There are at least two instances in sudo documentation that lead one to believe that `use_loginclass` and `sudo -c` behave differently than they do in the implementation WRT which of the target and calling users' loginclass gets applied.

sudoers(5):

    use_loginclass  If set, sudo will apply the defaults specified for the
                    target user's login class if one exists.  Only
                    available if sudo is configured with the
                    --with-logincap option.  This flag is off by default.

By "target user" I understand NAME in `sudo -uNAME CMD` or root in absence of `-u`.

sudo(8):

    -c class    The -c (class) option causes sudo to run the specified
                command with resources limited by the specified login class.
                The class argument can be either a class name as defined in
                /etc/login.conf, or a single `-' character.  Specifying a
                class of - indicates that the command should be run
                restricted by the default login capabilities for the user the
                command is run as.  If the class argument specifies an
                existing user class, the command must be run as root, or the
                sudo command must be run from a shell that is already root.
                This option is only available on systems with BSD login
                classes.

In the `sudo -c- CMD` case, I understand that "the user the command is run as" is a synonym of the previous "target user" term; NAME in `sudo -uNAME CMD` or root.

In spite of both of these, it's the calling user's loginclass that is effective. The patch below attempts to align sudo with the documentation. I have no idea if it causes unwarranted privileges to be granted later on in the call stack. Alternatively, the documentation should be fixed to reflect the less useful and counter-intuitive current behaviour.

diff --git a/usr.bin/sudo/sudo.c b/usr.bin/sudo/sudo.c index a299bdc..650c41a 100644 --- a/usr.bin/sudo/sudo.c +++ b/usr.bin/sudo/sudo.c @@ -305,7 +305,7 @@ main(argc, argv, envp) log_error(NO_STDERR|NO_EXIT, "problem with defaults entries"); /* Set login class if applicable. */ - set_loginclass(sudo_user.pw); + set_loginclass(runas_pw); /* Update initial shell now that runas is set. */ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
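
Review bot: at the changed call, set_loginclass(runas_pw), nothing in the hunk shows whether set_loginclass() relies on its argument to enforce the sudo(8) rule quoted above, that a named class requires the command to be run as root or sudo to be run from a shell that is already root. If that test is keyed on the passwd entry passed in, switching from sudo_user.pw to runas_pw would let it pass for any invoking user whenever the target is root (the default without -u), which is the "unwarranted privileges" case the message itself raises. Suggest confirming that the restriction still tests the invoking user, or keeping sudo_user.pw for that test and using runas_pw only to look up the class defaults. The context comment "Update initial shell now that runas is set" follows this call, so it is also worth confirming that runas_pw is already populated at this point in main().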