Following up on myself...
On Tue, May 14, 2002 at 04:06:16PM +0200, Jan-Frode Myklebust
wrote:> Hi,
>
> we're in the process of setting up large-page support on IBM regattas,
> but for large-page support the users have to have a set of extra
> capabilities (CAP_BYPASS_RAC_VMM,CAP_PROPAGATE). This are configured
> on a per user basis by listing which capability each user have in
> /etc/security/user.
>
> Unfortunately they don't get set when the users log in via OpenSSH
> (3.1p1).
It would be nice if someone more familiar with AIX could comment on this.
It seems to me that openbsd-compat/port-aix.c is doing more work than
it should to set up the user environment, but I don't know if this
might be for backward compatibility.
If instead of setting all limits manually via setrlimit() one were to
call setpcred()/setpenv() everything should be set up correctly,
including the capabilities. Here's a patch replacing the whole
body of set_limits_from_userattr() with calls to these functions. Please
consider applying this so that we get the full AIX environment set up.
I have only tested this on AIX 5.1, and have no idea if these calls
are available on earlier versions of AIX.
-jf
-------------- next part --------------
--- port-aix.h-original Wed May 29 11:29:00 2002
+++ port-aix.h Wed May 29 11:17:13 2002
@@ -1,7 +1,6 @@
#ifdef _AIX
#ifdef HAVE_GETUSERATTR
-void set_limit(char *user, char *soft, char *hard, int resource, int mult);
void set_limits_from_userattr(char *user);
#endif /* HAVE_GETUSERATTR */
-------------- next part --------------
--- port-aix.c-original Wed May 29 10:01:59 2002
+++ port-aix.c Wed May 29 11:27:50 2002
@@ -24,79 +24,16 @@
/*
* AIX-specific login initialisation
*/
-void
-set_limit(char *user, char *soft, char *hard, int resource, int mult)
-{
- struct rlimit rlim;
- int slim, hlim;
-
- getrlimit(resource, &rlim);
-
- slim = 0;
- if (getuserattr(user, soft, &slim, SEC_INT) != -1) {
- if (slim < 0) {
- rlim.rlim_cur = RLIM_INFINITY;
- } else if (slim != 0) {
- /* See the wackiness below */
- if (rlim.rlim_cur == slim * mult)
- slim = 0;
- else
- rlim.rlim_cur = slim * mult;
- }
- }
- hlim = 0;
- if (getuserattr(user, hard, &hlim, SEC_INT) != -1) {
- if (hlim < 0) {
- rlim.rlim_max = RLIM_INFINITY;
- } else if (hlim != 0) {
- rlim.rlim_max = hlim * mult;
- }
- }
-
- /*
- * XXX For cpu and fsize the soft limit is set to the hard limit
- * if the hard limit is left at its default value and the soft limit
- * is changed from its default value, either by requesting it
- * (slim == 0) or by setting it to the current default. At least
- * that's how rlogind does it. If you're confused you're
not alone.
- * Bug or feature? AIX 4.3.1.2
- */
- if ((!strcmp(soft, "fsize") || !strcmp(soft,
"cpu"))
- && hlim == 0 && slim != 0)
- rlim.rlim_max = rlim.rlim_cur;
- /* A specified hard limit limits the soft limit */
- else if (hlim > 0 && rlim.rlim_cur > rlim.rlim_max)
- rlim.rlim_cur = rlim.rlim_max;
- /* A soft limit can increase a hard limit */
- else if (rlim.rlim_cur > rlim.rlim_max)
- rlim.rlim_max = rlim.rlim_cur;
-
- if (setrlimit(resource, &rlim) != 0)
- error("setrlimit(%.10s) failed: %.100s", soft,
strerror(errno));
-}
void
set_limits_from_userattr(char *user)
{
- int mask;
- char buf[16];
-
- set_limit(user, S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512);
- set_limit(user, S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1);
- set_limit(user, S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512);
- set_limit(user, S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512);
- set_limit(user, S_URSS, S_URSS_HARD, RLIMIT_RSS, 512);
- set_limit(user, S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512);
-#if defined(S_UNOFILE)
- set_limit(user, S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1);
-#endif
-
- if (getuserattr(user, S_UMASK, &mask, SEC_INT) != -1) {
- /* Convert decimal to octal */
- (void) snprintf(buf, sizeof(buf), "%d", mask);
- if (sscanf(buf, "%o", &mask) == 1)
- umask(mask);
- }
+ /*
+ Set up the process credentials and process environment
+ based on the AIX userdatabase.
+ */
+ setpcred (user);
+ setpenv (user);
}
#endif /* defined(HAVE_GETUSERATTR) */