Diffstat (limited to 'openbsd-compat')
-rw-r--r-- | openbsd-compat/bsd-cray.c | 123 | ||||
-rw-r--r-- | openbsd-compat/openbsd-compat.h | 5 |
2 files changed, 81 insertions, 47 deletions
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c index c887322cb..a11a5b6aa 100644 --- a/openbsd-compat/bsd-cray.c +++ b/openbsd-compat/bsd-cray.c | |||
@@ -12,18 +12,24 @@ | |||
12 | #include <utmp.h> | 12 | #include <utmp.h> |
13 | #include <sys/jtab.h> | 13 | #include <sys/jtab.h> |
14 | #include <signal.h> | 14 | #include <signal.h> |
15 | #include <sys/priv.h> | ||
16 | #include <sys/secparm.h> | ||
17 | #include <sys/usrv.h> | ||
18 | #include <sys/sysv.h> | ||
19 | #include <sys/sectab.h> | ||
15 | #include <sys/stat.h> | 20 | #include <sys/stat.h> |
16 | #include <stdlib.h> | 21 | #include <stdlib.h> |
17 | #include <pwd.h> | 22 | #include <pwd.h> |
18 | #include <fcntl.h> | 23 | #include <fcntl.h> |
19 | #include <errno.h> | 24 | #include <errno.h> |
20 | 25 | ||
26 | #include "bsd-cray.h" | ||
27 | |||
21 | char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */ | 28 | char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */ |
22 | 29 | ||
23 | /* | 30 | /* |
24 | * Functions. | 31 | * Functions. |
25 | */ | 32 | */ |
26 | int cray_setup(uid_t, char *); | ||
27 | void cray_retain_utmp(struct utmp *, int); | 33 | void cray_retain_utmp(struct utmp *, int); |
28 | void cray_create_tmpdir(int, uid_t, gid_t); | 34 | void cray_create_tmpdir(int, uid_t, gid_t); |
29 | void cray_delete_tmpdir(char *, int , uid_t); | 35 | void cray_delete_tmpdir(char *, int , uid_t); |
@@ -31,17 +37,17 @@ void cray_job_termination_handler (int); | |||
31 | void cray_init_job(struct passwd *); | 37 | void cray_init_job(struct passwd *); |
32 | void cray_set_tmpdir(struct utmp *); | 38 | void cray_set_tmpdir(struct utmp *); |
33 | 39 | ||
40 | |||
34 | /* | 41 | /* |
35 | * Orignal written by: | 42 | * Orignal written by: |
36 | * Wayne Schroeder | 43 | * Wayne Schroeder |
37 | * San Diego Supercomputer Center | 44 | * San Diego Supercomputer Center |
38 | * schroeder@sdsc.edu | 45 | * schroeder@sdsc.edu |
39 | */ | 46 | */ |
40 | int | 47 | void |
41 | cray_setup(uid_t uid, char *username) | 48 | cray_setup(uid_t uid, char *username) |
42 | { | 49 | { |
43 | struct udb *p; | 50 | struct udb *p; |
44 | extern struct udb *getudb(); | ||
45 | extern char *setlimits(); | 51 | extern char *setlimits(); |
46 | int i, j; | 52 | int i, j; |
47 | int accts[MAXVIDS]; | 53 | int accts[MAXVIDS]; |
@@ -52,58 +58,83 @@ cray_setup(uid_t uid, char *username) | |||
52 | struct jtab jbuf; | 58 | struct jtab jbuf; |
53 | int jid; | 59 | int jid; |
54 | 60 | ||
55 | if ((jid = getjtab (&jbuf)) < 0) { | 61 | if ((jid = getjtab (&jbuf)) < 0) fatal("getjtab: no jid"); |
56 | debug("getjtab"); | ||
57 | return -1; | ||
58 | } | ||
59 | 62 | ||
60 | /* Find all of the accounts for a particular user */ | 63 | err = setudb(); /* open and rewind the Cray User DataBase */ |
61 | err = setudb(); /* open and rewind the Cray User DataBase */ | 64 | if(err != 0) fatal("UDB open failure"); |
62 | if(err != 0) { | ||
63 | debug("UDB open failure"); | ||
64 | return -1; | ||
65 | } | ||
66 | naccts = 0; | 65 | naccts = 0; |
67 | while ((p = getudb()) != UDB_NULL) { | 66 | p = getudbnam(username); |
68 | if (p->ue_uid == -1) break; | 67 | if (p == NULL) fatal("No UDB entry for %s", username); |
69 | if(uid == p->ue_uid) { | 68 | if(uid != p->ue_uid) |
70 | for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) { | 69 | fatal("UDB etnry %s uid(%d) does not match uid %d\n", |
71 | accts[naccts] = p->ue_acids[j]; | 70 | username, p->ue_uid, uid); |
72 | naccts++; | 71 | for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) { |
73 | } | 72 | accts[naccts] = p->ue_acids[j]; |
74 | } | 73 | naccts++; |
75 | } | ||
76 | endudb(); /* close the udb */ | ||
77 | if (naccts == 0 || accts[0] == 0) { | ||
78 | debug("No Cray accounts found"); | ||
79 | return -1; | ||
80 | } | ||
81 | |||
82 | /* Perhaps someday we'll prompt users who have multiple accounts | ||
83 | to let them pick one (like CRI's login does), but for now just set | ||
84 | the account to the first entry. */ | ||
85 | if (acctid(0, accts[0]) < 0) { | ||
86 | debug("System call acctid failed, accts[0]=%d",accts[0]); | ||
87 | return -1; | ||
88 | } | 74 | } |
75 | endudb(); /* close the udb */ | ||
76 | |||
77 | if (naccts != 0) { | ||
78 | /* Perhaps someday we'll prompt users who have multiple accounts | ||
79 | to let them pick one (like CRI's login does), but for now just set | ||
80 | the account to the first entry. */ | ||
81 | if (acctid(0, accts[0]) < 0) | ||
82 | fatal("System call acctid failed, accts[0]=%d",accts[0]); | ||
83 | } | ||
89 | 84 | ||
90 | /* Now set limits, including CPU time for the (interactive) job and process, | 85 | /* Now set limits, including CPU time for the (interactive) job and process, |
91 | and set up permissions (for chown etc), etc. This is via an internal CRI | 86 | and set up permissions (for chown etc), etc. This is via an internal CRI |
92 | routine, setlimits, used by CRI's login. */ | 87 | routine, setlimits, used by CRI's login. */ |
93 | 88 | ||
94 | pid = getpid(); | 89 | pid = getpid(); |
95 | sr = setlimits(username, C_PROC, pid, UDBRC_INTER); | 90 | sr = setlimits(username, C_PROC, pid, UDBRC_INTER); |
96 | if (sr != NULL) { | 91 | if (sr != NULL) fatal("%.200s", sr); |
97 | debug("%.200s", sr); | 92 | |
98 | return -1; | ||
99 | } | ||
100 | sr = setlimits(username, C_JOB, jid, UDBRC_INTER); | 93 | sr = setlimits(username, C_JOB, jid, UDBRC_INTER); |
101 | if (sr != NULL) { | 94 | if (sr != NULL) fatal("%.200s", sr); |
102 | debug("%.200s", sr); | ||
103 | return -1; | ||
104 | } | ||
105 | 95 | ||
106 | return 0; | 96 | } |
97 | |||
98 | |||
99 | /* | ||
100 | * The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk | ||
101 | * can have pal privileges that sshd can inherit which | ||
102 | * could allow a user to su to root with out a password. | ||
103 | * This subroutine clears all privileges. | ||
104 | */ | ||
105 | void | ||
106 | drop_cray_privs() | ||
107 | { | ||
108 | #if defined(_SC_CRAY_PRIV_SU) | ||
109 | priv_proc_t* privstate; | ||
110 | int result; | ||
111 | extern int priv_set_proc(); | ||
112 | extern priv_proc_t* priv_init_proc(); | ||
113 | struct usrv usrv; | ||
114 | |||
115 | /* | ||
116 | * If ether of theses two flags are not set | ||
117 | * then don't allow this version of ssh to run. | ||
118 | */ | ||
119 | if (!sysconf(_SC_CRAY_PRIV_SU)) fatal("Not PRIV_SU system."); | ||
120 | if (!sysconf(_SC_CRAY_POSIX_PRIV)) fatal("Not POSIX_PRIV."); | ||
121 | |||
122 | debug ("Dropping privileges."); | ||
123 | |||
124 | memset(&usrv, 0, sizeof(usrv)); | ||
125 | if (setusrv(&usrv) < 0) | ||
126 | fatal ("%s(%d): setusrv(): %s\n", __FILE__, __LINE__, strerror(errno)); | ||
127 | |||
128 | if ((privstate = priv_init_proc()) != NULL) { | ||
129 | result = priv_set_proc(privstate); | ||
130 | if ( result != 0 ) fatal ("%s(%d): priv_set_proc(): %s\n", | ||
131 | __FILE__, __LINE__, strerror(errno)); | ||
132 | priv_free_proc(privstate); | ||
133 | } | ||
134 | debug ("Privileges should be cleared..."); | ||
135 | #else | ||
136 | Cray systems must be run with _SC_CRAY_PRIV_SU on! | ||
137 | #endif | ||
107 | } | 138 | } |
108 | 139 | ||
109 | 140 | ||
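Review bot: In drop_cray_privs() a NULL return from `priv_init_proc()` skips `priv_set_proc()` entirely, yet the function still logs "Privileges should be cleared..." and returns, so sshd keeps whatever privileges it inherited, which is the case the header comment warns about. Treat that path as fatal like the others, e.g. `if ((privstate = priv_init_proc()) == NULL) fatal("priv_init_proc() failed");` before calling `priv_set_proc(privstate)`. The two `!sysconf(...)` checks also pass when sysconf() returns -1 (error or unrecognised name); if that can happen on these systems, testing `<= 0` would fail closed. The `#else` branch relies on a bare text line to break the build; `#error Cray systems must be run with _SC_CRAY_PRIV_SU on!` states the intent explicitly.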
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index ca7871c0d..ab07315b6 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openbsd-compat.h,v 1.11 2001/07/14 03:22:54 djm Exp $ */ | 1 | /* $Id: openbsd-compat.h,v 1.12 2001/08/06 23:29:18 mouring Exp $ */ |
2 | 2 | ||
3 | #ifndef _OPENBSD_H | 3 | #ifndef _OPENBSD_H |
4 | #define _OPENBSD_H | 4 | #define _OPENBSD_H |
@@ -38,4 +38,7 @@ | |||
38 | #include "fake-getnameinfo.h" | 38 | #include "fake-getnameinfo.h" |
39 | #include "fake-socket.h" | 39 | #include "fake-socket.h" |
40 | 40 | ||
41 | /* Routines for a single OS platform */ | ||
42 | #include "bsd-cray.h" | ||
43 | |||
41 | #endif /* _OPENBSD_H */ | 44 | #endif /* _OPENBSD_H */ |