AIX capabilities not set

Jan-Frode Myklebust janfrode at parallab.uib.no
Wed May 29 19:38:56 EST 2002


Following up on myself...

On Tue, May 14, 2002 at 04:06:16PM +0200, Jan-Frode Myklebust wrote:
> Hi, 
> 
> we're in the process of setting up large-page support on IBM regattas,
> but for large-page support the users have to have a set of extra 
> capabilities (CAP_BYPASS_RAC_VMM,CAP_PROPAGATE). These are configured
> on a per-user basis by listing which capabilities each user has in
> /etc/security/user.
> 
> Unfortunately they don't get set when the users log in via OpenSSH
> (3.1p1). 

It would be nice if someone more familiar with AIX could comment on this.

It seems to me that openbsd-compat/port-aix.c is doing more work than
it should to set up the user environment, but I don't know if this
might be for backward compatibility.

If instead of setting all limits manually via setrlimit() one were to
call setpcred()/setpenv() everything should be set up correctly,
including the capabilities. Here's a patch replacing the whole
body of set_limits_from_userattr() with calls to these functions. Please
consider applying this so that we get the full AIX environment set up.

I have only tested this on AIX 5.1, and have no idea if these calls
are available on earlier versions of AIX. 


  -jf
-------------- next part --------------
--- port-aix.h-original	Wed May 29 11:29:00 2002
+++ port-aix.h	Wed May 29 11:17:13 2002
@@ -1,7 +1,6 @@
 #ifdef _AIX
 
 #ifdef HAVE_GETUSERATTR
-void set_limit(char *user, char *soft, char *hard, int resource, int mult);
 void set_limits_from_userattr(char *user);
 #endif /* HAVE_GETUSERATTR */
 
-------------- next part --------------
--- port-aix.c-original	Wed May 29 10:01:59 2002
+++ port-aix.c	Wed May 29 11:27:50 2002
@@ -24,79 +24,16 @@
 /*
  * AIX-specific login initialisation
  */
-void 
-set_limit(char *user, char *soft, char *hard, int resource, int mult)
-{
-        struct rlimit rlim;
-        int slim, hlim;
-
-        getrlimit(resource, &rlim);
-
-        slim = 0;
-        if (getuserattr(user, soft, &slim, SEC_INT) != -1) {
-                if (slim < 0) {
-                        rlim.rlim_cur = RLIM_INFINITY;
-                } else if (slim != 0) {
-                        /* See the wackiness below */
-                        if (rlim.rlim_cur == slim * mult)
-                                slim = 0;
-                        else
-                                rlim.rlim_cur = slim * mult;
-                }
-        }
-        hlim = 0;
-        if (getuserattr(user, hard, &hlim, SEC_INT) != -1) {
-                if (hlim < 0) {
-                        rlim.rlim_max = RLIM_INFINITY;
-                } else if (hlim != 0) {
-                        rlim.rlim_max = hlim * mult;
-                }
-        }
-
-        /*
-         * XXX For cpu and fsize the soft limit is set to the hard limit
-         * if the hard limit is left at its default value and the soft limit
-         * is changed from its default value, either by requesting it
-         * (slim == 0) or by setting it to the current default.  At least
-         * that's how rlogind does it.  If you're confused you're not alone.
-         * Bug or feature? AIX 4.3.1.2
-         */
-        if ((!strcmp(soft, "fsize") || !strcmp(soft, "cpu"))
-            && hlim == 0 && slim != 0)
-                rlim.rlim_max = rlim.rlim_cur;
-        /* A specified hard limit limits the soft limit */
-        else if (hlim > 0 && rlim.rlim_cur > rlim.rlim_max)
-                rlim.rlim_cur = rlim.rlim_max;
-        /* A soft limit can increase a hard limit */
-        else if (rlim.rlim_cur > rlim.rlim_max)
-                rlim.rlim_max = rlim.rlim_cur;
-
-        if (setrlimit(resource, &rlim) != 0)
-                error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno));
-}
 
 void 
 set_limits_from_userattr(char *user)
 {
-        int mask;
-        char buf[16];
-
-        set_limit(user, S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512);
-        set_limit(user, S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1);
-        set_limit(user, S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512);
-        set_limit(user, S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512);
-        set_limit(user, S_URSS, S_URSS_HARD, RLIMIT_RSS, 512);
-        set_limit(user, S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512);
-#if defined(S_UNOFILE)
-        set_limit(user, S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1);
-#endif
-
-        if (getuserattr(user, S_UMASK, &mask, SEC_INT) != -1) {
-                /* Convert decimal to octal */
-                (void) snprintf(buf, sizeof(buf), "%d", mask);
-                if (sscanf(buf, "%o", &mask) == 1)
-                        umask(mask);
-        }
+	/* 
+	   Set up the process credentials and process environment
+	   based on the AIX userdatabase. 
+	*/
+	setpcred (user);
+	setpenv (user); 
 }
 #endif /* defined(HAVE_GETUSERATTR) */
 
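Review bot: The new body at `setpcred (user);` and `setpenv (user);` discards both return values, so when either call fails the process simply carries on with whatever identity, limits and capabilities it had before and the caller gets no signal; credential setup should fail closed, e.g. `if (setpcred(user, NULL) == -1) fatal("setpcred(%.100s) failed: %.100s", user, strerror(errno));` and `if (setpenv(user, PENV_INIT, NULL, NULL) == -1) fatal("setpenv(%.100s) failed: %.100s", user, strerror(errno));`. Both calls also pass a single argument, whereas AIX declares setpcred(User, Credentials) and setpenv(User, Mode, Environment, Command), so unless the usersec.h prototypes are in scope this compiles but leaves the Credentials, Mode, Environment and Command parameters indeterminate — the quoted lines pass them explicitly. setpenv rebuilds the process environment and setpcred switches the process identity as well as its limits, which presumably overlaps with the environment and privilege-dropping the caller does around this function; that interaction is worth confirming before the whole body is replaced, and the removed S_UMASK handling has no visible counterpart on the new side unless setpcred is confirmed to cover umask. The replaced function set_limits_from_userattr lies entirely inside this hunk.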

