The consensus seems to be that "chroot -u" should apply the settings
in /etc/login.conf by default. Since this is a non-standard flag
we can do what we like with it. I should have used setusercontext()
when I added -u to chroot in the first place.
We can add a "-c class" option in the future if there turns out to
be a need for it.
- todd
Index: usr.sbin/chroot/chroot.8
===================================================================
RCS file: /cvs/src/usr.sbin/chroot/chroot.8,v
retrieving revision 1.14
diff -u -p -u -r1.14 chroot.8
--- usr.sbin/chroot/chroot.8 8 Jul 2010 06:52:30 -0000 1.14
+++ usr.sbin/chroot/chroot.8 19 May 2015 15:47:52 -0000
@@ -77,6 +77,11 @@ and
databases unless overridden by the
.Fl g
option.
+Additional settings may be applied as specified in
+.Xr login.conf 5
+depending on
+.Ar user Ns 's
+login class.
.El
.Sh ENVIRONMENT
.Bl -tag -width SHELL
@@ -95,6 +100,7 @@ is used.
.Sh SEE ALSO
.Xr ldd 1 ,
.Xr group 5 ,
+.Xr login.conf 5 ,
.Xr passwd 5 ,
.Xr environ 7
.Sh HISTORY
Index: usr.sbin/chroot/chroot.c
===================================================================
RCS file: /cvs/src/usr.sbin/chroot/chroot.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 chroot.c
--- usr.sbin/chroot/chroot.c 27 Oct 2009 23:59:51 -0000 1.13
+++ usr.sbin/chroot/chroot.c 19 May 2015 15:48:29 -0000
@@ -35,6 +35,7 @@
#include <errno.h>
#include <grp.h>
#include <limits.h>
+#include <login_cap.h>
#include <paths.h>
#include <pwd.h>
#include <stdio.h>
@@ -50,11 +51,14 @@ main(int argc, char **argv)
{
struct group *grp;
struct passwd *pwd;
+ login_cap_t *lc;
const char *shell;
char *user, *group, *grouplist;
gid_t gidlist[NGROUPS_MAX];
int ch, ngids;
+ int flags = LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETUSER);
+ lc = NULL;
ngids = 0;
pwd = NULL;
user = grouplist = NULL;
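Review bot: `flags` is declared as a signed `int`, yet it is used only as a bit mask and is handed to setusercontext(), whose flags parameter is unsigned. Declaring it as `unsigned int flags = LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETUSER);` avoids bitwise arithmetic on a signed value and the implicit conversion at the call. The reason for clearing those two bits is not stated; a comment such as `/* login name and uid are set after chroot(2), which still needs root */` would record it. The body of main() continues outside this hunk.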
@@ -80,8 +84,12 @@ main(int argc, char **argv)
if (argc < 1)
usage();
- if (user != NULL && (pwd = getpwnam(user)) == NULL)
- errx(1, "no such user `%s'", user);
+ if (user != NULL) {
+ if ((pwd = getpwnam(user)) == NULL)
+ errx(1, "no such user `%s'", user);
+ if ((lc = login_getclass(pwd->pw_class)) == NULL)
+ err(1, "unable to get login class for `%s'", user);
+ }
while ((group = strsep(&grouplist, ",")) != NULL) {
if (*group == '\0')
@@ -99,11 +107,11 @@ main(int argc, char **argv)
err(1, "setgid");
if (setgroups(ngids, gidlist) != 0)
err(1, "setgroups");
- } else if (pwd != NULL) {
- if (setgid(pwd->pw_gid) != 0)
- err(1, "setgid");
- if (initgroups(user, pwd->pw_gid) == -1)
- err(1, "initgroups");
+ flags &= ~LOGIN_SETGROUP;
+ }
+ if (lc != NULL) {
+ if (setusercontext(lc, pwd, pwd->pw_uid, flags) == -1)
+ err(1, "setusercontext");
}
if (chroot(argv[0]) != 0 || chdir("/") != 0)
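Review bot: The new `if (lc != NULL)` block relies on an ordering that is not written down. setusercontext() has to run before chroot(2) so that the login class and group data come from the host's databases, and it must leave the uid alone because chroot(2) still needs root; the actual drop happens in the later setuid() call outside this hunk. A comment above the call such as `/* apply login.conf settings while still root and before entering the new root; uid is dropped after chroot(2) */` would keep a later edit from reordering it. Because the mask still contains LOGIN_SETPATH and LOGIN_SETENV, the command executed afterwards presumably sees PATH and environment values from login.conf rather than the caller's, which the chroot.8 wording ("additional settings") could state explicitly. `lc` is also never released; adding `login_close(lc);` after the call would be tidy, although the process execs shortly afterwards.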
@@ -115,7 +123,6 @@ main(int argc, char **argv)
setlogin(pwd->pw_name);
if (setuid(pwd->pw_uid) != 0)
err(1, "setuid");
- endgrent();
}
if (argv[1]) {