Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 4cb855b070a814b0148ae0f3f5cbd5f8e255c8be / . / platform.c
blob: a455472b3f542557116aa4362820e71ee8bb036f [file] [log] [blame]
Damien Miller81ad4b12011-01-11 17:02:23 +1100[diff] [blame]1/* $Id: platform.c,v 1.18 2011/01/11 06:02:25 djm Exp $ */
Damien Miller1b06dc32006-08-31 03:24:41 +1000[diff] [blame]2
3/*
4 * Copyright (c) 2006 Darren Tucker. All rights reserved.
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
Darren Tuckerd1ece6e2010-11-07 18:05:54 +1100[diff] [blame]19#include "includes.h"
Darren Tuckerb12fe272010-11-05 14:47:01 +1100[diff] [blame]20
21#include <sys/types.h>
Darren Tucker9283d8c2010-11-05 18:56:08 +1100[diff] [blame]22
23#include <stdarg.h>
Darren Tuckerb12fe272010-11-05 14:47:01 +1100[diff] [blame]24#include <unistd.h>
25
Darren Tucker9283d8c2010-11-05 18:56:08 +1100[diff] [blame]26#include "log.h"
27#include "buffer.h"
28#include "servconf.h"
Damien Miller81ad4b12011-01-11 17:02:23 +1100[diff] [blame]29#include "key.h"
30#include "hostfile.h"
31#include "auth.h"
32#include "auth-pam.h"
Damien Miller1b06dc32006-08-31 03:24:41 +1000[diff] [blame]33#include "platform.h"
34
35#include "openbsd-compat/openbsd-compat.h"
36
Darren Tucker728d8372010-11-05 13:00:05 +1100[diff] [blame]37extern int use_privsep;
Darren Tucker9283d8c2010-11-05 18:56:08 +1100[diff] [blame]38extern ServerOptions options;
Darren Tucker728d8372010-11-05 13:00:05 +1100[diff] [blame]39
Damien Miller1b06dc32006-08-31 03:24:41 +1000[diff] [blame]40void
Darren Tuckerc8802aa2009-12-08 13:39:48 +1100[diff] [blame]41platform_pre_listen(void)
42{
43#ifdef LINUX_OOM_ADJUST
44 /* Adjust out-of-memory killer so listening process is not killed */
45 oom_adjust_setup();
46#endif
47}
48
49void
Damien Miller1b06dc32006-08-31 03:24:41 +1000[diff] [blame]50platform_pre_fork(void)
51{
52#ifdef USE_SOLARIS_PROCESS_CONTRACTS
53 solaris_contract_pre_fork();
54#endif
55}
56
57void
58platform_post_fork_parent(pid_t child_pid)
59{
60#ifdef USE_SOLARIS_PROCESS_CONTRACTS
61 solaris_contract_post_fork_parent(child_pid);
62#endif
63}
64
65void
66platform_post_fork_child(void)
67{
68#ifdef USE_SOLARIS_PROCESS_CONTRACTS
69 solaris_contract_post_fork_child();
70#endif
Darren Tuckerc8802aa2009-12-08 13:39:48 +1100[diff] [blame]71#ifdef LINUX_OOM_ADJUST
72 oom_adjust_restore();
73#endif
Damien Miller1b06dc32006-08-31 03:24:41 +1000[diff] [blame]74}
Darren Tucker1bf35032009-12-21 10:49:21 +1100[diff] [blame]75
Darren Tuckerb12fe272010-11-05 14:47:01 +1100[diff] [blame]76/* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
77int
78platform_privileged_uidswap(void)
79{
80#ifdef HAVE_CYGWIN
81 /* uid 0 is not special on Cygwin so always try */
82 return 1;
83#else
84 return (getuid() == 0 || geteuid() == 0);
85#endif
86}
87
Darren Tucker920612e2010-11-05 12:36:15 +1100[diff] [blame]88/*
89 * This gets called before switching UIDs, and is called even when sshd is
90 * not running as root.
91 */
Darren Tucker97528352010-11-05 12:03:05 +1100[diff] [blame]92void
93platform_setusercontext(struct passwd *pw)
94{
Darren Tucker920612e2010-11-05 12:36:15 +1100[diff] [blame]95#ifdef WITH_SELINUX
96 /* Cache selinux status for later use */
97 (void)ssh_selinux_enabled();
98#endif
99
Darren Tucker97528352010-11-05 12:03:05 +1100[diff] [blame]100#ifdef USE_SOLARIS_PROJECTS
101 /* if solaris projects were detected, set the default now */
102 if (getuid() == 0 || geteuid() == 0)
103 solaris_set_default_project(pw);
104#endif
Darren Tucker44a97be2010-11-05 12:45:18 +1100[diff] [blame]105
106#if defined(HAVE_LOGIN_CAP) && defined (__bsdi__)
Darren Tuckerfd4d8aa2010-11-05 12:50:41 +1100[diff] [blame]107 if (getuid() == 0 || geteuid() == 0)
108 setpgid(0, 0);
Darren Tucker44a97be2010-11-05 12:45:18 +1100[diff] [blame]109# endif
Darren Tucker728d8372010-11-05 13:00:05 +1100[diff] [blame]110
111#if defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
112 /*
113 * If we have both LOGIN_CAP and PAM, we want to establish creds
114 * before calling setusercontext (in session.c:do_setusercontext).
115 */
116 if (getuid() == 0 || geteuid() == 0) {
117 if (options.use_pam) {
118 do_pam_setcred(use_privsep);
119 }
120 }
121# endif /* USE_PAM */
Darren Tuckerd9957122010-11-24 10:09:13 +1100[diff] [blame]122
123#if !defined(HAVE_LOGIN_CAP) && defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
124 if (getuid() == 0 || geteuid() == 0) {
125 /* Sets login uid for accounting */
126 if (getluid() == -1 && setluid(pw->pw_uid) == -1)
127 error("setluid: %s", strerror(errno));
128 }
129#endif
Darren Tucker97528352010-11-05 12:03:05 +1100[diff] [blame]130}
131
Darren Tucker920612e2010-11-05 12:36:15 +1100[diff] [blame]132/*
133 * This gets called after we've established the user's groups, and is only
134 * called if sshd is running as root.
135 */
136void
137platform_setusercontext_post_groups(struct passwd *pw)
138{
Darren Tuckercc124182010-11-05 13:32:52 +1100[diff] [blame]139#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
140 /*
141 * PAM credentials may take the form of supplementary groups.
142 * These will have been wiped by the above initgroups() call.
143 * Reestablish them here.
144 */
145 if (options.use_pam) {
146 do_pam_setcred(use_privsep);
147 }
148#endif /* USE_PAM */
149
Darren Tucker0b2ee642010-11-05 13:29:25 +1100[diff] [blame]150#if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) || \
151 defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY))
152 irix_setusercontext(pw);
153#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
154
Darren Tucker676b9122010-11-05 13:11:04 +1100[diff] [blame]155#ifdef _AIX
156 aix_usrinfo(pw);
157#endif /* _AIX */
158
Darren Tucker7a8afe32010-11-05 13:07:24 +1100[diff] [blame]159#if !defined(HAVE_LOGIN_CAP) && defined(USE_LIBIAF)
160 if (set_id(pw->pw_name) != 0) {
161 exit(1);
162 }
163# endif /* USE_LIBIAF */
164
Darren Tucker4db38072010-11-05 12:41:13 +1100[diff] [blame]165#ifdef HAVE_SETPCRED
166 /*
167 * If we have a chroot directory, we set all creds except real
168 * uid which we will need for chroot. If we don't have a
169 * chroot directory, we don't override anything.
170 */
171 {
172 char **creds = NULL, *chroot_creds[] =
173 { "REAL_USER=root", NULL };
174
175 if (options.chroot_directory != NULL &&
176 strcasecmp(options.chroot_directory, "none") != 0)
177 creds = chroot_creds;
178
179 if (setpcred(pw->pw_name, creds) == -1)
180 fatal("Failed to set process credentials");
181 }
182#endif /* HAVE_SETPCRED */
Darren Tucker920612e2010-11-05 12:36:15 +1100[diff] [blame]183#ifdef WITH_SELINUX
184 ssh_selinux_setup_exec_context(pw->pw_name);
185#endif
186}
187
Darren Tucker1bf35032009-12-21 10:49:21 +1100[diff] [blame]188char *
189platform_krb5_get_principal_name(const char *pw_name)
190{
191#ifdef USE_AIX_KRB_NAME
192 return aix_krb5_get_principal_name(pw_name);
193#else
194 return NULL;
195#endif
196}