On FreeBSD limits set by the user's class (in /etc/login.conf) would
not be respected when running doas. The default class would always
be used, ignoring both the calling user's class and the target user's class.

This came about because FreeBSD has a "class" field in the password
structure, but other supported systems like Linux do not. doas.c and
env.c have been patched to support FreeBSD's class field in the password
structure. Login class limits are now respected.
Jesse Smith 2021-05-30 12:27:44 -03:00
parent d291aba9b0
commit ab3ae5ad41
2 changed files with 4 additions and 1 deletions

2
doas.c

@ -520,7 +520,7 @@ main(int argc, char **argv)
#if defined(HAVE_LOGIN_CAP_H)
if (setusercontext(NULL, target_pw, target, LOGIN_SETGROUP |
if (setusercontext(NULL, target_pw, target, LOGIN_SETLOGINCLASS | LOGIN_SETGROUP |
LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
LOGIN_SETUSER) != 0)
errx(1, "failed to set user context for target");
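Review bot: LOGIN_SETLOGINCLASS is added to the setusercontext() flags under the broad `HAVE_LOGIN_CAP_H` guard, while the matching env.c change is guarded by `__FreeBSD__`; if HAVE_LOGIN_CAP_H is ever defined on a system whose login_cap.h lacks this flag, doas.c stops compiling there. A fallback ahead of the call, `#ifndef LOGIN_SETLOGINCLASS` / `#define LOGIN_SETLOGINCLASS 0` / `#endif`, keeps the build portable without changing FreeBSD behaviour. Because the first argument is NULL, the class is presumably looked up from `target_pw->pw_class`, so a short comment such as `/* login class comes from target_pw->pw_class, which must be a valid string */` would record that dependency on the env.c copy. main() starts and ends outside the hunk.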

3
env.c

@ -102,6 +102,9 @@ copyenvpw(struct passwd *my_static)
new_pw->pw_passwd = strdup(my_static->pw_passwd);
new_pw->pw_uid = my_static->pw_uid;
new_pw->pw_gid = my_static->pw_gid;
#if defined(__FreeBSD__)
new_pw->pw_class = strdup(my_static->pw_class);
#endif
new_pw->pw_gecos = strdup(my_static->pw_gecos);
new_pw->pw_dir = strdup(my_static->pw_dir);
new_pw->pw_shell = strdup(my_static->pw_shell);
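Review bot: The new `strdup(my_static->pw_class)` result is never checked, and for this field a NULL is not harmless: setusercontext() in doas.c is called with a NULL class argument and, as far as I know, falls back to the default login class when pw_class is missing, so an allocation failure would quietly replace the target's class limits with the defaults instead of aborting. I would fail closed right after the copy, e.g. `if (new_pw->pw_class == NULL) return NULL;`, provided the caller treats NULL as fatal and the earlier copies are released on that path (neither is visible here). The neighbouring strdup() calls are unchecked as well, and the copy assumes `my_static->pw_class` is itself non-NULL. copyenvpw() starts and ends outside the hunk.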