[PATCH] Trusted IRIX Support
Jason Ostermann
josterm at raytheon.com
Fri May 13 06:49:04 EST 2005
I developed a better prototype quicker than I expected.
Please provide feedback. It's been a few years since I've used autoconf,
so I'm not certain the new defines were integrated correctly.
Jason
diff -r -C3 openssh-4.0p1/acconfig.h openssh-4.0p1.trix/acconfig.h
*** openssh-4.0p1/acconfig.h Fri Feb 25 17:07:38 2005
--- openssh-4.0p1.trix/acconfig.h Thu May 12 10:32:25 2005
***************
*** 146,151 ****
--- 146,157 ----
/* Define if you want IRIX kernel jobs */
#undef WITH_IRIX_JOBS
+ /* Define if you want IRIX Capability support */
+ #undef WITH_IRIX_CAP
+
+ /* Define if you want IRIX MAC Label support (Trusted IRIX only!) */
+ #undef WITH_IRIX_MAC
+
/* Location of PRNGD/EGD random number socket */
#undef PRNGD_SOCKET
diff -r -C3 openssh-4.0p1/config.h.in openssh-4.0p1.trix/config.h.in
*** openssh-4.0p1/config.h.in Tue Mar 8 22:54:14 2005
--- openssh-4.0p1.trix/config.h.in Thu May 12 12:56:15 2005
***************
*** 146,151 ****
--- 146,157 ----
/* Define if you want IRIX kernel jobs */
#undef WITH_IRIX_JOBS
+ /* Define if you want IRIX Capability support */
+ #undef WITH_IRIX_CAP
+
+ /* Define if you want IRIX MAC Label support (Trusted IRIX only!) */
+ #undef WITH_IRIX_MAC
+
/* Location of PRNGD/EGD random number socket */
#undef PRNGD_SOCKET
diff -r -C3 openssh-4.0p1/configure.ac openssh-4.0p1.trix/configure.ac
*** openssh-4.0p1/configure.ac Mon Mar 7 03:21:37 2005
--- openssh-4.0p1.trix/configure.ac Thu May 12 10:33:58 2005
***************
*** 241,246 ****
--- 241,248 ----
AC_DEFINE(WITH_IRIX_ARRAY)
AC_DEFINE(WITH_IRIX_PROJECT)
AC_DEFINE(WITH_IRIX_AUDIT)
+ AC_DEFINE(WITH_IRIX_CAP)
+ AC_DEFINE(WITH_IRIX_MAC)
AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
AC_DEFINE(BROKEN_INET_NTOA)
AC_DEFINE(SETEUID_BREAKS_SETUID)
diff -r -C3 openssh-4.0p1/openbsd-compat/port-irix.c
openssh-4.0p1.trix/openbsd-compat/port-irix.c
*** openssh-4.0p1/openbsd-compat/port-irix.c Sat May 31 22:23:57 2003
--- openssh-4.0p1.trix/openbsd-compat/port-irix.c Thu May 12
13:01:58 2005
***************
*** 38,43 ****
--- 39,51 ----
#ifdef WITH_IRIX_AUDIT
# include <sat.h>
#endif /* WITH_IRIX_AUDIT */
+ #ifdef WITH_IRIX_CAP
+ # include <sys/capability.h>
+ #endif /* WITH_IRIX_CAP */
+ #ifdef WITH_IRIX_MAC
+ # include <sys/mac.h>
+ # include <sys/mac_label.h>
+ #endif /* WITH_IRIX_MAC */
void
irix_setusercontext(struct passwd *pw)
***************
*** 84,86 ****
--- 92,144 ----
#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) ||
defined(WITH_IRIX_ARRAY) */
+
+ #ifdef WITH_IRIX_CAP
+ void
+ irix_set_cap(const char * cap_string)
+ {
+ cap_t running_cap;
+ if(cap_string == NULL)
+ fatal("irix_set_cap received NULL for input!");
+ if(sysconf(_SC_CAP) != 0) {
+ debug("irix_set_cap: setting capability to
%s",cap_string);
+ running_cap=cap_from_text(cap_string);
+ if(running_cap != NULL) {
+ if(cap_set_proc(running_cap) != 0)
+ fatal("Unable to set the process
capability "
+ "set to %s!",cap_string);
+ cap_free(running_cap);
+ }
+ else
+ fatal("Unable to convert %s into a capability
set!",
+ cap_string);
+ }
+ }
+
+ #endif /* WITH_IRIX_CAP */
+
+
+ #ifdef WITH_IRIX_MAC
+ void
+ irix_set_mac(const char * mac_string)
+ {
+ mac_t running_mac;
+ if(mac_string == NULL)
+ fatal("irix_set_mac received NULL for input!");
+ if(sysconf(_SC_MAC) != 0) {
+ debug("irix_set_mac: setting mac label to %s",mac_string);
+ running_mac=mac_from_text(mac_string);
+ if(running_mac != NULL) {
+ if(mac_set_proc(running_mac) != 0)
+ fatal("Unable to set the process mac
label "
+ "to %s!",mac_string);
+ mac_free(running_mac);
+ }
+ else
+ fatal("Unable to convert %s into a mac label!",
+ mac_string);
+ }
+ }
+
+ #endif /* WITH_IRIX_MAC */
+
diff -r -C3 openssh-4.0p1/session.c openssh-4.0p1.trix/session.c
*** openssh-4.0p1/session.c Sun Mar 6 05:38:52 2005
--- openssh-4.0p1.trix/session.c Thu May 12 13:03:23 2005
***************
*** 1554,1559 ****
--- 1554,1583 ----
#endif
}
+ #ifdef WITH_IRIX_CAP
+ /* Set the user's capabilities before running their RC files!!
+ Only if we won't use login(1), as login handles setting
+ capabilities itself */
+ if (!options.use_login) {
+ if(child_get_env(env,"CAP") == NULL)
+ irix_set_cap("all=");
+ else
+ irix_set_cap(child_get_env(env,"CAP"));
+ }
+ #endif /* WITH_IRIX_CAP */
+
+ #ifdef WITH_IRIX_MAC
+ /* Set the user's mac label before running their RC files!!
+ Only if we won't use login(1), as login handles setting
+ mac labels itself */
+ if (!options.use_login) {
+ if(child_get_env(env,"MAC") == NULL)
+ irix_set_mac("all=");
+ else
+ irix_set_mac(child_get_env(env,"MAC"));
+ }
+ #endif /* WITH_IRIX_MAC */
+
if (!options.use_login)
do_rc_files(s, shell);
diff -r -C3 openssh-4.0p1/uidswap.c openssh-4.0p1.trix/uidswap.c
*** openssh-4.0p1/uidswap.c Tue Feb 22 00:57:13 2005
--- openssh-4.0p1.trix/uidswap.c Thu May 12 12:05:00 2005
***************
*** 202,207 ****
--- 203,216 ----
fatal("setuid %u: %.100s", (u_int)pw->pw_uid,
strerror(errno));
#endif
+ #ifdef WITH_IRIX_CAP
+ /* Don't want to perform the following checks on a system
+ that supports capabilities, because they may be valid
+ actions */
+ if(sysconf(_SC_CAP != 0))
+ return;
+ #endif /* WITH_IRIX_CAP */
+
#ifndef HAVE_CYGWIN
/* Try restoration of GID if changed (test clearing of saved
gid) */
if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
More information about the openssh-unix-dev
mailing list