118de8d7fSPeter Avalos /*
218de8d7fSPeter Avalos  * Copyright (c) 2006 Darren Tucker.  All rights reserved.
318de8d7fSPeter Avalos  *
418de8d7fSPeter Avalos  * Permission to use, copy, modify, and distribute this software for any
518de8d7fSPeter Avalos  * purpose with or without fee is hereby granted, provided that the above
618de8d7fSPeter Avalos  * copyright notice and this permission notice appear in all copies.
718de8d7fSPeter Avalos  *
818de8d7fSPeter Avalos  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
918de8d7fSPeter Avalos  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
1018de8d7fSPeter Avalos  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
1118de8d7fSPeter Avalos  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
1218de8d7fSPeter Avalos  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
1318de8d7fSPeter Avalos  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1418de8d7fSPeter Avalos  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1518de8d7fSPeter Avalos  */
1618de8d7fSPeter Avalos 
179f304aafSPeter Avalos #include "includes.h"
189f304aafSPeter Avalos 
199f304aafSPeter Avalos #include <stdarg.h>
200cbfa66cSDaniel Fojt #include <stdio.h>
21ee116499SAntonio Huete Jimenez #include <string.h>
229f304aafSPeter Avalos #include <unistd.h>
239f304aafSPeter Avalos 
249f304aafSPeter Avalos #include "log.h"
2536e94dc5SPeter Avalos #include "misc.h"
269f304aafSPeter Avalos #include "servconf.h"
27664f4763Szrj #include "sshkey.h"
289f304aafSPeter Avalos #include "hostfile.h"
299f304aafSPeter Avalos #include "auth.h"
309f304aafSPeter Avalos #include "auth-pam.h"
3118de8d7fSPeter Avalos #include "platform.h"
3218de8d7fSPeter Avalos 
3318de8d7fSPeter Avalos #include "openbsd-compat/openbsd-compat.h"
3418de8d7fSPeter Avalos 
359f304aafSPeter Avalos extern ServerOptions options;
369f304aafSPeter Avalos 
/*
 * Report whether this process may switch between UIDs.
 *
 * Returns 1 when sshd is privileged enough to swap UIDs, 0 otherwise.
 * The decision is made from the real and effective uid only; no
 * capability or platform-specific privilege model is consulted here.
 */
int
platform_privileged_uidswap(void)
{
#ifdef HAVE_CYGWIN
	/* uid 0 is not special on Cygwin so always try */
	return 1;
#else
	/* A real uid of root is sufficient on its own. */
	if (getuid() == 0)
		return 1;
	/* Otherwise only an effective uid of root grants the privilege. */
	return geteuid() == 0 ? 1 : 0;
#endif
}
489f304aafSPeter Avalos 
/*
 * This gets called before switching UIDs, and is called even when sshd is
 * not running as root.
 *
 * pw is the target user's passwd entry.  It is only consulted by the
 * platform-specific branches below, each of which is selected by a
 * configure-time macro and additionally requires the real or effective
 * uid to be 0 at runtime, so on a platform that defines none of the
 * macros this function does nothing.
 */
void
platform_setusercontext(struct passwd *pw)
{
#ifdef WITH_SELINUX
	/* Cache selinux status for later use */
	(void)ssh_selinux_enabled();
#endif

#ifdef USE_SOLARIS_PROJECTS
	/*
	 * If solaris projects were detected, set the default now, unless
	 * we are using PAM in which case it is the responsibility of the
	 * PAM stack.
	 */
	if (!options.use_pam && (getuid() == 0 || geteuid() == 0))
		solaris_set_default_project(pw);
#endif

#if defined(HAVE_LOGIN_CAP) && defined (__bsdi__)
	/* BSD/OS: make this process the leader of a fresh process group. */
	if (getuid() == 0 || geteuid() == 0)
		setpgid(0, 0);
# endif

#if defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
	/*
	 * If we have both LOGIN_CAP and PAM, we want to establish creds
	 * before calling setusercontext (in session.c:do_setusercontext).
	 */
	if (getuid() == 0 || geteuid() == 0) {
		if (options.use_pam) {
			do_pam_setcred();
		}
	}
# endif /* USE_PAM */

#if !defined(HAVE_LOGIN_CAP) && defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
	if (getuid() == 0 || geteuid() == 0) {
		/* Sets login uid for accounting */
		/*
		 * Only assign a login uid if none has been set yet
		 * (getluid() == -1); a failure is logged, not fatal.
		 */
		if (getluid() == -1 && setluid(pw->pw_uid) == -1)
			error("setluid: %s", strerror(errno));
	}
#endif
}
969f304aafSPeter Avalos 
/*
 * This gets called after we've established the user's groups, and is only
 * called if sshd is running as root.
 *
 * pw is the target user's passwd entry; it is only read by the
 * platform-specific branches below, so it may go unused on platforms
 * that define none of the guarding macros.  The branches run in the
 * order written: PAM credentials first, then IRIX/AIX per-user setup,
 * then setpcred, and the SELinux exec context last.
 */
void
platform_setusercontext_post_groups(struct passwd *pw)
{
#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
	/*
	 * PAM credentials may take the form of supplementary groups.
	 * These will have been wiped by the above initgroups() call.
	 * Reestablish them here.
	 */
	if (options.use_pam) {
		do_pam_setcred();
	}
#endif /* USE_PAM */

#if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) || \
    defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY))
	irix_setusercontext(pw);
#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */

#ifdef _AIX
	aix_usrinfo(pw);
#endif /* _AIX */

#ifdef HAVE_SETPCRED
	/*
	 * If we have a chroot directory, we set all creds except real
	 * uid which we will need for chroot.  If we don't have a
	 * chroot directory, we don't override anything.
	 */
	{
		/*
		 * creds stays NULL (override nothing) unless a chroot is
		 * configured; chroot_creds keeps the real uid as root so
		 * the later chroot is still permitted.
		 */
		char **creds = NULL, *chroot_creds[] =
		    { "REAL_USER=root", NULL };

		/* A ChrootDirectory of "none" counts as not configured. */
		if (options.chroot_directory != NULL &&
		    strcasecmp(options.chroot_directory, "none") != 0)
			creds = chroot_creds;

		/*
		 * fatal() does not return: the session must never carry on
		 * with credentials that were only partially applied.
		 */
		if (setpcred(pw->pw_name, creds) == -1)
			fatal("Failed to set process credentials");
	}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
	/* Last step: the SELinux context the user's processes will run in. */
	ssh_selinux_setup_exec_context(pw->pw_name);
#endif
}
1469f304aafSPeter Avalos 
/*
 * Map a local account name to a Kerberos principal name.
 *
 * Only AIX (USE_AIX_KRB_NAME) supplies a platform mapping; everywhere
 * else NULL is returned so the caller falls back to its default.
 * When non-NULL, the returned string comes from the AIX helper and
 * ownership follows that helper's contract.
 */
char *
platform_krb5_get_principal_name(const char *pw_name)
{
	char *principal = NULL;

#ifdef USE_AIX_KRB_NAME
	principal = aix_krb5_get_principal_name(pw_name);
#else
	/* No platform mapping: pw_name is intentionally unused. */
	(void)pw_name;
#endif
	return principal;
}
156ee116499SAntonio Huete Jimenez 
/*
 * Inspect a password-field string for the platform's "account locked"
 * marker.  Which marker applies is fixed at configure time:
 * LOCKED_PASSWD_STRING (exact match), LOCKED_PASSWD_PREFIX (leading
 * bytes) or LOCKED_PASSWD_SUBSTR (anywhere in the field).
 *
 * Returns 1 if the field matches a marker, 0 otherwise.  NULL and empty
 * fields are never considered locked.
 */
static int
passwd_field_is_locked(const char *passwd)
{
	if (passwd == NULL || *passwd == '\0')
		return 0;
#ifdef LOCKED_PASSWD_STRING
	if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
		return 1;
#endif
#ifdef LOCKED_PASSWD_PREFIX
	if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
	    strlen(LOCKED_PASSWD_PREFIX)) == 0)
		return 1;
#endif
#ifdef LOCKED_PASSWD_SUBSTR
	if (strstr(passwd, LOCKED_PASSWD_SUBSTR) != NULL)
		return 1;
#endif
	return 0;
}

/*
 * Decide whether the account described by pw is locked.
 *
 * Returns 1 if the account is locked, 0 otherwise.  The password field
 * is taken from pw->pw_passwd, or from the shadow entry when USE_SHADOW
 * is in effect (via get_iaf_password() under USE_LIBIAF).  With
 * HAS_SHADOW_EXPIRE an expired shadow account counts as locked before
 * the password field is examined at all.
 */
int
platform_locked_account(struct passwd *pw)
{
	int locked;
	char *passwd = pw->pw_passwd;
#ifdef USE_SHADOW
	struct spwd *spw = NULL;
#ifdef USE_LIBIAF
	/* Copy returned by get_iaf_password(); wiped and freed below. */
	char *iaf_passwd = NULL;
#endif

	spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
	/* An expired account is locked regardless of its password field. */
	if (spw != NULL && auth_shadow_acctexpired(spw))
		return 1;
#endif /* HAS_SHADOW_EXPIRE */

	if (spw != NULL) {
#ifdef USE_LIBIAF
		iaf_passwd = passwd = get_iaf_password(pw);
#else
		passwd = spw->sp_pwdp;
#endif /* USE_LIBIAF */
	}
#endif

	/* The marker check itself is platform-independent once we have the field. */
	locked = passwd_field_is_locked(passwd);

#ifdef USE_LIBIAF
	/* Password material: zero it before releasing, never plain free(). */
	if (iaf_passwd != NULL)
		freezero(iaf_passwd, strlen(iaf_passwd));
#endif /* USE_LIBIAF */

	return locked;
}