2 * Copyright (c) 2008, 2010-2011 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <sys/types.h>
20 #include <sys/resource.h>
30 #endif /* STDC_HEADERS */
37 #include "sudo_debug.h"
39 #define DEFAULT_TEXT_DOMAIN "sudo"
42 #ifdef HAVE_GETUSERATTR
44 #ifndef HAVE_SETRLIMIT64
45 # define setrlimit64(a, b) setrlimit(a, b)
46 # define rlimit64 rlimit
47 # define rlim64_t rlim_t
48 # define RLIM64_INFINITY RLIM_INFINITY
49 #endif /* HAVE_SETRLIMIT64 */
51 #ifndef RLIM_SAVED_MAX
52 # define RLIM_SAVED_MAX RLIM64_INFINITY
62 static struct aix_limit aix_limits[] = {
63 { RLIMIT_FSIZE, S_UFSIZE, S_UFSIZE_HARD, 512 },
64 { RLIMIT_CPU, S_UCPU, S_UCPU_HARD, 1 },
65 { RLIMIT_DATA, S_UDATA, S_UDATA_HARD, 512 },
66 { RLIMIT_STACK, S_USTACK, S_USTACK_HARD, 512 },
67 { RLIMIT_RSS, S_URSS, S_URSS_HARD, 512 },
68 { RLIMIT_CORE, S_UCORE, S_UCORE_HARD, 512 },
69 { RLIMIT_NOFILE, S_UNOFILE, S_UNOFILE_HARD, 1 }
73 aix_getlimit(char *user, char *lim, rlim64_t *valp)
76 debug_decl(aix_getlimit, SUDO_DEBUG_UTIL)
78 if (getuserattr(user, lim, &val, SEC_INT) != 0)
85 aix_setlimits(char *user)
90 debug_decl(aix_setlimits, SUDO_DEBUG_UTIL)
92 if (setuserdb(S_READ) != 0)
93 error(1, "unable to open userdb");
96 * For each resource limit, get the soft/hard values for the user
97 * and set those values via setrlimit64(). Must be run as euid 0.
99 for (n = 0; n < sizeof(aix_limits) / sizeof(aix_limits[0]); n++) {
101 * We have two strategies, depending on whether or not the
102 * hard limit has been defined.
104 if (aix_getlimit(user, aix_limits[n].hard, &val) == 0) {
105 rlim.rlim_max = val == -1 ? RLIM64_INFINITY : val * aix_limits[n].factor;
106 if (aix_getlimit(user, aix_limits[n].soft, &val) == 0)
107 rlim.rlim_cur = val == -1 ? RLIM64_INFINITY : val * aix_limits[n].factor;
109 rlim.rlim_cur = rlim.rlim_max; /* soft not specd, use hard */
111 /* No hard limit set, try soft limit, if it exists. */
112 if (aix_getlimit(user, aix_limits[n].soft, &val) == -1)
114 rlim.rlim_cur = val == -1 ? RLIM64_INFINITY : val * aix_limits[n].factor;
116 /* Set hard limit per AIX /etc/security/limits documentation. */
117 switch (aix_limits[n].resource) {
120 rlim.rlim_max = rlim.rlim_cur;
123 rlim.rlim_max = RLIM_SAVED_MAX;
126 rlim.rlim_max = RLIM64_INFINITY;
130 (void)setrlimit64(aix_limits[n].resource, &rlim);
136 #ifdef HAVE_SETAUTHDB
138 * Look up administrative domain for user (SYSTEM in /etc/security/user) and
139 * set it as the default for the process. This ensures that password and
140 * group lookups are made against the correct source (files, NIS, LDAP, etc).
143 aix_setauthdb(char *user)
146 debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL)
149 if (setuserdb(S_READ) != 0)
150 error(1, _("unable to open userdb"));
151 if (getuserattr(user, S_REGISTRY, ®istry, SEC_CHAR) == 0) {
152 if (setauthdb(registry, NULL) != 0)
153 error(1, _("unable to switch to registry \"%s\" for %s"),
162 * Restore the saved administrative domain, if any.
165 aix_restoreauthdb(void)
167 debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL)
169 if (setauthdb(NULL, NULL) != 0)
170 error(1, _("unable to restore registry"));
177 aix_prep_user(char *user, const char *tty)
181 debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL)
183 /* set usrinfo, like login(1) does */
184 len = easprintf(&info, "NAME=%s%cLOGIN=%s%cLOGNAME=%s%cTTY=%s%c",
185 user, '\0', user, '\0', user, '\0', tty ? tty : "", '\0');
186 (void)usrinfo(SETUINFO, info, len);
189 #ifdef HAVE_SETAUTHDB
190 /* set administrative domain */
194 /* set resource limits */
199 #endif /* HAVE_GETUSERATTR */