bsd-cray.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* $Id: bsd-cray.c,v 1.8 2002/09/26 00:38:51 tim Exp $
*
*
* Copyright (c) 2002, Cray Inc. (Wendy Palm <wendyp@cray.com>)
* Significant portions provided by
* Wayne Schroeder, SDSC <schroeder@sdsc.edu>
* William Jones, UTexas <jones@tacc.utexas.edu>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Created: Apr 22 16.34:00 2002 wp
*
* This file contains functions required for proper execution
* on UNICOS systems.
*
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include "includes.h"
#ifdef _UNICOS
#include <udb.h>
#include <tmpdir.h>
#include <unistd.h>
#include <sys/category.h>
#include <utmp.h>
#include <signal.h>
#include <stdlib.h>
#include <pwd.h>
#include <fcntl.h>
#include <errno.h>
#include <ia.h>
#include <urm.h>
#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "bsd-cray.h"
#define MAXACID 80
extern ServerOptions options;
/*
* Functions.
*/
/*
* Forward declarations for the UNICOS helpers.
* NOTE(review): in this listing most of the definitions further down have
* lost their name/parameter line, so matching a prototype to a body relies
* on the surrounding comments and log strings - confirm against the full file.
*/
void cray_retain_utmp(struct utmp *, int);
void cray_delete_tmpdir(char *, int, uid_t);
void cray_init_job(struct passwd *);
void cray_set_tmpdir(struct utmp *);
void cray_login_failure(char *, int);
int cray_setup(uid_t, char *, const char *);
int cray_access_denied(char *);
/*
* Login-failure path; the debug strings below identify it as
* cray_login_failure().
* NOTE(review): the name/parameter line and several statements are absent
* from this listing, so the braces shown here do not balance.
*/
void
{
int jid = 0; /* job id */
debug("cray_login_failure(): getjtab error");
}
/* getsysudb() and endudb() bracket the UDB access; the lookup itself is not shown. */
getsysudb();
debug("cray_login_failure(): getudbname() returned NULL");
}
endudb();
/*
* Call ia_failure because of a login failure.
*/
}
/*
* Cray access denied.
*
* @param username  login name supplied by the caller
* @return errcode when it is non-zero (it is initialised to 0)
*
* NOTE(review): statements appear to be missing from this listing: nothing
* visible assigns errcode after initialisation, and no return is shown for
* the errcode == 0 path. Confirm against the full file that every path
* returns a value.
*/
int
cray_access_denied(char *username)
{
int errcode; /* IA errorcode */
errcode = 0;
getsysudb();
/*
* NOTE(review): this message is tagged cray_login_failure() although it is
* emitted from cray_access_denied(); anyone triaging logs will be pointed
* at the wrong function.
*/
debug("cray_login_failure(): getudbname() returned NULL");
}
endudb();
if (errcode)
return (errcode);
}
/*
* Session setup for a UNICOS login. Judging by the prototypes this is
* cray_setup(uid_t, char *, const char *), but the name/parameter line is
* absent from this listing, as are many statements, so braces do not balance.
*
* Visible behaviour: most failure paths terminate the process with exit(1)
* instead of returning; the getjtab failure returns -1 and the normal path
* returns 0.
*/
int
{
extern char *setlimits();
int err; /* error return */
int maxattempts; /* maximum no. of failed login attempts */
int SecureSys; /* unicos security flag */
int minslevel = 0; /* system minimum security level */
int i, j;
int jid; /* job ID */
int pid; /* process ID */
char *sr; /* status return from setlimits() */
char hostname[MAXHOSTNAMELEN];
pwddce; /* passwd stuff for ia_user */
int ia_rcode; /* ia_user return code */
int ia_mlsrcode; /* ia_mlsuser return code */
int secstatrc; /* [f]secstat return code */
exit(1);
}
}
hostname[0] = '\0';
/*
* Fetch user's UDB entry.
*/
getsysudb();
debug("cannot fetch user's UDB entry");
exit(1);
}
/*
* Prevent any possible fudging so perform a data
* safety check and compare the supplied uid against
* the udb's uid.
*/
/*
* NOTE(review): the mismatch is reported through debug() only before the
* exit; check whether that level is recorded in the deployed logging
* configuration, since a uid mismatch is worth seeing during triage.
*/
debug("IA uid missmatch");
exit(1);
}
endudb();
debug("getjtab");
return -1;
}
if (SecureSys) {
if (ttyn) {
} else {
}
if (secstatrc == 0) {
debug("[f]secstat() successful");
} else {
exit(1);
}
}
/*
* Initialize all structures to call ia_user
*/
/* pwddialup.next = &pwdwal; */
switch (ia_rcode) {
/*
* These are acceptable return codes from ia_user()
*/
case IA_UDBWEEK: /* Password Expires in 1 week */
printf ("WARNING - your current password will expire %s\n",
break;
case IA_UDBEXPIRED:
/* Force a password change */
printf("Your password has expired; Choose a new one.\n");
exit(9);
}
break;
case IA_NORMAL: /* Normal Return Code */
break;
case IA_BACKDOOR:
/*
* NOTE(review): the statement controlled by this for loop is not visible in
* the listing. The visible assignments zero ue_logfails, ue_defcomps,
* ue_comparts, ue_permits, ue_disabled and ue_logtime on ue.
*/
for (i=0;i<MAXVIDS;i++)
ue.ue_logfails=0;
ue.ue_defcomps=0;
ue.ue_comparts=0;
ue.ue_permits=0;
ue.ue_disabled=0;
ue.ue_logtime=0;
break;
case IA_CONSOLE: /* Superuser not from Console */
case IA_TRUSTED: /* Trusted user */
break; /* Accept root login */
default:
/*
* These are failed return codes from ia_user()
*/
/*
* Only some codes print a reason to the client; the rest fall through to the
* generic "Login incorrect" message below.
* NOTE(review): IA_CONSOLE and IA_TRUSTED are accepted by the outer switch,
* so their cases in this inner switch cannot be reached.
*/
switch (ia_rcode)
{
case IA_BADAUTH:
printf ("Bad authorization, access denied.\n");
break;
case IA_DIALUPERR:
break;
case IA_DISABLED:
printf ("Your login has been disabled. Contact the system ");
printf ("administrator for assistance.\n");
break;
case IA_GETSYSV:
break;
case IA_LOCALHOST:
break;
case IA_MAXLOGS:
printf ("Maximum number of failed login attempts exceeded.\n");
printf ("Access denied.\n");
break;
case IA_NOPASS:
break;
case IA_PUBLIC:
break;
case IA_SECURIDERR:
break;
case IA_CONSOLE:
break;
case IA_TRUSTED:
break;
case IA_UDBERR:
break;
case IA_UDBPWDNULL:
/*
* NULL password not allowed on MLS systems
*/
if (SecureSys) {
printf("NULL Password not allowed on MLS systems.\n");
}
break;
case IA_UNKNOWN:
break;
case IA_UNKNOWNYP:
break;
case IA_WALERR:
break;
default:
/* nothing special */
;
} /* 2. switch (ia_rcode) */
/*
* Authentication failed.
*/
printf("sshd: Login incorrect, (0%o)\n",
/*
* Initialize structure for ia_failure
* which will exit.
*/
/*
* Call ia_failure because of an IA failure.
* There is no return because ia_failure exits.
*/
exit(1);
} /* 1. switch (ia_rcode) */
if (SecureSys) {
debug("calling ia_mlsuser()");
}
/* Any ia_mlsuser() result other than IA_NORMAL ends the session. */
if (ia_mlsrcode != IA_NORMAL) {
printf("sshd: Login incorrect, (0%o)\n",
/*
* Initialize structure for ia_failure
* which will exit.
*/
/*
* Call ia_failure because of an IA failure.
* There is no return because ia_failure exits.
*/
exit(1);
}
/* Provide login status information */
printf("Last successful login was : %.*s ",
}
/*
* Call ia_success to process successful I/A.
*/
/*
* Query for account, iff > 1 valid acid & askacid permbit
*/
/* valid_acct stays -1, and the prompt repeats, until an account is accepted. */
while (valid_acct == -1) {
printf("Account (? for available accounts)"
switch (acct_name[0]) {
case EOF:
exit(0);
break;
case '\0':
break;
case '?':
/* Print the list 3 wide */
for (i = 0, j = 0; i < MAXVIDS; i++) {
printf("\n");
break;
}
if (++j == 4) {
j = 1;
printf("\n");
}
printf(" %s",
}
printf("\"acctid\" permbit also allows"
" you to select any valid "
"account name.\n");
printf("\n");
break;
default:
" account name \"%s\"\n\n",
break;
}
/*
* If an account was given, search the user's
* acids array to verify they can use this account.
*/
if ((valid_acct != -1) &&
for (i = 0; i < MAXVIDS; i++) {
break;
break;
}
/* A requested account that fails this check resets valid_acct to -1 and is asked for again. */
if (i == MAXVIDS ||
" account name to "
"\"%s\", permission "
"denied\n\n", acct_name);
valid_acct = -1;
}
}
}
} else {
/*
* The client isn't connected to a terminal and can't
* respond to an acid prompt. Use default acid.
*/
}
} else {
/*
* The user doesn't have the askacid permbit set or
* only has one valid account to use.
*/
}
/* Failure to switch to the chosen account id ends the session. */
if (acctid(0, valid_acct) < 0) {
exit(1);
}
/* set up shares and quotas */
/* Now set shares, quotas, limits, including CPU time for the (interactive)
* job and process, and set up permissions (for chown etc), etc.
*/
printf("Unable to give %d shares to <%s>(%d/%d)\n", ue.ue_shares, ue.ue_name, ue.ue_uid, valid_acct);
exit(1);
}
exit(1);
}
exit(1);
}
/*
* Place the service provider information into
*/
/*
* Set user and controlling tty security attributes.
*/
if (SecureSys) {
exit(1);
}
}
return(0);
}
/*
* Clears all privileges of the process.
*
* Original rationale (its opening words are missing from this listing):
* "... can have pal privileges that sshd can inherit which could allow a
* user to su to root without a password."
*
* NOTE(review): the name/parameter line is absent from this listing.
*/
void
{
#if defined(_SC_CRAY_PRIV_SU)
int result;
extern int priv_set_proc();
extern priv_proc_t* priv_init_proc();
/*
* If either of these two flags is not set
* then don't allow this version of ssh to run.
*/
if (!sysconf(_SC_CRAY_PRIV_SU))
fatal("Not PRIV_SU system.");
if (!sysconf(_SC_CRAY_POSIX_PRIV))
fatal("Not POSIX_PRIV.");
debug("Setting MLS labels.");;
/* Both branches are empty in this listing; their statements are not shown. */
if (sysconf(_SC_CRAY_SECURE_MAC)) {
} else {
}
/* A non-zero result is handed to fatal(); the call that sets result is not shown. */
if (result != 0 )
fatal("%s(%d): priv_set_proc(): %s",
}
debug ("Privileges should be cleared...");
#else
/*
* XXX: do this differently
* NOTE(review): when _SC_CRAY_PRIV_SU is not defined this branch holds no
* code, so the function clears nothing on such builds.
*/
#endif
}
/*
* utmp handling.
* NOTE(review): the name/parameter line and most statements are absent from
* this listing. What remains shows only that failing to open the utmp file
* is reported through fatal().
*/
void
{
int fd;
break;
}
}
}
else
fatal("Unable to open utmp file");
}
/*
* tmpdir support.
*/
/*
* find and delete jobs tmpdir.
*
* Visible logic: c walks 'a'..'z'; if the loop runs out (c > 'z') the
* function returns without doing anything further. Per the fatal() string,
* an execl of CLEANTMPCMD follows and its failure is fatal.
*
* NOTE(review): the name/parameter line, the loop's test and the statements
* around the execl are absent from this listing. When reading the full
* file, confirm which identity the cleanup command runs under and that the
* path it receives cannot point outside the job's own tmpdir.
*/
void
{
int child;
int c;
int wstat;
for (c = 'a'; c <= 'z'; c++) {
break;
}
if (c > 'z')
return;
fatal("cray_delete_tmpdir: execl of CLEANTMPCMD failed");
}
;
}
/*
* Remove tmpdir on job termination.
* NOTE(review): only the jid declaration and an early return are visible in
* this listing; the name/parameter line and the removal itself are not shown.
*/
void
{
int jid;
return;
}
/*
* Set job id and create tmpdir directory.
*
* Visible logic: a negative jid is fatal ("System call setjob failure").
* Suffixes 'a'..'z' are then tried in order; two continue statements move
* on to the next suffix and a break ends the search. If every suffix is
* used up (c > 'z'), cray_tmpdir is set to the empty string.
*
* NOTE(review): the name/parameter line and the directory-creation calls
* are absent from this listing. When reading the full file, confirm that
* creation fails on an already existing path, that ownership is set before
* the directory is used, and that callers treat an empty cray_tmpdir as
* "no tmpdir".
*/
void
{
int jid;
int c;
if (jid < 0)
fatal("System call setjob failure");
for (c = 'a'; c <= 'z'; c++) {
continue;
continue;
}
break;
}
if (c > 'z')
cray_tmpdir[0] = '\0';
}
/*
* Per the comment in the body, records the jid and tmpdir in a utmp record.
* NOTE(review): the name/parameter line, the condition guarding the early
* return and the assignments themselves are absent from this listing.
*/
void
{
int jid;
return;
/*
* Set jid and tmpdir in utmp record.
*/
}
#endif