> The consensus seems to be that "chroot -u" should apply the settings
> in /etc/login.conf by default. Since this is a non-standard flag
> we can do what we like with it. I should have used setusercontext()
> when I added -u to chroot in the first place.
>
> We can add a "-c class" option in the future if there turns out to
> be a need for it.
Looks good.
I think the consensus was easy to form. People using -u right now
collect root's giant limits, which is not sensible.
> Index: usr.sbin/chroot/chroot.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/chroot/chroot.8,v
> retrieving revision 1.14
> diff -u -p -u -r1.14 chroot.8
> --- usr.sbin/chroot/chroot.8 8 Jul 2010 06:52:30 -0000 1.14
> +++ usr.sbin/chroot/chroot.8 19 May 2015 15:47:52 -0000
> @@ -77,6 +77,11 @@ and
> databases unless overridden by the
> .Fl g
> option.
> +Additional settings may be applied as specified in
> +.Xr login.conf 5
> +depending on
> +.Ar user Ns 's
> +login class.
> .El
> .Sh ENVIRONMENT
> .Bl -tag -width SHELL
> @@ -95,6 +100,7 @@ is used.
> .Sh SEE ALSO
> .Xr ldd 1 ,
> .Xr group 5 ,
> +.Xr login.conf 5 ,
> .Xr passwd 5 ,
> .Xr environ 7
> .Sh HISTORY
> Index: usr.sbin/chroot/chroot.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/chroot/chroot.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 chroot.c
> --- usr.sbin/chroot/chroot.c 27 Oct 2009 23:59:51 -0000 1.13
> +++ usr.sbin/chroot/chroot.c 19 May 2015 15:48:29 -0000
> @@ -35,6 +35,7 @@
> #include <errno.h>
> #include <grp.h>
> #include <limits.h>
> +#include <login_cap.h>
> #include <paths.h>
> #include <pwd.h>
> #include <stdio.h>
> @@ -50,11 +51,14 @@ main(int argc, char **argv)
> {
> struct group *grp;
> struct passwd *pwd;
> + login_cap_t *lc;
> const char *shell;
> char *user, *group, *grouplist;
> gid_t gidlist[NGROUPS_MAX];
> int ch, ngids;
> + int flags = LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETUSER);
>
> + lc = NULL;
> ngids = 0;
> pwd = NULL;
> user = grouplist = NULL;
> @@ -80,8 +84,12 @@ main(int argc, char **argv)
> if (argc < 1)
> usage();
>
> - if (user != NULL && (pwd = getpwnam(user)) == NULL)
> - errx(1, "no such user `%s'", user);
> + if (user != NULL) {
> + if ((pwd = getpwnam(user)) == NULL)
> + errx(1, "no such user `%s'", user);
> + if ((lc = login_getclass(pwd->pw_class)) == NULL)
> + err(1, "unable to get login class for `%s'", user);
> + }
>
> while ((group = strsep(&grouplist, ",")) != NULL) {
> if (*group == '\0')
> @@ -99,11 +107,11 @@ main(int argc, char **argv)
> err(1, "setgid");
> if (setgroups(ngids, gidlist) != 0)
> err(1, "setgroups");
> - } else if (pwd != NULL) {
> - if (setgid(pwd->pw_gid) != 0)
> - err(1, "setgid");
> - if (initgroups(user, pwd->pw_gid) == -1)
> - err(1, "initgroups");
> + flags &= ~LOGIN_SETGROUP;
> + }
> + if (lc != NULL) {
> + if (setusercontext(lc, pwd, pwd->pw_uid, flags) == -1)
> + err(1, "setusercontext");
> }
>
> if (chroot(argv[0]) != 0 || chdir("/") != 0)
> @@ -115,7 +123,6 @@ main(int argc, char **argv)
> setlogin(pwd->pw_name);
> if (setuid(pwd->pw_uid) != 0)
> err(1, "setuid");
> - endgrent();
> }
>
> if (argv[1]) {
>
