platform.c

   1 /* $Id: platform.c,v 1.13 2010/11/05 02:32:53 dtucker Exp $ */
   2
   3 /*
   4  * Copyright (c) 2006 Darren Tucker.  All rights reserved.
   5  *
   6  * Permission to use, copy, modify, and distribute this software for any
   7  * purpose with or without fee is hereby granted, provided that the above
   8  * copyright notice and this permission notice appear in all copies.
   9  *
  10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  17  */
  18
  19 #include "config.h"
  20 #include "platform.h"
  21
  22 #include "openbsd-compat/openbsd-compat.h"
  23
  24 extern int use_privsep;
  25
  26 void
  27 platform_pre_listen(void)
  28 {
  29 #ifdef LINUX_OOM_ADJUST
  30         /* Adjust out-of-memory killer so listening process is not killed */
  31         oom_adjust_setup();
  32 #endif
  33 }
  34
  35 void
  36 platform_pre_fork(void)
  37 {
  38 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
  39         solaris_contract_pre_fork();
  40 #endif
  41 }
  42
  43 void
  44 platform_post_fork_parent(pid_t child_pid)
  45 {
  46 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
  47         solaris_contract_post_fork_parent(child_pid);
  48 #endif
  49 }
  50
  51 void
  52 platform_post_fork_child(void)
  53 {
  54 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
  55         solaris_contract_post_fork_child();
  56 #endif
  57 #ifdef LINUX_OOM_ADJUST
  58         oom_adjust_restore();
  59 #endif
  60 }
  61
  62 /*
  63  * This gets called before switching UIDs, and is called even when sshd is
  64  * not running as root.
  65  */
  66 void
  67 platform_setusercontext(struct passwd *pw)
  68 {
  69 #ifdef WITH_SELINUX
  70         /* Cache selinux status for later use */
  71         (void)ssh_selinux_enabled();
  72 #endif
  73
  74 #ifdef USE_SOLARIS_PROJECTS
  75         /* if solaris projects were detected, set the default now */
  76         if (getuid() == 0 || geteuid() == 0)
  77                 solaris_set_default_project(pw);
  78 #endif
  79
  80 #if defined(HAVE_LOGIN_CAP) && defined (__bsdi__)
  81         if (getuid() == 0 || geteuid() == 0)
  82                 setpgid(0, 0);
  83 # endif
  84
  85 #if defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
  86         /*
  87          * If we have both LOGIN_CAP and PAM, we want to establish creds
  88          * before calling setusercontext (in session.c:do_setusercontext).
  89          */
  90         if (getuid() == 0 || geteuid() == 0) {
  91                 if (options.use_pam) {
  92                         do_pam_setcred(use_privsep);
  93                 }
  94         }
  95 # endif /* USE_PAM */
  96 }
  97
  98 /*
  99  * This gets called after we've established the user's groups, and is only
 100  * called if sshd is running as root.
 101  */
 102 void
 103 platform_setusercontext_post_groups(struct passwd *pw)
 104 {
 105 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
 106         /*
 107          * PAM credentials may take the form of supplementary groups.
 108          * These will have been wiped by the above initgroups() call.
 109          * Reestablish them here.
 110          */
 111         if (options.use_pam) {
 112                 do_pam_setcred(use_privsep);
 113         }
 114 #endif /* USE_PAM */
 115
 116 #if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) || \
 117     defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY))
 118         irix_setusercontext(pw);
 119 #endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
 120
 121 #ifdef _AIX
 122         aix_usrinfo(pw);
 123 #endif /* _AIX */
 124
 125 #if !defined(HAVE_LOGIN_CAP) && defined(USE_LIBIAF)
 126         if (set_id(pw->pw_name) != 0) {
 127                 exit(1);
 128         }
 129 # endif /* USE_LIBIAF */
 130
 131 #ifdef HAVE_SETPCRED
 132         /*
 133          * If we have a chroot directory, we set all creds except real
 134          * uid which we will need for chroot.  If we don't have a
 135          * chroot directory, we don't override anything.
 136          */
 137         {
 138                 char **creds = NULL, *chroot_creds[] =
 139                     { "REAL_USER=root", NULL };
 140
 141                 if (options.chroot_directory != NULL &&
 142                     strcasecmp(options.chroot_directory, "none") != 0)
 143                         creds = chroot_creds;
 144
 145                 if (setpcred(pw->pw_name, creds) == -1)
 146                         fatal("Failed to set process credentials");
 147         }
 148 #endif /* HAVE_SETPCRED */
 149 #ifdef WITH_SELINUX
 150         ssh_selinux_setup_exec_context(pw->pw_name);
 151 #endif
 152 }
 153
 154 char *
 155 platform_krb5_get_principal_name(const char *pw_name)
 156 {
 157 #ifdef USE_AIX_KRB_NAME
 158         return aix_krb5_get_principal_name(pw_name);
 159 #else
 160         return NULL;
 161 #endif
 162 }