summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog8
-rw-r--r--configure.in3
-rw-r--r--loginrec.c8
-rw-r--r--openbsd-compat/bsd-cray.c123
-rw-r--r--openbsd-compat/openbsd-compat.h5
-rw-r--r--sshd.c7
-rw-r--r--sshpty.c59
7 files changed, 161 insertions, 52 deletions
diff --git a/ChangeLog b/ChangeLog
index 86775205..14f54496 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -98,7 +98,7 @@
[ssh-keygen.c]
allow uploading RSA keys for non-default AUT0 (sha1 over passphrase
like sectok).
- - markus@cvs.openbsd.org 2001/08/01 23:38:45
+ - markus@cvs.openbsd.org 2001/08/01 23:38:45
[scard.c ssh.c]
support finish rsa keys.
free public keys after login -> call finish -> close smartcard.
@@ -122,7 +122,7 @@
- jakob@cvs.openbsd.org 2001/08/02 15:43:57
[ssh-agent.c ssh.c ssh-keygen.c]
add /* SMARTCARD */ to #else/#endif. ok markus@
- - jakob@cvs.openbsd.org 2001/08/02 16:14:05
+ - jakob@cvs.openbsd.org 2001/08/02 16:14:05
[scard.c ssh-agent.c ssh.c ssh-keygen.c]
clean up some /* SMARTCARD */. ok markus@
- mpech@cvs.openbsd.org 2001/08/02 18:37:35
@@ -148,6 +148,8 @@
[scp.c]
use alarm vs. setitimer for portable; ok markus@
- (bal) ssh-keyscan double -lssh hack due to seed_rng().
+ - (bal) Second around of UNICOS patches. A few other things left.
+ Patches by William L. Jones <jones@mail.utexas.edu>
20010803
- (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on
@@ -6258,4 +6260,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.1466 2001/08/06 22:56:46 mouring Exp $
+$Id: ChangeLog,v 1.1467 2001/08/06 23:29:16 mouring Exp $
diff --git a/configure.in b/configure.in
index 75b3626d..4210d3e9 100644
--- a/configure.in
+++ b/configure.in
@@ -1,4 +1,4 @@
-# $Id: configure.in,v 1.304 2001/07/24 17:00:14 mouring Exp $
+# $Id: configure.in,v 1.305 2001/08/06 23:29:17 mouring Exp $
AC_INIT(ssh.c)
@@ -1453,6 +1453,7 @@ if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then
OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
+ OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
OSSH_PATH_ENTROPY_PROG(PROG_W, w)
OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)
diff --git a/loginrec.c b/loginrec.c
index e121ce35..5789aad7 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -163,7 +163,7 @@
#include "log.h"
#include "atomicio.h"
-RCSID("$Id: loginrec.c,v 1.33 2001/05/08 20:33:06 mouring Exp $");
+RCSID("$Id: loginrec.c,v 1.34 2001/08/06 23:29:17 mouring Exp $");
#ifdef HAVE_UTIL_H
# include <util.h>
@@ -616,9 +616,15 @@ construct_utmp(struct logininfo *li,
switch (li->type) {
case LTYPE_LOGIN:
ut->ut_type = USER_PROCESS;
+#ifdef _CRAY
+ cray_set_tmpdir(ut);
+#endif
break;
case LTYPE_LOGOUT:
ut->ut_type = DEAD_PROCESS;
+#ifdef _CRAY
+ cray_retain_utmp(ut, li->pid);
+#endif
break;
}
# endif
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c
index c887322c..a11a5b6a 100644
--- a/openbsd-compat/bsd-cray.c
+++ b/openbsd-compat/bsd-cray.c
@@ -12,18 +12,24 @@
#include <utmp.h>
#include <sys/jtab.h>
#include <signal.h>
+#include <sys/priv.h>
+#include <sys/secparm.h>
+#include <sys/usrv.h>
+#include <sys/sysv.h>
+#include <sys/sectab.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <pwd.h>
#include <fcntl.h>
#include <errno.h>
+#include "bsd-cray.h"
+
char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */
/*
* Functions.
*/
-int cray_setup(uid_t, char *);
void cray_retain_utmp(struct utmp *, int);
void cray_create_tmpdir(int, uid_t, gid_t);
void cray_delete_tmpdir(char *, int , uid_t);
@@ -31,17 +37,17 @@ void cray_job_termination_handler (int);
void cray_init_job(struct passwd *);
void cray_set_tmpdir(struct utmp *);
+
/*
* Orignal written by:
* Wayne Schroeder
* San Diego Supercomputer Center
* schroeder@sdsc.edu
*/
-int
+void
cray_setup(uid_t uid, char *username)
{
struct udb *p;
- extern struct udb *getudb();
extern char *setlimits();
int i, j;
int accts[MAXVIDS];
@@ -52,58 +58,83 @@ cray_setup(uid_t uid, char *username)
struct jtab jbuf;
int jid;
- if ((jid = getjtab (&jbuf)) < 0) {
- debug("getjtab");
- return -1;
- }
+ if ((jid = getjtab (&jbuf)) < 0) fatal("getjtab: no jid");
- /* Find all of the accounts for a particular user */
- err = setudb(); /* open and rewind the Cray User DataBase */
- if(err != 0) {
- debug("UDB open failure");
- return -1;
- }
+ err = setudb(); /* open and rewind the Cray User DataBase */
+ if(err != 0) fatal("UDB open failure");
naccts = 0;
- while ((p = getudb()) != UDB_NULL) {
- if (p->ue_uid == -1) break;
- if(uid == p->ue_uid) {
- for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
- accts[naccts] = p->ue_acids[j];
- naccts++;
- }
- }
- }
- endudb(); /* close the udb */
- if (naccts == 0 || accts[0] == 0) {
- debug("No Cray accounts found");
- return -1;
- }
-
- /* Perhaps someday we'll prompt users who have multiple accounts
- to let them pick one (like CRI's login does), but for now just set
- the account to the first entry. */
- if (acctid(0, accts[0]) < 0) {
- debug("System call acctid failed, accts[0]=%d",accts[0]);
- return -1;
+ p = getudbnam(username);
+ if (p == NULL) fatal("No UDB entry for %s", username);
+ if(uid != p->ue_uid)
+ fatal("UDB etnry %s uid(%d) does not match uid %d\n",
+ username, p->ue_uid, uid);
+ for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
+ accts[naccts] = p->ue_acids[j];
+ naccts++;
}
+ endudb(); /* close the udb */
+
+ if (naccts != 0) {
+ /* Perhaps someday we'll prompt users who have multiple accounts
+ to let them pick one (like CRI's login does), but for now just set
+ the account to the first entry. */
+ if (acctid(0, accts[0]) < 0)
+ fatal("System call acctid failed, accts[0]=%d",accts[0]);
+ }
- /* Now set limits, including CPU time for the (interactive) job and process,
- and set up permissions (for chown etc), etc. This is via an internal CRI
- routine, setlimits, used by CRI's login. */
+ /* Now set limits, including CPU time for the (interactive) job and process,
+ and set up permissions (for chown etc), etc. This is via an internal CRI
+ routine, setlimits, used by CRI's login. */
pid = getpid();
sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
- if (sr != NULL) {
- debug("%.200s", sr);
- return -1;
- }
+ if (sr != NULL) fatal("%.200s", sr);
+
sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
- if (sr != NULL) {
- debug("%.200s", sr);
- return -1;
- }
+ if (sr != NULL) fatal("%.200s", sr);
- return 0;
+}
+
+
+/*
+ * The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk
+ * can have pal privileges that sshd can inherit which
+ * could allow a user to su to root with out a password.
+ * This subroutine clears all privileges.
+ */
+void
+drop_cray_privs()
+{
+#if defined(_SC_CRAY_PRIV_SU)
+ priv_proc_t* privstate;
+ int result;
+ extern int priv_set_proc();
+ extern priv_proc_t* priv_init_proc();
+ struct usrv usrv;
+
+ /*
+ * If ether of theses two flags are not set
+ * then don't allow this version of ssh to run.
+ */
+ if (!sysconf(_SC_CRAY_PRIV_SU)) fatal("Not PRIV_SU system.");
+ if (!sysconf(_SC_CRAY_POSIX_PRIV)) fatal("Not POSIX_PRIV.");
+
+ debug ("Dropping privileges.");
+
+ memset(&usrv, 0, sizeof(usrv));
+ if (setusrv(&usrv) < 0)
+ fatal ("%s(%d): setusrv(): %s\n", __FILE__, __LINE__, strerror(errno));
+
+ if ((privstate = priv_init_proc()) != NULL) {
+ result = priv_set_proc(privstate);
+ if ( result != 0 ) fatal ("%s(%d): priv_set_proc(): %s\n",
+ __FILE__, __LINE__, strerror(errno));
+ priv_free_proc(privstate);
+ }
+ debug ("Privileges should be cleared...");
+#else
+Cray systems must be run with _SC_CRAY_PRIV_SU on!
+#endif
}
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index ca7871c0..ab07315b 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.11 2001/07/14 03:22:54 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.12 2001/08/06 23:29:18 mouring Exp $ */
#ifndef _OPENBSD_H
#define _OPENBSD_H
@@ -38,4 +38,7 @@
#include "fake-getnameinfo.h"
#include "fake-socket.h"
+/* Routines for a single OS platform */
+#include "bsd-cray.h"
+
#endif /* _OPENBSD_H */
diff --git a/sshd.c b/sshd.c
index d1c68445..b6adc38c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -679,6 +679,13 @@ main(int ac, char **av)
options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
!inetd_flag);
+#ifdef _CRAY
+ /* Cray can define user privs drop all prives now!
+ * Not needed on PRIV_SU systems!
+ */
+ drop_cray_privs();
+#endif
+
seed_rng();
/* Read server configuration options from the configuration file. */
diff --git a/sshpty.c b/sshpty.c
index 71e16b79..84572c90 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -162,6 +162,34 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
}
return 1;
#else /* HAVE_DEV_PTS_AND_PTC */
+#ifdef _CRAY
+ char buf[64];
+ int i;
+ int highpty;
+
+#ifdef _SC_CRAY_NPTY
+ highpty = sysconf(_SC_CRAY_NPTY);
+ if (highpty == -1)
+ highpty = 128;
+#else
+ highpty = 128;
+#endif
+
+ for (i = 0; i < highpty; i++) {
+ snprintf(buf, sizeof(buf), "/dev/pty/%03d", i);
+ *ptyfd = open(buf, O_RDWR|O_NOCTTY);
+ if (*ptyfd < 0) continue;
+ snprintf(namebuf, namebuflen, "/dev/ttyp%03d", i);
+ /* Open the slave side. */
+ *ttyfd = open(namebuf, O_RDWR|O_NOCTTY);
+ if (*ttyfd < 0) {
+ error("%.100s: %.100s", namebuf, strerror(errno));
+ close(*ptyfd);
+ }
+ return 1;
+ }
+ return 0;
+#else
/* BSD-style pty code. */
char buf[64];
int i;
@@ -196,6 +224,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
return 1;
}
return 0;
+#endif /* CRAY */
#endif /* HAVE_DEV_PTS_AND_PTC */
#endif /* HAVE_DEV_PTMX */
#endif /* HAVE__GETPTY */
@@ -218,6 +247,35 @@ pty_release(const char *ttyname)
void
pty_make_controlling_tty(int *ttyfd, const char *ttyname)
{
+#ifdef _CRAY
+ int fd;
+
+ if (setsid() < 0)
+ error("setsid: %.100s", strerror(errno));
+
+ fd = open(ttyname, O_RDWR|O_NOCTTY);
+ if (fd >= 0) {
+ signal(SIGHUP, SIG_IGN);
+ ioctl(fd, TCVHUP, (char *)0);
+ signal(SIGHUP, SIG_DFL);
+ setpgid(0,0);
+ close(fd);
+ } else {
+ error("Failed to disconnect from controlling tty.");
+ }
+
+
+ debug("Setting controlling tty using TCSETCTTY.\n");
+ ioctl(*ttyfd, TCSETCTTY, NULL);
+
+ fd = open("/dev/tty", O_RDWR);
+
+ if (fd < 0)
+ error("%.100s: %.100s", ttyname, strerror(errno));
+
+ close(*ttyfd);
+ *ttyfd = fd;
+#else
int fd;
#ifdef USE_VHANGUP
void *old;
@@ -277,6 +335,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
else {
close(fd);
}
+#endif
}
/* Changes the window size associated with the pty. */