
		129	result = priv_set_proc(privstate);
		130	if ( result != 0 ) fatal ("%s(%d): priv_set_proc(): %s\n",
		131	__FILE__, __LINE__, strerror(errno));
		132	priv_free_proc(privstate);
		133	}
		134	debug ("Privileges should be cleared...");
		135	#else
		136	Cray systems must be run with _SC_CRAY_PRIV_SU on!
		137	#endif
107	}	138	}
108		139
109		140


diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index ca7871c0d..ab07315b6 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
1	/* $Id: openbsd-compat.h,v 1.11 2001/07/14 03:22:54 djm Exp $ */	1	/* $Id: openbsd-compat.h,v 1.12 2001/08/06 23:29:18 mouring Exp $ */
2		2
3	#ifndef _OPENBSD_H	3	#ifndef _OPENBSD_H
4	#define _OPENBSD_H	4	#define _OPENBSD_H
@@ -38,4 +38,7 @@
38	#include "fake-getnameinfo.h"	38	#include "fake-getnameinfo.h"
39	#include "fake-socket.h"	39	#include "fake-socket.h"
40		40
		41	/* Routines for a single OS platform */
		42	#include "bsd-cray.h"
		43
41	#endif /* _OPENBSD_H */	44	#endif /* _OPENBSD_H */


diff --git a/sshd.c b/sshd.c index d1c68445d..b6adc38cb 100644 --- a/sshd.c +++ b/sshd.c
@@ -679,6 +679,13 @@ main(int ac, char **av)
679	options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,	679	options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
680	!inetd_flag);	680	!inetd_flag);
681		681
		682	#ifdef _CRAY
		683	/* Cray can define user privs drop all prives now!
		684	* Not needed on PRIV_SU systems!
		685	*/
		686	drop_cray_privs();
		687	#endif
		688
682	seed_rng();	689	seed_rng();
683		690
684	/* Read server configuration options from the configuration file. */	691	/* Read server configuration options from the configuration file. */


diff --git a/sshpty.c b/sshpty.c index 71e16b79e..84572c901 100644 --- a/sshpty.c +++ b/sshpty.c
@@ -162,6 +162,34 @@ pty_allocate(int ptyfd, int ttyfd, char *namebuf, int namebuflen)
162	}	162	}
163	return 1;	163	return 1;
164	#else /* HAVE_DEV_PTS_AND_PTC */	164	#else /* HAVE_DEV_PTS_AND_PTC */
		165	#ifdef _CRAY
		166	char buf[64];
		167	int i;
		168	int highpty;
		169
		170	#ifdef _SC_CRAY_NPTY
		171	highpty = sysconf(_SC_CRAY_NPTY);
		172	if (highpty == -1)
		173	highpty = 128;
		174	#else
		175	highpty = 128;
		176	#endif
		177
		178	for (i = 0; i < highpty; i++) {
		179	snprintf(buf, sizeof(buf), "/dev/pty/%03d", i);
		180	*ptyfd = open(buf, O_RDWR\|O_NOCTTY);
		181	if (*ptyfd < 0) continue;
		182	snprintf(namebuf, namebuflen, "/dev/ttyp%03d", i);
		183	/* Open the slave side. */
		184	*ttyfd = open(namebuf, O_RDWR\|O_NOCTTY);
		185	if (*ttyfd < 0) {
		186	error("%.100s: %.100s", namebuf, strerror(errno));
		187	close(*ptyfd);
		188	}
		189	return 1;
		190	}
		191	return 0;
		192	#else
165	/* BSD-style pty code. */	193	/* BSD-style pty code. */
166	char buf[64];	194	char buf[64];
167	int i;	195	int i;
@@ -196,6 +224,7 @@ pty_allocate(int ptyfd, int ttyfd, char *namebuf, int namebuflen)
196	return 1;	224	return 1;
197	}	225	}
198	return 0;	226	return 0;
		227	#endif /* CRAY */
199	#endif /* HAVE_DEV_PTS_AND_PTC */	228	#endif /* HAVE_DEV_PTS_AND_PTC */
200	#endif /* HAVE_DEV_PTMX */	229	#endif /* HAVE_DEV_PTMX */
201	#endif /* HAVE__GETPTY */	230	#endif /* HAVE__GETPTY */
@@ -218,6 +247,35 @@ pty_release(const char *ttyname)
218	void	247	void
219	pty_make_controlling_tty(int ttyfd, const char ttyname)	248	pty_make_controlling_tty(int ttyfd, const char ttyname)
220	{	249	{
		250	#ifdef _CRAY
		251	int fd;
		252
		253	if (setsid() < 0)
		254	error("setsid: %.100s", strerror(errno));
		255
		256	fd = open(ttyname, O_RDWR\|O_NOCTTY);
		257	if (fd >= 0) {
		258	signal(SIGHUP, SIG_IGN);
		259	ioctl(fd, TCVHUP, (char *)0);
		260	signal(SIGHUP, SIG_DFL);
		261	setpgid(0,0);
		262	close(fd);
		263	} else {
		264	error("Failed to disconnect from controlling tty.");
		265	}
		266
		267
		268	debug("Setting controlling tty using TCSETCTTY.\n");
		269	ioctl(*ttyfd, TCSETCTTY, NULL);
		270
		271	fd = open("/dev/tty", O_RDWR);
		272
		273	if (fd < 0)
		274	error("%.100s: %.100s", ttyname, strerror(errno));
		275
		276	close(*ttyfd);
		277	*ttyfd = fd;
		278	#else
221	int fd;	279	int fd;
222	#ifdef USE_VHANGUP	280	#ifdef USE_VHANGUP
223	void *old;	281	void *old;
@@ -277,6 +335,7 @@ pty_make_controlling_tty(int ttyfd, const char ttyname)
277	else {	335	else {
278	close(fd);	336	close(fd);
279	}	337	}
		338	#endif
280	}	339	}
281		340
282	/* Changes the window size associated with the pty. */	341	/* Changes the window size associated with the pty. */