2 * Copyright (c) 2006 Darren Tucker. All rights reserved.
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
31 #include "openbsd-compat/openbsd-compat.h"
33 extern int use_privsep;
34 extern ServerOptions options;
37 platform_pre_listen(void)
39 #ifdef LINUX_OOM_ADJUST
40 /* Adjust out-of-memory killer so listening process is not killed */
46 platform_pre_fork(void)
48 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
49 solaris_contract_pre_fork();
54 platform_pre_restart(void)
56 #ifdef LINUX_OOM_ADJUST
62 platform_post_fork_parent(pid_t child_pid)
64 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
65 solaris_contract_post_fork_parent(child_pid);
70 platform_post_fork_child(void)
72 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
73 solaris_contract_post_fork_child();
75 #ifdef LINUX_OOM_ADJUST
80 /* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
82 platform_privileged_uidswap(void)
85 /* uid 0 is not special on Cygwin so always try */
88 return (getuid() == 0 || geteuid() == 0);
93 * This gets called before switching UIDs, and is called even when sshd is
94 * not running as root.
97 platform_setusercontext(struct passwd *pw)
100 /* Cache selinux status for later use */
101 (void)ssh_selinux_enabled();
104 #ifdef USE_SOLARIS_PROJECTS
106 * If solaris projects were detected, set the default now, unless
107 * we are using PAM in which case it is the responsibility of the
110 if (!options.use_pam && (getuid() == 0 || geteuid() == 0))
111 solaris_set_default_project(pw);
114 #if defined(HAVE_LOGIN_CAP) && defined (__bsdi__)
115 if (getuid() == 0 || geteuid() == 0)
119 #if defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
121 * If we have both LOGIN_CAP and PAM, we want to establish creds
122 * before calling setusercontext (in session.c:do_setusercontext).
124 if (getuid() == 0 || geteuid() == 0) {
125 if (options.use_pam) {
126 do_pam_setcred(use_privsep);
129 # endif /* USE_PAM */
131 #if !defined(HAVE_LOGIN_CAP) && defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
132 if (getuid() == 0 || geteuid() == 0) {
133 /* Sets login uid for accounting */
134 if (getluid() == -1 && setluid(pw->pw_uid) == -1)
135 error("setluid: %s", strerror(errno));
141 * This gets called after we've established the user's groups, and is only
142 * called if sshd is running as root.
145 platform_setusercontext_post_groups(struct passwd *pw)
147 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
149 * PAM credentials may take the form of supplementary groups.
150 * These will have been wiped by the above initgroups() call.
151 * Reestablish them here.
153 if (options.use_pam) {
154 do_pam_setcred(use_privsep);
158 #if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) || \
159 defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY))
160 irix_setusercontext(pw);
161 #endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
169 * If we have a chroot directory, we set all creds except real
170 * uid which we will need for chroot. If we don't have a
171 * chroot directory, we don't override anything.
174 char **creds = NULL, *chroot_creds[] =
175 { "REAL_USER=root", NULL };
177 if (options.chroot_directory != NULL &&
178 strcasecmp(options.chroot_directory, "none") != 0)
179 creds = chroot_creds;
181 if (setpcred(pw->pw_name, creds) == -1)
182 fatal("Failed to set process credentials");
184 #endif /* HAVE_SETPCRED */
186 ssh_selinux_setup_exec_context(pw->pw_name);
191 platform_krb5_get_principal_name(const char *pw_name)
193 #ifdef USE_AIX_KRB_NAME
194 return aix_krb5_get_principal_name(pw_name);