From 5fc8565d2088322eb8bf6fedf44ad15511028c08 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sun, 9 Jul 2000 23:53:07 +1000
Subject: - (djm) AIX getuserattr() session initialisation from Tom Bertelson
---
 acconfig.h | 3 +++
 configure.in | 9 ++++++++-
 session.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/acconfig.h b/acconfig.h
index e11bf5e60..4757b66bc 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -6,6 +6,9 @@
 @TOP@
+/* Define if you have the getuserattr function. */
+#undef HAVE_GETUSERATTR
+
 /* Work around problematic Linux PAM modules handling of PAM_TTY */
 #undef PAM_TTY_KLUDGE
diff --git a/configure.in b/configure.in
index f496e3934..f4f47cd45 100644
--- a/configure.in
+++ b/configure.in
@@ -40,6 +40,8 @@ case "$host" in
 mansubdir=cat
 dnl AIX handles lastlog as part of its login message
 AC_DEFINE(DISABLE_LASTLOG)
+ MANTYPE='$(CATMAN)'
+ mansubdir=cat
 ;;
 *-*-hpux10*)
 if test -z "$GCC"; then
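Review bot: The two added lines `MANTYPE='$(CATMAN)'` and `mansubdir=cat` in the configure.in hunk at -40 look redundant, because `mansubdir=cat` is already assigned three lines earlier in the same case branch, where it is visible as context. The matching `MANTYPE` assignment is presumably just above the hunk as well. If this is a leftover from applying the patch, drop both added lines so the branch sets each variable once. The case branch starts outside the hunk, so confirm against the full file.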
@@ -206,7 +208,7 @@ if test -z "$no_libnsl" ; then
 fi
 # Checks for header files.
-AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h util.h utmp.h utmpx.h)
+AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h usersec.h util.h utmp.h utmpx.h)
 # Checks for library functions.
 AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strlcat strlcpy vsnprintf vhangup _getpty __b64_ntop)
@@ -221,6 +223,11 @@ dnl checks for utmpx functions
 AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline )
 AC_CHECK_FUNCS(setutxent utmpxname)
+AC_CHECK_FUNC(getuserattr,
+ [AC_DEFINE(HAVE_GETUSERATTR)],
+ [AC_CHECK_LIB(s, getuserattr, [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])]
+)
+
 AC_CHECK_FUNC(login,
 [AC_DEFINE(HAVE_LOGIN)],
 [AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])]
diff --git a/session.c b/session.c
index 29956777f..1f0d227d0 100644
--- a/session.c
+++ b/session.c
@@ -9,6 +9,9 @@
 #include "includes.h"
 RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
+#if defined(HAVE_USERSEC_H)
+#include
+#endif
 #include "xmalloc.h"
 #include "ssh.h"
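Review bot: The new include in session.c is guarded by `HAVE_USERSEC_H`, but the code that needs its declarations (the `S_U*` attribute names and `SEC_INT` in the later session.c hunk) is guarded only by `HAVE_GETUSERATTR`. If configure finds getuserattr() but not the header (presumably usersec.h, which the configure.in change starts checking for), that block will not compile. Guard the include and the code with the same condition, e.g. `#if defined(HAVE_GETUSERATTR) && defined(HAVE_USERSEC_H)`, or have configure define HAVE_GETUSERATTR only when the header was found.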
@@ -789,6 +792,57 @@ void do_pam_environment(char ***env, int *envsize)
 }
 #endif /* USE_PAM */
+#if defined(HAVE_GETUSERATTR)
+/*
+ * AIX-specific login initialisation
+ */
+void set_limit(char *user, char *soft, char *hard, int resource, int mult)
+{
+ struct rlimit rlim;
+ rlim_t tlim;
+ int mask;
+
+ getrlimit(resource, &rlim);
+
+ tlim = (rlim_t) 0;
+ if (getuserattr(user, soft, &tlim, SEC_INT) != -1 && tlim)
+ rlim.rlim_cur = tlim * mult;
+
+ tlim = (rlim_t) 0;
+ if (getuserattr(user, hard, &tlim, SEC_INT) != -1 && tlim)
+ rlim.rlim_max = tlim * mult;
+
+ if (rlim.rlim_cur > rlim.rlim_max)
+ rlim.rlim_max = rlim.rlim_cur;
+
+ if (setrlimit(resource, &rlim) != 0)
+ error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno))
+}
+
+void set_limits_from_userattr(char *user)
+{
+ int mask;
+ char buf[16];
+
+ set_limit(user, S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512);
+ set_limit(user, S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1);
+ set_limit(user, S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512);
+ set_limit(user, S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512);
+ set_limit(user, S_URSS, S_URSS_HARD, RLIMIT_RSS, 512);
+ set_limit(user, S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512);
+#if defined(S_UNOFILE)
+ set_limit(user, S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1);
+#endif
+
+ if (getuserattr(user, S_UMASK, &mask, SEC_INT) != -1) {
+ /* Convert decimal to octal */
+ (void) snprintf(buf, sizeof(buf), "%d", mask);
+ if (sscanf(buf, "%o", &mask) == 1)
+ umask(mask);
+ }
+}
+#endif /* defined(HAVE_GETUSERATTR) */
+
 /*
 * Performs common processing for the child, such as setting up the
 * environment, closing extra file descriptors, setting the user and group
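Review bot: The `error(...)` call that ends set_limit() has no terminating `;`, so this block cannot compile once HAVE_GETUSERATTR is defined. The return value of `getrlimit()` is also ignored, so a failure leaves `rlim` uninitialised before it is passed to `setrlimit()`. In addition, `getuserattr(..., SEC_INT)` is handed a pointer to an `rlim_t`; where `rlim_t` is wider than `int` only part of `tlim` is written, and the per-user limit that gets applied is not the one the administrator configured. Reading into an `int` and widening before the multiply avoids that, as sketched below; the unused `int mask` in set_limit() can be dropped at the same time.

```c
void set_limit(char *user, char *soft, char *hard, int resource, int mult)
{
	struct rlimit rlim;
	int val;	/* SEC_INT fills an int, so do not pass &rlim_t */

	if (getrlimit(resource, &rlim) != 0) {
		error("getrlimit(%.10s) failed: %.100s", soft, strerror(errno));
		return;
	}

	/* NOTE(review): negative values need an explicit mapping; confirm
	 * what getuserattr() returns for an "unlimited" entry. */
	val = 0;
	if (getuserattr(user, soft, &val, SEC_INT) != -1 && val)
		rlim.rlim_cur = (rlim_t)val * mult;

	val = 0;
	if (getuserattr(user, hard, &val, SEC_INT) != -1 && val)
		rlim.rlim_max = (rlim_t)val * mult;

	/* ... unchanged: rlim_cur > rlim_max adjustment ... */

	if (setrlimit(resource, &rlim) != 0)
		error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno));
}
```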
@@ -855,6 +909,10 @@ do_child(const char *command, struct passwd * pw, const char *term,
 }
 #else /* HAVE_OSF_SIA */
 if (getuid() == 0 || geteuid() == 0) {
+#if defined(HAVE_GETUSERATTR)
+ set_limits_from_userattr(pw->pw_name);
+#endif /* defined(HAVE_GETUSERATTR) */
+
 if (setgid(pw->pw_gid) < 0) {
 perror("setgid");
 exit(1);
--
cgit v1.2.3
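Review bot: A failure inside `set_limits_from_userattr()` cannot stop the login, because the function returns void and only logs through error(), so the child carries on with whatever limits and umask it inherited from the daemon. If the AIX per-user limits are meant as an enforced policy, consider returning a status and treating failure like the `setgid()` failure just below. At minimum the call deserves a comment on why it sits here, e.g. `/* must run before the uid/gid drop: raising a hard limit needs privilege */`. do_child() begins and ends outside this hunk, so the rest of the privilege-drop sequence is not visible.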