- (djm) AIX getuserattr() session initialisation from Tom Bertelson
<tbert@abac.com>
parent
31abc9addb
commit
5fc8565d20
|
@ -6,6 +6,9 @@
|
|||
|
||||
@TOP@
|
||||
|
||||
/* Define if you have the getuserattr function. */
|
||||
#undef HAVE_GETUSERATTR
|
||||
|
||||
/* Work around problematic Linux PAM modules handling of PAM_TTY */
|
||||
#undef PAM_TTY_KLUDGE
|
||||
|
||||
|
|
|
@ -40,6 +40,8 @@ case "$host" in
|
|||
mansubdir=cat
|
||||
dnl AIX handles lastlog as part of its login message
|
||||
AC_DEFINE(DISABLE_LASTLOG)
|
||||
MANTYPE='$(CATMAN)'
|
||||
mansubdir=cat
|
||||
;;
|
||||
*-*-hpux10*)
|
||||
if test -z "$GCC"; then
|
||||
|
@ -206,7 +208,7 @@ if test -z "$no_libnsl" ; then
|
|||
fi
|
||||
|
||||
# Checks for header files.
|
||||
AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h util.h utmp.h utmpx.h)
|
||||
AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h usersec.h util.h utmp.h utmpx.h)
|
||||
|
||||
# Checks for library functions.
|
||||
AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strlcat strlcpy vsnprintf vhangup _getpty __b64_ntop)
|
||||
|
@ -221,6 +223,11 @@ dnl checks for utmpx functions
|
|||
AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline )
|
||||
AC_CHECK_FUNCS(setutxent utmpxname)
|
||||
|
||||
AC_CHECK_FUNC(getuserattr,
|
||||
[AC_DEFINE(HAVE_GETUSERATTR)],
|
||||
[AC_CHECK_LIB(s, getuserattr, [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])]
|
||||
)
|
||||
|
||||
AC_CHECK_FUNC(login,
|
||||
[AC_DEFINE(HAVE_LOGIN)],
|
||||
[AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])]
|
||||
|
|
58
session.c
58
session.c
|
@ -9,6 +9,9 @@
|
|||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
|
||||
#if defined(HAVE_USERSEC_H)
|
||||
#include <usersec.h>
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
|
@ -789,6 +792,57 @@ void do_pam_environment(char ***env, int *envsize)
|
|||
}
|
||||
#endif /* USE_PAM */
|
||||
|
||||
#if defined(HAVE_GETUSERATTR)
|
||||
/*
|
||||
* AIX-specific login initialisation
|
||||
*/
|
||||
void set_limit(char *user, char *soft, char *hard, int resource, int mult)
|
||||
{
|
||||
struct rlimit rlim;
|
||||
rlim_t tlim;
|
||||
int mask;
|
||||
|
||||
getrlimit(resource, &rlim);
|
||||
|
||||
tlim = (rlim_t) 0;
|
||||
if (getuserattr(user, soft, &tlim, SEC_INT) != -1 && tlim)
|
||||
rlim.rlim_cur = tlim * mult;
|
||||
|
||||
tlim = (rlim_t) 0;
|
||||
if (getuserattr(user, hard, &tlim, SEC_INT) != -1 && tlim)
|
||||
rlim.rlim_max = tlim * mult;
|
||||
|
||||
if (rlim.rlim_cur > rlim.rlim_max)
|
||||
rlim.rlim_max = rlim.rlim_cur;
|
||||
|
||||
if (setrlimit(resource, &rlim) != 0)
|
||||
error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno))
|
||||
}
|
||||
|
||||
void set_limits_from_userattr(char *user)
|
||||
{
|
||||
int mask;
|
||||
char buf[16];
|
||||
|
||||
set_limit(user, S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512);
|
||||
set_limit(user, S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1);
|
||||
set_limit(user, S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512);
|
||||
set_limit(user, S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512);
|
||||
set_limit(user, S_URSS, S_URSS_HARD, RLIMIT_RSS, 512);
|
||||
set_limit(user, S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512);
|
||||
#if defined(S_UNOFILE)
|
||||
set_limit(user, S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1);
|
||||
#endif
|
||||
|
||||
if (getuserattr(user, S_UMASK, &mask, SEC_INT) != -1) {
|
||||
/* Convert decimal to octal */
|
||||
(void) snprintf(buf, sizeof(buf), "%d", mask);
|
||||
if (sscanf(buf, "%o", &mask) == 1)
|
||||
umask(mask);
|
||||
}
|
||||
}
|
||||
#endif /* defined(HAVE_GETUSERATTR) */
|
||||
|
||||
/*
|
||||
* Performs common processing for the child, such as setting up the
|
||||
* environment, closing extra file descriptors, setting the user and group
|
||||
|
@ -855,6 +909,10 @@ do_child(const char *command, struct passwd * pw, const char *term,
|
|||
}
|
||||
#else /* HAVE_OSF_SIA */
|
||||
if (getuid() == 0 || geteuid() == 0) {
|
||||
#if defined(HAVE_GETUSERATTR)
|
||||
set_limits_from_userattr(pw->pw_name);
|
||||
#endif /* defined(HAVE_GETUSERATTR) */
|
||||
|
||||
if (setgid(pw->pw_gid) < 0) {
|
||||
perror("setgid");
|
||||
exit(1);
|
||||
|
|
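Review bot: The new set_limit() in the second session.c hunk does not compile as written — the `error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno))` call at the end of the function has no terminating semicolon before the closing brace, so any build with HAVE_GETUSERATTR defined fails. Two further points in the same function: the getrlimit() result is ignored, so a failure leaves `rlim` uninitialised and that garbage is handed to setrlimit(), and `tlim` is declared `rlim_t` but passed to getuserattr() with SEC_INT, which (per the AIX usersec interface, to be confirmed) stores an `int` — on a build where rlim_t is wider than int this only partially writes the variable, so an `int` temporary converted to rlim_t is the safer shape. Because set_limits_from_userattr() is called only under `getuid() == 0 || geteuid() == 0` and before the setgid/setuid calls, the branch `rlim.rlim_max = rlim.rlim_cur` silently raises the hard limit whenever a user's configured soft value exceeds the hard one; clamping the soft limit down to the hard limit is the conservative resolution, and the unused `int mask` in set_limit() should be dropped. A rewrite of set_limit() covering these points follows.
```c
void set_limit(char *user, char *soft, char *hard, int resource, int mult)
{
	struct rlimit rlim;
	int tlim;	/* SEC_INT: getuserattr() stores an int here */

	if (getrlimit(resource, &rlim) != 0) {
		error("getrlimit(%.10s) failed: %.100s", soft, strerror(errno));
		return;
	}

	tlim = 0;
	if (getuserattr(user, soft, &tlim, SEC_INT) != -1 && tlim)
		rlim.rlim_cur = (rlim_t)tlim * mult;

	tlim = 0;
	if (getuserattr(user, hard, &tlim, SEC_INT) != -1 && tlim)
		rlim.rlim_max = (rlim_t)tlim * mult;

	/* Running as root here: never raise the hard limit to satisfy an
	 * inconsistent soft limit; clamp the soft limit instead. */
	if (rlim.rlim_cur > rlim.rlim_max)
		rlim.rlim_cur = rlim.rlim_max;

	if (setrlimit(resource, &rlim) != 0)
		error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno));
}
```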