diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | openbsd-compat/bsd-cray.c | 613 | ||||
-rw-r--r-- | openbsd-compat/bsd-cray.h | 17 |
3 files changed, 571 insertions, 64 deletions
@@ -1,3 +1,6 @@ | |||
1 | 20020723 | ||
2 | - (bal) [bsd-cray.c bsd-cray.h] Part 2 of Cray merger. | ||
3 | |||
1 | 20020722 | 4 | 20020722 |
2 | - (bal) AIX tty data limiting patch fix by leigh@solinno.co.uk | 5 | - (bal) AIX tty data limiting patch fix by leigh@solinno.co.uk |
3 | - (stevesk) [xmmap.c] missing prototype for fatal() | 6 | - (stevesk) [xmmap.c] missing prototype for fatal() |
@@ -1420,4 +1423,4 @@ | |||
1420 | - (stevesk) entropy.c: typo in debug message | 1423 | - (stevesk) entropy.c: typo in debug message |
1421 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ | 1424 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ |
1422 | 1425 | ||
1423 | $Id: ChangeLog,v 1.2393 2002/07/23 00:51:53 stevesk Exp $ | 1426 | $Id: ChangeLog,v 1.2394 2002/07/23 21:00:17 mouring Exp $ |
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c index 9bab75b41..8a14b0807 100644 --- a/openbsd-compat/bsd-cray.c +++ b/openbsd-compat/bsd-cray.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * $Id: bsd-cray.c,v 1.6 2002/05/15 16:39:51 mouring Exp $ | 2 | * $Id: bsd-cray.c,v 1.7 2002/07/23 21:00:18 mouring Exp $ |
3 | * | 3 | * |
4 | * bsd-cray.c | 4 | * bsd-cray.c |
5 | * | 5 | * |
@@ -34,8 +34,8 @@ | |||
34 | * on UNICOS systems. | 34 | * on UNICOS systems. |
35 | * | 35 | * |
36 | */ | 36 | */ |
37 | #if defined(_CRAY) && !defined(_CRAYSV2) | ||
37 | 38 | ||
38 | #ifdef _CRAY | ||
39 | #include <udb.h> | 39 | #include <udb.h> |
40 | #include <tmpdir.h> | 40 | #include <tmpdir.h> |
41 | #include <unistd.h> | 41 | #include <unistd.h> |
@@ -45,19 +45,33 @@ | |||
45 | #include <signal.h> | 45 | #include <signal.h> |
46 | #include <sys/priv.h> | 46 | #include <sys/priv.h> |
47 | #include <sys/secparm.h> | 47 | #include <sys/secparm.h> |
48 | #include <sys/tfm.h> | ||
48 | #include <sys/usrv.h> | 49 | #include <sys/usrv.h> |
49 | #include <sys/sysv.h> | 50 | #include <sys/sysv.h> |
50 | #include <sys/sectab.h> | 51 | #include <sys/sectab.h> |
52 | #include <sys/secstat.h> | ||
51 | #include <sys/stat.h> | 53 | #include <sys/stat.h> |
54 | #include <sys/session.h> | ||
52 | #include <stdlib.h> | 55 | #include <stdlib.h> |
53 | #include <pwd.h> | 56 | #include <pwd.h> |
54 | #include <fcntl.h> | 57 | #include <fcntl.h> |
55 | #include <errno.h> | 58 | #include <errno.h> |
56 | 59 | #include <ia.h> | |
60 | #include <urm.h> | ||
61 | #include "ssh.h" | ||
62 | #include "log.h" | ||
63 | #include "servconf.h" | ||
57 | #include "bsd-cray.h" | 64 | #include "bsd-cray.h" |
58 | 65 | ||
66 | #define MAXACID 80 | ||
67 | |||
68 | extern ServerOptions options; | ||
69 | |||
59 | char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */ | 70 | char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */ |
60 | 71 | ||
72 | struct sysv sysv; /* system security structure */ | ||
73 | struct usrv usrv; /* user security structure */ | ||
74 | |||
61 | /* | 75 | /* |
62 | * Functions. | 76 | * Functions. |
63 | */ | 77 | */ |
@@ -65,68 +79,538 @@ void cray_retain_utmp(struct utmp *, int); | |||
65 | void cray_delete_tmpdir(char *, int, uid_t); | 79 | void cray_delete_tmpdir(char *, int, uid_t); |
66 | void cray_init_job(struct passwd *); | 80 | void cray_init_job(struct passwd *); |
67 | void cray_set_tmpdir(struct utmp *); | 81 | void cray_set_tmpdir(struct utmp *); |
82 | void cray_login_failure(char *, int); | ||
83 | int cray_setup(uid_t, char *, const char *); | ||
84 | int cray_access_denied(char *); | ||
85 | |||
86 | void | ||
87 | cray_login_failure(char *username, int errcode) | ||
88 | { | ||
89 | struct udb *ueptr; /* UDB pointer for username */ | ||
90 | ia_failure_t fsent; /* ia_failure structure */ | ||
91 | ia_failure_ret_t fret; /* ia_failure return stuff */ | ||
92 | struct jtab jtab; /* job table structure */ | ||
93 | int jid = 0; /* job id */ | ||
94 | |||
95 | if ((jid = getjtab(&jtab)) < 0) { | ||
96 | debug("cray_login_failure(): getjtab error"); | ||
97 | } | ||
98 | getsysudb(); | ||
99 | if ((ueptr = getudbnam(username)) == UDB_NULL) { | ||
100 | debug("cray_login_failure(): getudbname() returned NULL"); | ||
101 | } | ||
102 | endudb(); | ||
103 | fsent.revision = 0; | ||
104 | fsent.uname = username; | ||
105 | fsent.host = (char *)get_canonical_hostname(options.verify_reverse_mapping); | ||
106 | fsent.ttyn = "sshd"; | ||
107 | fsent.caller = IA_SSHD; | ||
108 | fsent.flags = IA_INTERACTIVE; | ||
109 | fsent.ueptr = ueptr; | ||
110 | fsent.jid = jid; | ||
111 | fsent.errcode = errcode; | ||
112 | fsent.pwdp = NULL; | ||
113 | fsent.exitcode = 0; /* dont exit in ia_failure() */ | ||
114 | |||
115 | fret.revision = 0; | ||
116 | fret.normal = 0; | ||
68 | 117 | ||
118 | /* | ||
119 | * Call ia_failure because of an login failure. | ||
120 | */ | ||
121 | ia_failure(&fsent,&fret); | ||
122 | } | ||
69 | 123 | ||
70 | /* | 124 | /* |
71 | * Orignal written by: | 125 | * Cray access denied |
72 | * Wayne Schroeder | 126 | */ |
73 | * San Diego Supercomputer Center | 127 | int |
74 | * schroeder@sdsc.edu | 128 | cray_access_denied(char *username) |
75 | */ | ||
76 | void | ||
77 | cray_setup(uid_t uid, char *username) | ||
78 | { | 129 | { |
79 | struct udb *p; | 130 | struct udb *ueptr; /* UDB pointer for username */ |
131 | int errcode; /* IA errorcode */ | ||
132 | |||
133 | errcode = 0; | ||
134 | getsysudb(); | ||
135 | if ((ueptr = getudbnam(username)) == UDB_NULL) { | ||
136 | debug("cray_login_failure(): getudbname() returned NULL"); | ||
137 | } | ||
138 | endudb(); | ||
139 | if (ueptr && ueptr->ue_disabled) | ||
140 | errcode = IA_DISABLED; | ||
141 | if (errcode) | ||
142 | cray_login_failure(username, errcode); | ||
143 | return (errcode); | ||
144 | } | ||
145 | |||
146 | int | ||
147 | cray_setup (uid_t uid, char *username, const char *command) | ||
148 | { | ||
149 | extern struct udb *getudb(); | ||
80 | extern char *setlimits(); | 150 | extern char *setlimits(); |
81 | int i, j; | ||
82 | int accts[MAXVIDS]; | ||
83 | int naccts; | ||
84 | int err; | ||
85 | char *sr; | ||
86 | int pid; | ||
87 | struct jtab jbuf; | ||
88 | int jid; | ||
89 | 151 | ||
90 | if ((jid = getjtab(&jbuf)) < 0) | 152 | int err; /* error return */ |
91 | fatal("getjtab: no jid"); | 153 | time_t system_time; /* current system clock */ |
92 | 154 | time_t expiration_time; /* password expiration time */ | |
93 | err = setudb(); /* open and rewind the Cray User DataBase */ | 155 | int maxattempts; /* maximum no. of failed login attempts */ |
94 | if (err != 0) | 156 | int SecureSys; /* unicos security flag */ |
95 | fatal("UDB open failure"); | 157 | int minslevel = 0; /* system minimum security level */ |
96 | naccts = 0; | 158 | int i, j; |
97 | p = getudbnam(username); | 159 | int valid_acct = -1; /* flag for reading valid acct */ |
98 | if (p == NULL) | 160 | char acct_name[MAXACID] = { "" }; /* used to read acct name */ |
99 | fatal("No UDB entry for %.100s", username); | 161 | struct jtab jtab; /* Job table struct */ |
100 | if (uid != p->ue_uid) | 162 | struct udb ue; /* udb entry for logging-in user */ |
101 | fatal("UDB entry %.100s uid(%d) does not match uid %d", | 163 | struct udb *up; /* pointer to UDB entry */ |
102 | username, (int) p->ue_uid, (int) uid); | 164 | struct secstat secinfo; /* file security attributes */ |
103 | for (j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) { | 165 | struct servprov init_info; /* used for sesscntl() call */ |
104 | accts[naccts] = p->ue_acids[j]; | 166 | int jid; /* job ID */ |
105 | naccts++; | 167 | int pid; /* process ID */ |
168 | char *sr; /* status return from setlimits() */ | ||
169 | char *ttyn = NULL; /* ttyname or command name*/ | ||
170 | char hostname[MAXHOSTNAMELEN]; | ||
171 | passwd_t pwdacm, | ||
172 | pwddialup, | ||
173 | pwdudb, | ||
174 | pwdwal, | ||
175 | pwddce; /* passwd stuff for ia_user */ | ||
176 | ia_user_ret_t uret; /* stuff returned from ia_user */ | ||
177 | ia_user_t usent; /* ia_user main structure */ | ||
178 | int ia_rcode; /* ia_user return code */ | ||
179 | ia_failure_t fsent; /* ia_failure structure */ | ||
180 | ia_failure_ret_t fret; /* ia_failure return stuff */ | ||
181 | ia_success_t ssent; /* ia_success structure */ | ||
182 | ia_success_ret_t sret; /* ia_success return stuff */ | ||
183 | int ia_mlsrcode; /* ia_mlsuser return code */ | ||
184 | int secstatrc; /* [f]secstat return code */ | ||
185 | |||
186 | if (SecureSys = (int)sysconf(_SC_CRAY_SECURE_SYS)) { | ||
187 | getsysv(&sysv, sizeof(struct sysv)); | ||
188 | minslevel = sysv.sy_minlvl; | ||
189 | if (getusrv(&usrv) < 0) { | ||
190 | debug("getusrv() failed, errno = %d",errno); | ||
191 | exit(1); | ||
192 | } | ||
106 | } | 193 | } |
107 | endudb(); /* close the udb */ | 194 | hostname[0] = '\0'; |
108 | 195 | strncpy(hostname, | |
109 | if (naccts != 0) { | 196 | (char *)get_canonical_hostname(options.verify_reverse_mapping), |
110 | /* Perhaps someday we'll prompt users who have multiple accounts | 197 | MAXHOSTNAMELEN); |
111 | to let them pick one (like CRI's login does), but for now just set | 198 | /* |
112 | the account to the first entry. */ | 199 | * Fetch user's UDB entry. |
113 | if (acctid(0, accts[0]) < 0) | 200 | */ |
114 | fatal("System call acctid failed, accts[0]=%d", accts[0]); | 201 | getsysudb(); |
202 | if ((up = getudbnam(username)) == UDB_NULL) { | ||
203 | debug("cannot fetch user's UDB entry"); | ||
204 | exit(1); | ||
205 | } | ||
206 | |||
207 | /* | ||
208 | * Prevent any possible fudging so perform a data | ||
209 | * safety check and compare the supplied uid against | ||
210 | * the udb's uid. | ||
211 | */ | ||
212 | if (up->ue_uid != uid) { | ||
213 | debug("IA uid missmatch"); | ||
214 | exit(1); | ||
215 | } | ||
216 | endudb(); | ||
217 | |||
218 | if ((jid = getjtab (&jtab)) < 0) { | ||
219 | debug("getjtab"); | ||
220 | return -1; | ||
221 | } | ||
222 | pid = getpid(); | ||
223 | ttyn = ttyname(0); | ||
224 | if (SecureSys) { | ||
225 | if (ttyn) { | ||
226 | secstatrc = secstat(ttyn, &secinfo); | ||
227 | } else { | ||
228 | secstatrc = fsecstat(1, &secinfo); | ||
229 | } | ||
230 | if (secstatrc == 0) { | ||
231 | debug("[f]secstat() successful"); | ||
232 | } else { | ||
233 | debug("[f]secstat() error, rc = %d", secstatrc); | ||
234 | exit(1); | ||
235 | } | ||
236 | } | ||
237 | if ((ttyn == NULL) && ((char *)command != NULL)) | ||
238 | ttyn = (char *)command; | ||
239 | /* | ||
240 | * Initialize all structures to call ia_user | ||
241 | */ | ||
242 | usent.revision = 0; | ||
243 | usent.uname = username; | ||
244 | usent.host = hostname; | ||
245 | usent.ttyn = ttyn; | ||
246 | usent.caller = IA_SSHD; | ||
247 | usent.pswdlist = &pwdacm; | ||
248 | usent.ueptr = &ue; | ||
249 | usent.flags = IA_INTERACTIVE | IA_FFLAG; | ||
250 | pwdacm.atype = IA_SECURID; | ||
251 | pwdacm.pwdp = NULL; | ||
252 | pwdacm.next = &pwdudb; | ||
253 | |||
254 | pwdudb.atype = IA_UDB; | ||
255 | pwdudb.pwdp = NULL; | ||
256 | pwdudb.next = &pwddce; | ||
257 | |||
258 | pwddce.atype = IA_DCE; | ||
259 | pwddce.pwdp = NULL; | ||
260 | pwddce.next = &pwddialup; | ||
261 | |||
262 | pwddialup.atype = IA_DIALUP; | ||
263 | pwddialup.pwdp = NULL; | ||
264 | /* pwddialup.next = &pwdwal; */ | ||
265 | pwddialup.next = NULL; | ||
266 | |||
267 | pwdwal.atype = IA_WAL; | ||
268 | pwdwal.pwdp = NULL; | ||
269 | pwdwal.next = NULL; | ||
270 | |||
271 | uret.revision = 0; | ||
272 | uret.pswd = NULL; | ||
273 | uret.normal = 0; | ||
274 | |||
275 | ia_rcode = ia_user(&usent, &uret); | ||
276 | |||
277 | switch (ia_rcode) { | ||
278 | /* | ||
279 | * These are acceptable return codes from ia_user() | ||
280 | */ | ||
281 | case IA_UDBWEEK: /* Password Expires in 1 week */ | ||
282 | expiration_time = ue.ue_pwage.time + ue.ue_pwage.maxage; | ||
283 | printf ("WARNING - your current password will expire %s\n", | ||
284 | ctime((const time_t *)&expiration_time)); | ||
285 | break; | ||
286 | case IA_UDBEXPIRED: | ||
287 | if (ttyname(0) != NULL) { | ||
288 | /* Force a password change */ | ||
289 | printf("Your password has expired; Choose a new one.\n"); | ||
290 | execl("/bin/passwd", "passwd", username, 0); | ||
291 | exit(9); | ||
292 | } | ||
293 | |||
294 | break; | ||
295 | case IA_NORMAL: /* Normal Return Code */ | ||
296 | break; | ||
297 | case IA_BACKDOOR: | ||
298 | strcpy(ue.ue_name, "root"); | ||
299 | strcpy(ue.ue_passwd, ""); | ||
300 | strcpy(ue.ue_dir, "/"); | ||
301 | strcpy(ue.ue_shell, "/bin/sh"); | ||
302 | strcpy(ue.ue_age, ""); | ||
303 | strcpy(ue.ue_comment, ""); | ||
304 | strcpy(ue.ue_loghost, ""); | ||
305 | strcpy(ue.ue_logline, ""); | ||
306 | ue.ue_uid=-1; | ||
307 | ue.ue_nice[UDBRC_INTER]=0; | ||
308 | for (i=0;i<MAXVIDS;i++) | ||
309 | ue.ue_gids[i]=0; | ||
310 | ue.ue_logfails=0; | ||
311 | ue.ue_minlvl=minslevel; | ||
312 | ue.ue_maxlvl=minslevel; | ||
313 | ue.ue_deflvl=minslevel; | ||
314 | ue.ue_defcomps=0; | ||
315 | ue.ue_comparts=0; | ||
316 | ue.ue_permits=0; | ||
317 | ue.ue_trap=0; | ||
318 | ue.ue_disabled=0; | ||
319 | ue.ue_logtime=0; | ||
320 | break; | ||
321 | case IA_CONSOLE: /* Superuser not from Console */ | ||
322 | case IA_TRUSTED: /* Trusted user */ | ||
323 | if (options.permit_root_login > PERMIT_NO) | ||
324 | break; /* Accept root login */ | ||
325 | default: | ||
326 | /* | ||
327 | * These are failed return codes from ia_user() | ||
328 | */ | ||
329 | switch (ia_rcode) | ||
330 | { | ||
331 | case IA_BADAUTH: | ||
332 | printf ("Bad authorization, access denied.\n"); | ||
333 | break; | ||
334 | case IA_DIALUPERR: | ||
335 | break; | ||
336 | case IA_DISABLED: | ||
337 | printf ("Your login has been disabled. Contact the system "); | ||
338 | printf ("administrator for assistance.\n"); | ||
339 | break; | ||
340 | case IA_GETSYSV: | ||
341 | printf ("getsysv() failed - errno = %d\n", errno); | ||
342 | break; | ||
343 | case IA_LOCALHOST: | ||
344 | break; | ||
345 | case IA_MAXLOGS: | ||
346 | printf ("Maximum number of failed login attempts exceeded.\n"); | ||
347 | printf ("Access denied.\n"); | ||
348 | break; | ||
349 | case IA_NOPASS: | ||
350 | break; | ||
351 | case IA_PUBLIC: | ||
352 | break; | ||
353 | case IA_SECURIDERR: | ||
354 | break; | ||
355 | case IA_CONSOLE: | ||
356 | break; | ||
357 | case IA_TRUSTED: | ||
358 | break; | ||
359 | case IA_UDBERR: | ||
360 | break; | ||
361 | case IA_UDBPWDNULL: | ||
362 | /* | ||
363 | * NULL password not allowed on MLS systems | ||
364 | */ | ||
365 | if (SecureSys) { | ||
366 | printf("NULL Password not allowed on MLS systems.\n"); | ||
367 | } | ||
368 | break; | ||
369 | case IA_UNKNOWN: | ||
370 | break; | ||
371 | case IA_UNKNOWNYP: | ||
372 | break; | ||
373 | case IA_WALERR: | ||
374 | break; | ||
375 | default: | ||
376 | /* nothing special */ | ||
377 | ; | ||
378 | } /* 2. switch (ia_rcode) */ | ||
379 | /* | ||
380 | * Authentication failed. | ||
381 | */ | ||
382 | printf("sshd: Login incorrect, (0%o)\n", | ||
383 | ia_rcode-IA_ERRORCODE); | ||
384 | |||
385 | /* | ||
386 | * Initialize structure for ia_failure | ||
387 | * which will exit. | ||
388 | */ | ||
389 | fsent.revision = 0; | ||
390 | fsent.uname = username; | ||
391 | fsent.host = hostname; | ||
392 | fsent.ttyn = ttyn; | ||
393 | fsent.caller = IA_SSHD; | ||
394 | fsent.flags = IA_INTERACTIVE; | ||
395 | fsent.ueptr = &ue; | ||
396 | fsent.jid = jid; | ||
397 | fsent.errcode = ia_rcode; | ||
398 | fsent.pwdp = uret.pswd; | ||
399 | fsent.exitcode = 1; | ||
400 | |||
401 | fret.revision = 0; | ||
402 | fret.normal = 0; | ||
403 | |||
404 | /* | ||
405 | * Call ia_failure because of an IA failure. | ||
406 | * There is no return because ia_failure exits. | ||
407 | */ | ||
408 | |||
409 | ia_failure(&fsent,&fret); | ||
410 | |||
411 | exit(1); | ||
412 | } /* 1. switch (ia_rcode) */ | ||
413 | ia_mlsrcode = IA_NORMAL; | ||
414 | if (SecureSys) { | ||
415 | debug("calling ia_mlsuser()"); | ||
416 | ia_mlsrcode = ia_mlsuser (&ue, &secinfo, &usrv, NULL, 0); | ||
417 | } | ||
418 | if (ia_mlsrcode != IA_NORMAL) { | ||
419 | printf("sshd: Login incorrect, (0%o)\n", | ||
420 | ia_mlsrcode-IA_ERRORCODE); | ||
421 | /* | ||
422 | * Initialize structure for ia_failure | ||
423 | * which will exit. | ||
424 | */ | ||
425 | fsent.revision = 0; | ||
426 | fsent.uname = username; | ||
427 | fsent.host = hostname; | ||
428 | fsent.ttyn = ttyn; | ||
429 | fsent.caller = IA_SSHD; | ||
430 | fsent.flags = IA_INTERACTIVE; | ||
431 | fsent.ueptr = &ue; | ||
432 | fsent.jid = jid; | ||
433 | fsent.errcode = ia_mlsrcode; | ||
434 | fsent.pwdp = uret.pswd; | ||
435 | fsent.exitcode = 1; | ||
436 | fret.revision = 0; | ||
437 | fret.normal = 0; | ||
438 | |||
439 | /* | ||
440 | * Call ia_failure because of an IA failure. | ||
441 | * There is no return because ia_failure exits. | ||
442 | */ | ||
443 | ia_failure(&fsent,&fret); | ||
444 | exit(1); | ||
115 | } | 445 | } |
116 | 446 | ||
117 | /* Now set limits, including CPU time for the (interactive) job and process, | 447 | /* Provide login status information */ |
118 | and set up permissions (for chown etc), etc. This is via an internal CRI | 448 | if (options.print_lastlog && ue.ue_logtime != 0) { |
119 | routine, setlimits, used by CRI's login. */ | 449 | printf("Last successful login was : %.*s ", |
450 | 19, (char *)ctime(&ue.ue_logtime)); | ||
451 | |||
452 | if (*ue.ue_loghost != '\0') | ||
453 | printf("from %.*s\n", sizeof(ue.ue_loghost), ue.ue_loghost); | ||
454 | |||
455 | else printf("on %.*s\n", sizeof(ue.ue_logline), ue.ue_logline); | ||
456 | |||
457 | if ( SecureSys && (ue.ue_logfails != 0)) | ||
458 | printf(" followed by %d failed attempts\n", ue.ue_logfails); | ||
459 | } | ||
460 | |||
461 | |||
462 | /* | ||
463 | * Call ia_success to process successful I/A. | ||
464 | */ | ||
465 | ssent.revision = 0; | ||
466 | ssent.uname = username; | ||
467 | ssent.host = hostname; | ||
468 | ssent.ttyn = ttyn; | ||
469 | ssent.caller = IA_SSHD; | ||
470 | ssent.flags = IA_INTERACTIVE; | ||
471 | ssent.ueptr = &ue; | ||
472 | ssent.jid = jid; | ||
473 | ssent.errcode = ia_rcode; | ||
474 | ssent.us = NULL; | ||
475 | ssent.time = 1; /* Set ue_logtime */ | ||
476 | |||
477 | sret.revision = 0; | ||
478 | sret.normal = 0; | ||
479 | |||
480 | ia_success(&ssent,&sret); | ||
481 | |||
482 | /* | ||
483 | * Query for account, iff > 1 valid acid & askacid permbit | ||
484 | */ | ||
485 | if (((ue.ue_permbits & PERMBITS_ACCTID) || | ||
486 | (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) && | ||
487 | ue.ue_permbits & PERMBITS_ASKACID) { | ||
488 | if (ttyname(0) != NULL) { | ||
489 | debug("cray_setup: ttyname true case, %.100s", ttyname); | ||
490 | while (valid_acct == -1) { | ||
491 | printf("Account (? for available accounts)" | ||
492 | " [%s]: ", acid2nam(ue.ue_acids[0])); | ||
493 | gets(acct_name); | ||
494 | switch (acct_name[0]) { | ||
495 | case EOF: | ||
496 | exit(0); | ||
497 | break; | ||
498 | case '\0': | ||
499 | valid_acct = ue.ue_acids[0]; | ||
500 | strcpy(acct_name, acid2nam(valid_acct)); | ||
501 | break; | ||
502 | case '?': | ||
503 | /* Print the list 3 wide */ | ||
504 | for (i = 0, j = 0; i < MAXVIDS; i++) { | ||
505 | if (ue.ue_acids[i] == -1) { | ||
506 | printf("\n"); | ||
507 | break; | ||
508 | } | ||
509 | if (++j == 4) { | ||
510 | j = 1; | ||
511 | printf("\n"); | ||
512 | } | ||
513 | printf(" %s", | ||
514 | acid2nam(ue.ue_acids[i])); | ||
515 | } | ||
516 | if (ue.ue_permbits & PERMBITS_ACCTID) | ||
517 | printf("\"acctid\" permbit also allows" | ||
518 | " you to select any valid " | ||
519 | "account name.\n"); | ||
520 | printf("\n"); | ||
521 | break; | ||
522 | default: | ||
523 | if ((valid_acct = nam2acid(acct_name)) == -1) printf("Account id not found for" | ||
524 | " account name \"%s\"\n\n", | ||
525 | acct_name); | ||
526 | break; | ||
527 | } | ||
528 | /* | ||
529 | * If an account was given, search the user's | ||
530 | * acids array to verify they can use this account. | ||
531 | */ | ||
532 | if ((valid_acct != -1) && | ||
533 | !(ue.ue_permbits & PERMBITS_ACCTID)) { | ||
534 | for (i = 0; i < MAXVIDS; i++) { | ||
535 | if (ue.ue_acids[i] == -1) | ||
536 | break; | ||
537 | if (valid_acct == ue.ue_acids[i]) | ||
538 | break; | ||
539 | } | ||
540 | if (i == MAXVIDS || | ||
541 | ue.ue_acids[i] == -1) { | ||
542 | fprintf(stderr, "Cannot set" | ||
543 | " account name to " | ||
544 | "\"%s\", permission " | ||
545 | "denied\n\n", acct_name); | ||
546 | valid_acct = -1; | ||
547 | } | ||
548 | } | ||
549 | } | ||
550 | } else { | ||
551 | /* | ||
552 | * The client isn't connected to a terminal and can't | ||
553 | * respond to an acid prompt. Use default acid. | ||
554 | */ | ||
555 | debug("cray_setup: ttyname false case, %.100s", ttyname); | ||
556 | valid_acct = ue.ue_acids[0]; | ||
557 | } | ||
558 | } else { | ||
559 | /* | ||
560 | * The user doesn't have the askacid permbit set or | ||
561 | * only has one valid account to use. | ||
562 | */ | ||
563 | valid_acct = ue.ue_acids[0]; | ||
564 | } | ||
565 | if (acctid(0, valid_acct) < 0) { | ||
566 | printf ("Bad account id: %d\n", valid_acct); | ||
567 | exit(1); | ||
568 | } | ||
569 | |||
570 | /* set up shares and quotas */ | ||
571 | /* Now set shares, quotas, limits, including CPU time for the (interactive) | ||
572 | * job and process, and set up permissions (for chown etc), etc. | ||
573 | */ | ||
574 | if (setshares(ue.ue_uid, valid_acct, printf, 0, 0)) { | ||
575 | printf("Unable to give %d shares to <%s>(%d/%d)\n", ue.ue_shares, ue.ue_name, ue.ue_uid, valid_acct); | ||
576 | exit(1); | ||
577 | } | ||
120 | 578 | ||
121 | pid = getpid(); | ||
122 | sr = setlimits(username, C_PROC, pid, UDBRC_INTER); | 579 | sr = setlimits(username, C_PROC, pid, UDBRC_INTER); |
123 | if (sr != NULL) | 580 | if (sr != NULL) { |
124 | fatal("%.200s", sr); | 581 | debug("%.200s", sr); |
125 | 582 | exit(1); | |
583 | } | ||
126 | sr = setlimits(username, C_JOB, jid, UDBRC_INTER); | 584 | sr = setlimits(username, C_JOB, jid, UDBRC_INTER); |
127 | if (sr != NULL) | 585 | if (sr != NULL) { |
128 | fatal("%.200s", sr); | 586 | debug("%.200s", sr); |
587 | exit(1); | ||
588 | } | ||
589 | /* | ||
590 | * Place the service provider information into | ||
591 | * the session table (Unicos) or job table (Unicos/mk). | ||
592 | * There exist double defines for the job/session table in | ||
593 | * unicos/mk (jtab.h) so no need for a compile time switch. | ||
594 | */ | ||
595 | bzero((char *)&init_info, sizeof(struct servprov)); | ||
596 | init_info.s_sessinit.si_id = URM_SPT_LOGIN; | ||
597 | init_info.s_sessinit.si_pid = getpid(); | ||
598 | init_info.s_sessinit.si_sid = jid; | ||
599 | init_info.s_routing.seqno = 0; | ||
600 | init_info.s_routing.iadrs = 0; | ||
601 | sesscntl(0, S_SETSERVPO, (int)&init_info); | ||
129 | 602 | ||
603 | /* | ||
604 | * Set user and controlling tty security attributes. | ||
605 | */ | ||
606 | if (SecureSys) { | ||
607 | if (setusrv(&usrv) == -1) { | ||
608 | debug("setusrv() failed, errno = %d",errno); | ||
609 | exit(1); | ||
610 | } | ||
611 | } | ||
612 | |||
613 | return(0); | ||
130 | } | 614 | } |
131 | 615 | ||
132 | /* | 616 | /* |
@@ -143,7 +627,6 @@ drop_cray_privs() | |||
143 | int result; | 627 | int result; |
144 | extern int priv_set_proc(); | 628 | extern int priv_set_proc(); |
145 | extern priv_proc_t* priv_init_proc(); | 629 | extern priv_proc_t* priv_init_proc(); |
146 | struct usrv usrv; | ||
147 | 630 | ||
148 | /* | 631 | /* |
149 | * If ether of theses two flags are not set | 632 | * If ether of theses two flags are not set |
@@ -154,9 +637,23 @@ drop_cray_privs() | |||
154 | if (!sysconf(_SC_CRAY_POSIX_PRIV)) | 637 | if (!sysconf(_SC_CRAY_POSIX_PRIV)) |
155 | fatal("Not POSIX_PRIV."); | 638 | fatal("Not POSIX_PRIV."); |
156 | 639 | ||
157 | debug("Dropping privileges."); | 640 | debug("Setting MLS labels.");; |
641 | |||
642 | if (sysconf(_SC_CRAY_SECURE_MAC)) { | ||
643 | usrv.sv_minlvl = SYSLOW; | ||
644 | usrv.sv_actlvl = SYSHIGH; | ||
645 | usrv.sv_maxlvl = SYSHIGH; | ||
646 | } else { | ||
647 | usrv.sv_minlvl = sysv.sy_minlvl; | ||
648 | usrv.sv_actlvl = sysv.sy_minlvl; | ||
649 | usrv.sv_maxlvl = sysv.sy_maxlvl; | ||
650 | } | ||
651 | usrv.sv_actcmp = 0; | ||
652 | usrv.sv_valcmp = sysv.sy_valcmp; | ||
653 | |||
654 | usrv.sv_intcat = TFM_SYSTEM; | ||
655 | usrv.sv_valcat |= (TFM_SYSTEM | TFM_SYSFILE); | ||
158 | 656 | ||
159 | memset(&usrv, 0, sizeof(usrv)); | ||
160 | if (setusrv(&usrv) < 0) | 657 | if (setusrv(&usrv) < 0) |
161 | fatal("%s(%d): setusrv(): %s", __FILE__, __LINE__, | 658 | fatal("%s(%d): setusrv(): %s", __FILE__, __LINE__, |
162 | strerror(errno)); | 659 | strerror(errno)); |
@@ -189,7 +686,6 @@ cray_retain_utmp(struct utmp *ut, int pid) | |||
189 | while (read(fd, (char *)&utmp, sizeof(utmp)) == sizeof(utmp)) { | 686 | while (read(fd, (char *)&utmp, sizeof(utmp)) == sizeof(utmp)) { |
190 | if (pid == utmp.ut_pid) { | 687 | if (pid == utmp.ut_pid) { |
191 | ut->ut_jid = utmp.ut_jid; | 688 | ut->ut_jid = utmp.ut_jid; |
192 | /* XXX: MIN_SIZEOF here? can this go in loginrec? */ | ||
193 | strncpy(ut->ut_tpath, utmp.ut_tpath, sizeof(utmp.ut_tpath)); | 689 | strncpy(ut->ut_tpath, utmp.ut_tpath, sizeof(utmp.ut_tpath)); |
194 | strncpy(ut->ut_host, utmp.ut_host, sizeof(utmp.ut_host)); | 690 | strncpy(ut->ut_host, utmp.ut_host, sizeof(utmp.ut_host)); |
195 | strncpy(ut->ut_name, utmp.ut_name, sizeof(utmp.ut_name)); | 691 | strncpy(ut->ut_name, utmp.ut_name, sizeof(utmp.ut_name)); |
@@ -198,7 +694,8 @@ cray_retain_utmp(struct utmp *ut, int pid) | |||
198 | } | 694 | } |
199 | close(fd); | 695 | close(fd); |
200 | } | 696 | } |
201 | /* XXX: error message? */ | 697 | else |
698 | fatal("Unable to open utmp file"); | ||
202 | } | 699 | } |
203 | 700 | ||
204 | /* | 701 | /* |
@@ -245,7 +742,7 @@ cray_job_termination_handler(int sig) | |||
245 | char *login = NULL; | 742 | char *login = NULL; |
246 | struct jtab jtab; | 743 | struct jtab jtab; |
247 | 744 | ||
248 | debug("Received SIG JOB."); | 745 | debug("received signal %d",sig); |
249 | 746 | ||
250 | if ((jid = waitjob(&jtab)) == -1 || | 747 | if ((jid = waitjob(&jtab)) == -1 || |
251 | (login = uid2nam(jtab.j_uid)) == NULL) | 748 | (login = uid2nam(jtab.j_uid)) == NULL) |
diff --git a/openbsd-compat/bsd-cray.h b/openbsd-compat/bsd-cray.h index 9067a389a..0b75b2268 100644 --- a/openbsd-compat/bsd-cray.h +++ b/openbsd-compat/bsd-cray.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * $Id: bsd-cray.h,v 1.3 2002/05/15 16:39:52 mouring Exp $ | 2 | * $Id: bsd-cray.h,v 1.4 2002/07/23 21:00:18 mouring Exp $ |
3 | * | 3 | * |
4 | * bsd-cray.h | 4 | * bsd-cray.h |
5 | * | 5 | * |
@@ -37,11 +37,18 @@ | |||
37 | #ifndef _BSD_CRAY_H | 37 | #ifndef _BSD_CRAY_H |
38 | #define _BSD_CRAY_H | 38 | #define _BSD_CRAY_H |
39 | 39 | ||
40 | #ifdef _CRAY | 40 | #if defined(_CRAY) && !defined(_CRAYSV2) |
41 | void cray_init_job(struct passwd *); /* init cray job */ | 41 | void cray_init_job(struct passwd *); /* init cray job */ |
42 | void cray_job_termination_handler(int); /* process end of job signal */ | 42 | void cray_job_termination_handler(int); /* process end of job signal */ |
43 | void cray_setup(uid_t, char *); /* set cray limits */ | 43 | void cray_login_failure(char *username, int errcode); |
44 | int cray_access_denied(char *username); | ||
44 | extern char cray_tmpdir[]; /* cray tmpdir */ | 45 | extern char cray_tmpdir[]; /* cray tmpdir */ |
46 | #ifndef IA_SSHD | ||
47 | #define IA_SSHD IA_LOGIN | ||
48 | #endif | ||
49 | #ifndef MAXHOSTNAMELEN | ||
50 | #define MAXHOSTNAMELEN 64 | ||
51 | #endif | ||
45 | #endif | 52 | #endif |
46 | 53 | ||
47 | #endif /* _BSD_CRAY_H */ | 54 | #endif /* _BSD_CRAY_H */ |