On Fri, Feb 18, 2022 at 03:25:51PM -0500, Ted Unangst wrote:
> On 2022-02-06, Ted Unangst wrote:
> > On 2022-02-05, Matthew Martin wrote:
> > > On Sat, Jan 29, 2022 at 06:25:32PM -0600, Matthew Martin wrote:
> > > > On Sat, Jan 29, 2022 at 07:10:00PM -0500, Ted Unangst wrote:
> > > > > I believe it would be better to add setrtable to id pledge.
> > >
> > > ping
> > >
> > > Also are there any opinions on adding LOGIN_SETRTABLE to doas?
> >
> > I think this diff looks fine.
> >
> > For doas, we can use setall with an extra note in the man page.
>
> Final auction for oks. I think all the login.conf.d changes are in now.
>
> Plan is add setrtable to pledge first so people don't get caught, then libc.
ping? > > Index: doas.1 > > =================================================================== > > RCS file: /home/cvs/src/usr.bin/doas/doas.1,v > > retrieving revision 1.25 > > diff -u -p -r1.25 doas.1 > > --- doas.1 16 Jan 2021 09:18:41 -0000 1.25 > > +++ doas.1 6 Feb 2022 18:41:53 -0000 > > @@ -54,6 +54,8 @@ and > > and the > > .Xr umask 2 > > are set to values appropriate for the target user. > > +Other values may also be set as specified in > > +.Pa /etc/login.conf . > > .Ev DOAS_USER > > is set to the name of the user executing > > .Nm . > > Index: doas.c > > =================================================================== > > RCS file: /home/cvs/src/usr.bin/doas/doas.c,v > > retrieving revision 1.93 > > diff -u -p -r1.93 doas.c > > --- doas.c 30 Nov 2021 20:08:15 -0000 1.93 > > +++ doas.c 6 Feb 2022 18:39:38 -0000 > > @@ -450,10 +450,7 @@ main(int argc, char **argv) > > if (targpw == NULL) > > errx(1, "no passwd entry for target"); > > > > - if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP | > > - LOGIN_SETPATH | > > - LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK | > > - LOGIN_SETUSER) != 0) > > + if (setusercontext(NULL, targpw, target, LOGIN_SETALL) == -1) > > errx(1, "failed to set user context for target"); > > > > if (pledge("stdio rpath exec", NULL) == -1) > > > >
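Review bot: In the doas.1 hunk, the added sentence "Other values may also be set as specified in /etc/login.conf" does not tell the reader which values are meant, although the point of the change is the routing table. Consider naming the routing table explicitly and using an .Xr cross-reference to login.conf 5 instead of a bare .Pa path, so the reader lands on the page that documents the capabilities. The thread also mentions login.conf.d changes, so a path-only reference to /etc/login.conf may not describe every place a setting can come from.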
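Review bot: In the doas.c hunk, replacing the six explicit flags with LOGIN_SETALL widens what a setuid program applies from login.conf beyond the routing table: LOGIN_SETALL also covers LOGIN_SETLOGIN and LOGIN_SETENV, which the removed list deliberately or accidentally left out, and any flag added to LOGIN_SETALL later will be picked up here without a doas change. If only the routing table is wanted, adding LOGIN_SETRTABLE to the existing list keeps the set explicit; if LOGIN_SETALL is intended, a short comment above the call saying so, and that setlogin and setenv handling were checked, would help future readers. The call also sits before the visible pledge("stdio rpath exec", NULL), so it runs under whatever earlier promises are in effect; per the thread, this should only land after setrtable is permitted by the id pledge, otherwise the new failure path ends in errx for users with an rtable configured.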