diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2001-08-06 23:29:16 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-08-06 23:29:16 +0000 |
| commit | 6db66ff3877f52110cda3104e798d91091af7200 (patch) | |
| tree | 29ce760512a91bdd7bdc6a7961e3d851404afeff /openbsd-compat | |
| parent | ff2866cf5198be7669423641538bb910080ee029 (diff) | |
- (bal) Second around of UNICOS patches. A few other things left.
Patches by William L. Jones <jones@mail.utexas.edu>
Diffstat (limited to 'openbsd-compat')
| -rw-r--r-- | openbsd-compat/bsd-cray.c | 123 | ||||
| -rw-r--r-- | openbsd-compat/openbsd-compat.h | 5 |
2 files changed, 81 insertions, 47 deletions
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c index c887322c..a11a5b6a 100644 --- a/openbsd-compat/bsd-cray.c +++ b/openbsd-compat/bsd-cray.c @@ -12,18 +12,24 @@ #include <utmp.h> #include <sys/jtab.h> #include <signal.h> +#include <sys/priv.h> +#include <sys/secparm.h> +#include <sys/usrv.h> +#include <sys/sysv.h> +#include <sys/sectab.h> #include <sys/stat.h> #include <stdlib.h> #include <pwd.h> #include <fcntl.h> #include <errno.h> +#include "bsd-cray.h" + char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */ /* * Functions. */ -int cray_setup(uid_t, char *); void cray_retain_utmp(struct utmp *, int); void cray_create_tmpdir(int, uid_t, gid_t); void cray_delete_tmpdir(char *, int , uid_t); @@ -31,17 +37,17 @@ void cray_job_termination_handler (int); void cray_init_job(struct passwd *); void cray_set_tmpdir(struct utmp *); + /* * Orignal written by: * Wayne Schroeder * San Diego Supercomputer Center * schroeder@sdsc.edu */ -int +void cray_setup(uid_t uid, char *username) { struct udb *p; - extern struct udb *getudb(); extern char *setlimits(); int i, j; int accts[MAXVIDS]; @@ -52,58 +58,83 @@ cray_setup(uid_t uid, char *username) struct jtab jbuf; int jid; - if ((jid = getjtab (&jbuf)) < 0) { - debug("getjtab"); - return -1; - } + if ((jid = getjtab (&jbuf)) < 0) fatal("getjtab: no jid"); - /* Find all of the accounts for a particular user */ - err = setudb(); /* open and rewind the Cray User DataBase */ - if(err != 0) { - debug("UDB open failure"); - return -1; - } + err = setudb(); /* open and rewind the Cray User DataBase */ + if(err != 0) fatal("UDB open failure"); naccts = 0; - while ((p = getudb()) != UDB_NULL) { - if (p->ue_uid == -1) break; - if(uid == p->ue_uid) { - for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) { - accts[naccts] = p->ue_acids[j]; - naccts++; - } - } - } - endudb(); /* close the udb */ - if (naccts == 0 || accts[0] == 0) { - debug("No Cray accounts found"); - return -1; - } - - /* Perhaps someday we'll prompt users who have multiple accounts - to let them pick one (like CRI's login does), but for now just set - the account to the first entry. */ - if (acctid(0, accts[0]) < 0) { - debug("System call acctid failed, accts[0]=%d",accts[0]); - return -1; + p = getudbnam(username); + if (p == NULL) fatal("No UDB entry for %s", username); + if(uid != p->ue_uid) + fatal("UDB etnry %s uid(%d) does not match uid %d\n", + username, p->ue_uid, uid); + for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) { + accts[naccts] = p->ue_acids[j]; + naccts++; } + endudb(); /* close the udb */ + + if (naccts != 0) { + /* Perhaps someday we'll prompt users who have multiple accounts + to let them pick one (like CRI's login does), but for now just set + the account to the first entry. */ + if (acctid(0, accts[0]) < 0) + fatal("System call acctid failed, accts[0]=%d",accts[0]); + } - /* Now set limits, including CPU time for the (interactive) job and process, - and set up permissions (for chown etc), etc. This is via an internal CRI - routine, setlimits, used by CRI's login. */ + /* Now set limits, including CPU time for the (interactive) job and process, + and set up permissions (for chown etc), etc. This is via an internal CRI + routine, setlimits, used by CRI's login. */ pid = getpid(); sr = setlimits(username, C_PROC, pid, UDBRC_INTER); - if (sr != NULL) { - debug("%.200s", sr); - return -1; - } + if (sr != NULL) fatal("%.200s", sr); + sr = setlimits(username, C_JOB, jid, UDBRC_INTER); - if (sr != NULL) { - debug("%.200s", sr); - return -1; - } + if (sr != NULL) fatal("%.200s", sr); - return 0; +} + + +/* + * The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk + * can have pal privileges that sshd can inherit which + * could allow a user to su to root with out a password. + * This subroutine clears all privileges. + */ +void +drop_cray_privs() +{ +#if defined(_SC_CRAY_PRIV_SU) + priv_proc_t* privstate; + int result; + extern int priv_set_proc(); + extern priv_proc_t* priv_init_proc(); + struct usrv usrv; + + /* + * If ether of theses two flags are not set + * then don't allow this version of ssh to run. + */ + if (!sysconf(_SC_CRAY_PRIV_SU)) fatal("Not PRIV_SU system."); + if (!sysconf(_SC_CRAY_POSIX_PRIV)) fatal("Not POSIX_PRIV."); + + debug ("Dropping privileges."); + + memset(&usrv, 0, sizeof(usrv)); + if (setusrv(&usrv) < 0) + fatal ("%s(%d): setusrv(): %s\n", __FILE__, __LINE__, strerror(errno)); + + if ((privstate = priv_init_proc()) != NULL) { + result = priv_set_proc(privstate); + if ( result != 0 ) fatal ("%s(%d): priv_set_proc(): %s\n", + __FILE__, __LINE__, strerror(errno)); + priv_free_proc(privstate); + } + debug ("Privileges should be cleared..."); +#else +Cray systems must be run with _SC_CRAY_PRIV_SU on! +#endif } diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index ca7871c0..ab07315b 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.11 2001/07/14 03:22:54 djm Exp $ */ +/* $Id: openbsd-compat.h,v 1.12 2001/08/06 23:29:18 mouring Exp $ */ #ifndef _OPENBSD_H #define _OPENBSD_H @@ -38,4 +38,7 @@ #include "fake-getnameinfo.h" #include "fake-socket.h" +/* Routines for a single OS platform */ +#include "bsd-cray.h" + #endif /* _OPENBSD_H */ |