diff options
| author |   millert <millert@openbsd.org> | 2015-05-19 16:05:12 +0000 |
|---|---|---|
| committer | millert <millert@openbsd.org> | 2015-05-19 16:05:12 +0000 |
| commit | 14fcad980f4cfaf10d9c8ed599c0a85c88c8aeff (patch) | |
| tree | 72bcefdc6acde1a1ba730d1028b2cbc3a2836365 /usr.sbin/chroot/chroot.c | |
| parent | Add -c flag to display the user's login class. OK espie@ (diff) | |
| download | wireguard-openbsd-14fcad980f4cfaf10d9c8ed599c0a85c88c8aeff.tar.xz wireguard-openbsd-14fcad980f4cfaf10d9c8ed599c0a85c88c8aeff.zip | |
When a user is specified via the -u flag, use setusercontext() to
setup (most of) the execution environment. We still have to defer
setting the actual uid until after we change root. OK deraadt@
Diffstat (limited to 'usr.sbin/chroot/chroot.c')
| -rw-r--r-- | usr.sbin/chroot/chroot.c | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/usr.sbin/chroot/chroot.c b/usr.sbin/chroot/chroot.c index c9cd972a652..6076f522a97 100644 --- a/usr.sbin/chroot/chroot.c +++ b/usr.sbin/chroot/chroot.c @@ -1,4 +1,4 @@ -/* $OpenBSD: chroot.c,v 1.13 2009/10/27 23:59:51 deraadt Exp $ */ +/* $OpenBSD: chroot.c,v 1.14 2015/05/19 16:05:12 millert Exp $ */ /* * Copyright (c) 1988, 1993 @@ -35,6 +35,7 @@ #include <errno.h> #include <grp.h> #include <limits.h> +#include <login_cap.h> #include <paths.h> #include <pwd.h> #include <stdio.h> @@ -50,11 +51,14 @@ main(int argc, char **argv) { struct group *grp; struct passwd *pwd; + login_cap_t *lc; const char *shell; char *user, *group, *grouplist; gid_t gidlist[NGROUPS_MAX]; int ch, ngids; + int flags = LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETUSER); + lc = NULL; ngids = 0; pwd = NULL; user = grouplist = NULL; @@ -80,8 +84,12 @@ main(int argc, char **argv) if (argc < 1) usage(); - if (user != NULL && (pwd = getpwnam(user)) == NULL) - errx(1, "no such user `%s'", user); + if (user != NULL) { + if ((pwd = getpwnam(user)) == NULL) + errx(1, "no such user `%s'", user); + if ((lc = login_getclass(pwd->pw_class)) == NULL) + err(1, "unable to get login class for `%s'", user); + } while ((group = strsep(&grouplist, ",")) != NULL) { if (*group == '\0') @@ -99,11 +107,11 @@ main(int argc, char **argv) err(1, "setgid"); if (setgroups(ngids, gidlist) != 0) err(1, "setgroups"); - } else if (pwd != NULL) { - if (setgid(pwd->pw_gid) != 0) - err(1, "setgid"); - if (initgroups(user, pwd->pw_gid) == -1) - err(1, "initgroups"); + flags &= ~LOGIN_SETGROUP; + } + if (lc != NULL) { + if (setusercontext(lc, pwd, pwd->pw_uid, flags) == -1) + err(1, "setusercontext"); } if (chroot(argv[0]) != 0 || chdir("/") != 0) @@ -115,7 +123,6 @@ main(int argc, char **argv) setlogin(pwd->pw_name); if (setuid(pwd->pw_uid) != 0) err(1, "setuid"); - endgrent(); } if (argv[1]) { |