1 /* 2 * Copyright (c) 2006 Darren Tucker. All rights reserved. 3 * 4 * Permission to use, copy, modify, and distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15 */ 16 17 #include "includes.h" 18 19 #include <stdarg.h> 20 #include <stdio.h> 21 #include <string.h> 22 #include <unistd.h> 23 24 #include "log.h" 25 #include "misc.h" 26 #include "servconf.h" 27 #include "sshkey.h" 28 #include "hostfile.h" 29 #include "auth.h" 30 #include "auth-pam.h" 31 #include "platform.h" 32 33 #include "openbsd-compat/openbsd-compat.h" 34 35 extern ServerOptions options; 36 37 /* return 1 if we are running with privilege to swap UIDs, 0 otherwise */ 38 int 39 platform_privileged_uidswap(void) 40 { 41 #ifdef HAVE_CYGWIN 42 /* uid 0 is not special on Cygwin so always try */ 43 return 1; 44 #else 45 return (getuid() == 0 || geteuid() == 0); 46 #endif 47 } 48 49 /* 50 * This gets called before switching UIDs, and is called even when sshd is 51 * not running as root. 52 */ 53 void 54 platform_setusercontext(struct passwd *pw) 55 { 56 #ifdef WITH_SELINUX 57 /* Cache selinux status for later use */ 58 (void)ssh_selinux_enabled(); 59 #endif 60 61 #ifdef USE_SOLARIS_PROJECTS 62 /* 63 * If solaris projects were detected, set the default now, unless 64 * we are using PAM in which case it is the responsibility of the 65 * PAM stack. 66 */ 67 if (!options.use_pam && (getuid() == 0 || geteuid() == 0)) 68 solaris_set_default_project(pw); 69 #endif 70 71 #if defined(HAVE_LOGIN_CAP) && defined (__bsdi__) 72 if (getuid() == 0 || geteuid() == 0) 73 setpgid(0, 0); 74 # endif 75 76 #if defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 77 /* 78 * If we have both LOGIN_CAP and PAM, we want to establish creds 79 * before calling setusercontext (in session.c:do_setusercontext). 80 */ 81 if (getuid() == 0 || geteuid() == 0) { 82 if (options.use_pam) { 83 do_pam_setcred(); 84 } 85 } 86 # endif /* USE_PAM */ 87 88 #if !defined(HAVE_LOGIN_CAP) && defined(HAVE_GETLUID) && defined(HAVE_SETLUID) 89 if (getuid() == 0 || geteuid() == 0) { 90 /* Sets login uid for accounting */ 91 if (getluid() == -1 && setluid(pw->pw_uid) == -1) 92 error("setluid: %s", strerror(errno)); 93 } 94 #endif 95 } 96 97 /* 98 * This gets called after we've established the user's groups, and is only 99 * called if sshd is running as root. 100 */ 101 void 102 platform_setusercontext_post_groups(struct passwd *pw) 103 { 104 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 105 /* 106 * PAM credentials may take the form of supplementary groups. 107 * These will have been wiped by the above initgroups() call. 108 * Reestablish them here. 109 */ 110 if (options.use_pam) { 111 do_pam_setcred(); 112 } 113 #endif /* USE_PAM */ 114 115 #if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) || \ 116 defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)) 117 irix_setusercontext(pw); 118 #endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ 119 120 #ifdef _AIX 121 aix_usrinfo(pw); 122 #endif /* _AIX */ 123 124 #ifdef HAVE_SETPCRED 125 /* 126 * If we have a chroot directory, we set all creds except real 127 * uid which we will need for chroot. If we don't have a 128 * chroot directory, we don't override anything. 129 */ 130 { 131 char **creds = NULL, *chroot_creds[] = 132 { "REAL_USER=root", NULL }; 133 134 if (options.chroot_directory != NULL && 135 strcasecmp(options.chroot_directory, "none") != 0) 136 creds = chroot_creds; 137 138 if (setpcred(pw->pw_name, creds) == -1) 139 fatal("Failed to set process credentials"); 140 } 141 #endif /* HAVE_SETPCRED */ 142 #ifdef WITH_SELINUX 143 ssh_selinux_setup_exec_context(pw->pw_name); 144 #endif 145 } 146 147 char * 148 platform_krb5_get_principal_name(const char *pw_name) 149 { 150 #ifdef USE_AIX_KRB_NAME 151 return aix_krb5_get_principal_name(pw_name); 152 #else 153 return NULL; 154 #endif 155 } 156 157 /* returns 1 if account is locked */ 158 int 159 platform_locked_account(struct passwd *pw) 160 { 161 int locked = 0; 162 char *passwd = pw->pw_passwd; 163 #ifdef USE_SHADOW 164 struct spwd *spw = NULL; 165 #ifdef USE_LIBIAF 166 char *iaf_passwd = NULL; 167 #endif 168 169 spw = getspnam(pw->pw_name); 170 #ifdef HAS_SHADOW_EXPIRE 171 if (spw != NULL && auth_shadow_acctexpired(spw)) 172 return 1; 173 #endif /* HAS_SHADOW_EXPIRE */ 174 175 if (spw != NULL) 176 #ifdef USE_LIBIAF 177 iaf_passwd = passwd = get_iaf_password(pw); 178 #else 179 passwd = spw->sp_pwdp; 180 #endif /* USE_LIBIAF */ 181 #endif 182 183 /* check for locked account */ 184 if (passwd && *passwd) { 185 #ifdef LOCKED_PASSWD_STRING 186 if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) 187 locked = 1; 188 #endif 189 #ifdef LOCKED_PASSWD_PREFIX 190 if (strncmp(passwd, LOCKED_PASSWD_PREFIX, 191 strlen(LOCKED_PASSWD_PREFIX)) == 0) 192 locked = 1; 193 #endif 194 #ifdef LOCKED_PASSWD_SUBSTR 195 if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) 196 locked = 1; 197 #endif 198 } 199 #ifdef USE_LIBIAF 200 if (iaf_passwd != NULL) 201 freezero(iaf_passwd, strlen(iaf_passwd)); 202 #endif /* USE_LIBIAF */ 203 204 return locked; 205 } 206