From 14fcad980f4cfaf10d9c8ed599c0a85c88c8aeff Mon Sep 17 00:00:00 2001 From: millert Date: Tue, 19 May 2015 16:05:12 +0000 Subject: [PATCH] When a user is specified via the -u flag, use setusercontext() to setup (most of) the execution environment. We still have to defer setting the actual uid until after we change root. OK deraadt@ --- usr.sbin/chroot/chroot.8 | 10 ++++++++-- usr.sbin/chroot/chroot.c | 25 ++++++++++++++++--------- 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/usr.sbin/chroot/chroot.8 b/usr.sbin/chroot/chroot.8 index 02b96d7a960..ed478b24995 100644 --- a/usr.sbin/chroot/chroot.8 +++ b/usr.sbin/chroot/chroot.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: chroot.8,v 1.14 2010/07/08 06:52:30 jmc Exp $ +.\" $OpenBSD: chroot.8,v 1.15 2015/05/19 16:05:12 millert Exp $ .\" .\" Copyright (c) 1988, 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" from: @(#)chroot.8 8.1 (Berkeley) 6/9/93 .\" -.Dd $Mdocdate: July 8 2010 $ +.Dd $Mdocdate: May 19 2015 $ .Dt CHROOT 8 .Os .Sh NAME @@ -77,6 +77,11 @@ and databases unless overridden by the .Fl g option. +Additional settings may be applied as specified in +.Xr login.conf 5 +depending on +.Ar user Ns 's +login class. .El .Sh ENVIRONMENT .Bl -tag -width SHELL @@ -95,6 +100,7 @@ is used. .Sh SEE ALSO .Xr ldd 1 , .Xr group 5 , +.Xr login.conf 5 , .Xr passwd 5 , .Xr environ 7 .Sh HISTORY diff --git a/usr.sbin/chroot/chroot.c b/usr.sbin/chroot/chroot.c index c9cd972a652..6076f522a97 100644 --- a/usr.sbin/chroot/chroot.c +++ b/usr.sbin/chroot/chroot.c @@ -1,4 +1,4 @@ -/* $OpenBSD: chroot.c,v 1.13 2009/10/27 23:59:51 deraadt Exp $ */ +/* $OpenBSD: chroot.c,v 1.14 2015/05/19 16:05:12 millert Exp $ */ /* * Copyright (c) 1988, 1993 @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include @@ -50,11 +51,14 @@ main(int argc, char **argv) { struct group *grp; struct passwd *pwd; + login_cap_t *lc; const char *shell; char *user, *group, *grouplist; gid_t gidlist[NGROUPS_MAX]; int ch, ngids; + int flags = LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETUSER); + lc = NULL; ngids = 0; pwd = NULL; user = grouplist = NULL; @@ -80,8 +84,12 @@ main(int argc, char **argv) if (argc < 1) usage(); - if (user != NULL && (pwd = getpwnam(user)) == NULL) - errx(1, "no such user `%s'", user); + if (user != NULL) { + if ((pwd = getpwnam(user)) == NULL) + errx(1, "no such user `%s'", user); + if ((lc = login_getclass(pwd->pw_class)) == NULL) + err(1, "unable to get login class for `%s'", user); + } while ((group = strsep(&grouplist, ",")) != NULL) { if (*group == '\0') @@ -99,11 +107,11 @@ main(int argc, char **argv) err(1, "setgid"); if (setgroups(ngids, gidlist) != 0) err(1, "setgroups"); - } else if (pwd != NULL) { - if (setgid(pwd->pw_gid) != 0) - err(1, "setgid"); - if (initgroups(user, pwd->pw_gid) == -1) - err(1, "initgroups"); + flags &= ~LOGIN_SETGROUP; + } + if (lc != NULL) { + if (setusercontext(lc, pwd, pwd->pw_uid, flags) == -1) + err(1, "setusercontext"); } if (chroot(argv[0]) != 0 || chdir("/") != 0) @@ -115,7 +123,6 @@ main(int argc, char **argv) setlogin(pwd->pw_name); if (setuid(pwd->pw_uid) != 0) err(1, "setuid"); - endgrent(); } if (argv[1]) { -- 2.20.1