Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sudo-project
GitHub Repository: sudo-project/sudo
 Path: blob/main/lib/util/aix.c
1532 views
1
/*

2
 * SPDX-License-Identifier: ISC

3
 *

4
 * Copyright (c) 2008, 2010-2016 Todd C. Miller <[email protected]>

5
 *

6
 * Permission to use, copy, modify, and distribute this software for any

7
 * purpose with or without fee is hereby granted, provided that the above

8
 * copyright notice and this permission notice appear in all copies.

9
 *

10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

17
 */

18


19
#include <config.h>

20


21
#include <sys/resource.h>

22


23
#include <stdio.h>

24
#include <stdlib.h>

25
#include <errno.h>

26
#include <usersec.h>

27
#include <uinfo.h>

28


29
#include <sudo_compat.h>

30
#include <sudo_debug.h>

31
#include <sudo_fatal.h>

32
#include <sudo_gettext.h>

33
#include <sudo_util.h>

34


35
#ifdef HAVE_GETUSERATTR

36


37
#ifndef HAVE_SETRLIMIT64

38
# define setrlimit64(a, b) setrlimit(a, b)

39
# define rlimit64 rlimit

40
# define rlim64_t rlim_t

41
# define RLIM64_INFINITY RLIM_INFINITY

42
#endif /* HAVE_SETRLIMIT64 */

43


44
#ifndef RLIM_SAVED_MAX

45
# define RLIM_SAVED_MAX	RLIM64_INFINITY

46
#endif

47


48
struct aix_limit {

49
    int resource;

50
    const char *soft;

51
    const char *hard;

52
    int factor;

53
};

54


55
static struct aix_limit aix_limits[] = {

56
    { RLIMIT_FSIZE, S_UFSIZE, S_UFSIZE_HARD, 512 },

57
    { RLIMIT_CPU, S_UCPU, S_UCPU_HARD, 1 },

58
    { RLIMIT_DATA, S_UDATA, S_UDATA_HARD, 512 },

59
    { RLIMIT_STACK, S_USTACK, S_USTACK_HARD, 512 },

60
    { RLIMIT_RSS, S_URSS, S_URSS_HARD, 512 },

61
    { RLIMIT_CORE, S_UCORE, S_UCORE_HARD, 512 },

62
    { RLIMIT_NOFILE, S_UNOFILE, S_UNOFILE_HARD, 1 }

63
};

64


65
static int

66
aix_getlimit(const char *user, const char *lim, int *valp)

67
{

68
    debug_decl(aix_getlimit, SUDO_DEBUG_UTIL);

69


70
    if (getuserattr((char *)user, (char *)lim, valp, SEC_INT) != 0)

71
	debug_return_int(-1);

72
    debug_return_int(0);

73
}

74


75
static int

76
aix_setlimits(char *user)

77
{

78
    struct rlimit64 rlim;

79
    int val;

80
    size_t n;

81
    debug_decl(aix_setlimits, SUDO_DEBUG_UTIL);

82


83
    if (setuserdb(S_READ) != 0) {

84
	sudo_warn("%s", U_("unable to open userdb"));

85
	debug_return_int(-1);

86
    }

87


88
    /*

89
     * For each resource limit, get the soft/hard values for the user

90
     * and set those values via setrlimit64().  Must be run as euid 0.

91
     */

92
    for (n = 0; n < nitems(aix_limits); n++) {

93
	/*

94
	 * We have two strategies, depending on whether or not the

95
	 * hard limit has been defined.

96
	 */

97
	if (aix_getlimit(user, aix_limits[n].hard, &val) == 0) {

98
	    rlim.rlim_max = val == -1 ? RLIM64_INFINITY : (rlim64_t)val * aix_limits[n].factor;

99
	    if (aix_getlimit(user, aix_limits[n].soft, &val) == 0)

100
		rlim.rlim_cur = val == -1 ? RLIM64_INFINITY : (rlim64_t)val * aix_limits[n].factor;

101
	    else

102
		rlim.rlim_cur = rlim.rlim_max;	/* soft not specd, use hard */

103
	} else {

104
	    /* No hard limit set, try soft limit, if it exists. */

105
	    if (aix_getlimit(user, aix_limits[n].soft, &val) == -1)

106
		continue;

107
	    rlim.rlim_cur = val == -1 ? RLIM64_INFINITY : (rlim64_t)val * aix_limits[n].factor;

108


109
	    /* Set default hard limit as per limits(4). */

110
	    switch (aix_limits[n].resource) {

111
		case RLIMIT_CPU:

112
		case RLIMIT_FSIZE:

113
		    rlim.rlim_max = rlim.rlim_cur;

114
		    break;

115
		case RLIMIT_STACK:

116
		    rlim.rlim_max = 4194304UL * aix_limits[n].factor;

117
		    break;

118
		default:

119
		    rlim.rlim_max = RLIM64_INFINITY;

120
		    break;

121
	    }

122
	}

123
	(void)setrlimit64(aix_limits[n].resource, &rlim);

124
    }

125
    enduserdb();

126
    debug_return_int(0);

127
}

128


129
#ifdef HAVE_SETAUTHDB

130


131
# ifndef HAVE_AUTHDB_T

132
typedef char authdb_t[16];

133
# endif

134


135
/* The empty string means to access all defined authentication registries. */

136
static authdb_t old_registry;

137


138
# if defined(HAVE_DECL_SETAUTHDB) && !HAVE_DECL_SETAUTHDB

139
int setauthdb(authdb_t new, authdb_t old);

140
int getauthdb(authdb_t val);

141
# endif

142
# if defined(HAVE_DECL_USRINFO) && !HAVE_DECL_USRINFO

143
int usrinfo(int cmd, char *buf, int count);

144
# endif

145


146
/*

147
 * Look up authentication registry for user (SYSTEM in /etc/security/user) and

148
 * set it as the default for the process.  This ensures that password and

149
 * group lookups are made against the correct source (files, NIS, LDAP, etc).

150
 * Does not modify errno even on error since callers do not check return value.

151
 */

152
int

153
aix_getauthregistry_v1(char *user, char *saved_registry)

154
{

155
    int serrno = errno;

156
    int ret = -1;

157
    debug_decl(aix_getauthregistry, SUDO_DEBUG_UTIL);

158


159
    saved_registry[0] = '\0';

160
    if (user != NULL) {

161
	char *registry;

162


163
	if (setuserdb(S_READ) != 0) {

164
	    sudo_warn("%s", U_("unable to open userdb"));

165
	    goto done;

166
	}

167
	ret = getuserattr(user, (char *)S_REGISTRY, &registry, SEC_CHAR);

168
	if (ret == 0) {

169
	    /* sizeof(authdb_t) is guaranteed to be 16 */

170
	    if (strlcpy(saved_registry, registry, 16) >= 16) {

171
		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,

172
		    "registry for user %s too long: %s", user, registry);

173
	    }

174
	    sudo_debug_printf(SUDO_DEBUG_INFO,

175
		"%s: saved authentication registry for user %s is %s",

176
		__func__, user, saved_registry);

177
	}

178
	enduserdb();

179
    } else {

180
	/* Get the process-wide registry. */

181
	ret = getauthdb(saved_registry);

182
    }

183
done:

184
    errno = serrno;

185
    debug_return_int(ret);

186
}

187


188
/*

189
 * Set the specified authentication registry for user (SYSTEM in

190
 * /etc/security/user) and set it as the default for the process.

191
 * This ensures that password and group lookups are made against

192
 * the correct source (files, NIS, LDAP, etc).

193
 * If registry is NULL, look it up based on the user name.

194
 * Does not modify errno even on error since callers do not check return value.

195
 */

196
int

197
aix_setauthdb_v1(char *user)

198
{

199
    return aix_setauthdb_v2(user, NULL);

200
}

201


202
int

203
aix_setauthdb_v2(char *user, char *registry)

204
{

205
    authdb_t regbuf;

206
    int serrno = errno;

207
    int ret = -1;

208
    debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL);

209


210
    if (user != NULL) {

211
	/* Look up authentication registry if one is not provided. */

212
	if (registry == NULL) {

213
	    if (aix_getauthregistry(user, regbuf) != 0)

214
		goto done;

215
	    registry = regbuf;

216
	}

217
	ret = setauthdb(registry, old_registry);

218
	if (ret != 0) {

219
	    sudo_warn(U_("unable to switch to registry \"%s\" for %s"),

220
		registry, user);

221
	} else {

222
		sudo_debug_printf(SUDO_DEBUG_INFO,

223
		    "%s: setting authentication registry to %s",

224
		    __func__, registry);

225
	}

226
    }

227
done:

228
    errno = serrno;

229
    debug_return_int(ret);

230
}

231


232
/*

233
 * Restore the saved authentication registry, if any.

234
 * Does not modify errno even on error since callers do not check return value.

235
 */

236
int

237
aix_restoreauthdb_v1(void)

238
{

239
    int serrno = errno;

240
    int ret = 0;

241
    debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL);

242


243
    if (setauthdb(old_registry, NULL) != 0) {

244
	sudo_warn("%s", U_("unable to restore registry"));

245
	ret = -1;

246
    } else {

247
	sudo_debug_printf(SUDO_DEBUG_INFO,

248
	    "%s: setting authentication registry to %s",

249
	    __func__, old_registry);

250
    }

251
    errno = serrno;

252
    debug_return_int(ret);

253
}

254
#endif

255


256
int

257
aix_prep_user_v1(char *user, const char *tty)

258
{

259
    char *info;

260
    int len;

261
    debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL);

262


263
    /* set usrinfo, like login(1) does */

264
    len = asprintf(&info, "NAME=%s%cLOGIN=%s%cLOGNAME=%s%cTTY=%s%c",

265
	user, '\0', user, '\0', user, '\0', tty ? tty : "", '\0');

266
    if (len == -1) {

267
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));

268
	debug_return_int(-1);

269
    }

270
    (void)usrinfo(SETUINFO, info, len);

271
    free(info);

272


273
#ifdef HAVE_SETAUTHDB

274
    /* set authentication registry */

275
    if (aix_setauthdb(user, NULL) != 0)

276
	debug_return_int(-1);

277
#endif

278


279
    /* set resource limits */

280
    if (aix_setlimits(user) != 0)

281
	debug_return_int(-1);

282


283
    debug_return_int(0);

284
}

285
#endif /* HAVE_GETUSERATTR */

286


287