system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 10:48:02 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
freebsd-src/lib/libutil/login_class.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

631 lines
16 KiB
C
Raw Normal View History

Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
/*-
* Copyright (c) 1996 by
* Sean Eric Fagan <sef@kithrup.com>
* David Nugent <davidn@blaze.net.au>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, is permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice immediately at the beginning of the file, without modification,
* this list of conditions, and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. This work was done expressly for inclusion into FreeBSD. Other use
* is permitted provided this notation is included.
* 4. Absolutely no warranty of function or purpose is made by the authors.
* 5. Modifications may be freely made to this file providing the above
* conditions are met.
*
* High-level routines relating to use of the user capabilities database
*/
Add support for a new login capability, cpumask which allows login sessions to be pinned to cpus by login class.
2008-07-25 19:58:14 +00:00
#include <sys/param.h>
#include <sys/cpuset.h>
Tidy up. Sort headers.
2003-06-14 18:42:37 +00:00
#include <sys/mac.h>
include and whitespace cleanup.
2008-10-20 16:48:18 +00:00
#include <sys/resource.h>
Tidy up. Sort headers.
2003-06-14 18:42:37 +00:00
#include <sys/rtprio.h>
include and whitespace cleanup.
2008-10-20 16:48:18 +00:00
#include <sys/stat.h>
#include <sys/time.h>
#include <ctype.h>
#include <err.h>
Tidy up. Sort headers.
2003-06-14 18:42:37 +00:00
#include <errno.h>
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
#include <fcntl.h>
#include <login_cap.h>
#include <paths.h>
Tidy up. Sort headers.
2003-06-14 18:42:37 +00:00
#include <pwd.h>
setusercontext(): umask: Set it only once (in the common case) Simplify the code and make it more coherent (umask was the only context setting not modified by setlogincontext() directly). Preserve the current behavior of not changing the umask if none is specified in the login class capabilities database, but without the superfluous umask() dance. (The only exception to this is that a special value no user is likely to input in the database now stands for no specification.) If some user has a 'umask' override in its '~/.login_conf', the umask will still be set twice as before (as is the case for all other context settings overriden in '~/.login_conf'). Log a warning in case of an invalid umask specification. This change makes it apparent that the value of LOGIN_DEFUMASK doesn't matter. It will be removed in a subsequent commit. PR: 271747 Reviewed by: emaste, kib (earlier version) Approved by: emaste MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40344
2023-05-25 12:18:45 +00:00
#include <stdint.h>
Tidy up. Sort headers.
2003-06-14 18:42:37 +00:00
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
static struct login_res {
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
const char *what;
rlim_t (*who)(login_cap_t *, const char *, rlim_t, rlim_t);
int why;
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
} resources[] = {
Integrate the new MPSAFE TTY layer to the FreeBSD operating system. The last half year I've been working on a replacement TTY layer for the FreeBSD kernel. The new TTY layer was designed to improve the following: - Improved driver model: The old TTY layer has a driver model that is not abstract enough to make it friendly to use. A good example is the output path, where the device drivers directly access the output buffers. This means that an in-kernel PPP implementation must always convert network buffers into TTY buffers. If a PPP implementation would be built on top of the new TTY layer (still needs a hooks layer, though), it would allow the PPP implementation to directly hand the data to the TTY driver. - Improved hotplugging: With the old TTY layer, it isn't entirely safe to destroy TTY's from the system. This implementation has a two-step destructing design, where the driver first abandons the TTY. After all threads have left the TTY, the TTY layer calls a routine in the driver, which can be used to free resources (unit numbers, etc). The pts(4) driver also implements this feature, which means posix_openpt() will now return PTY's that are created on the fly. - Improved performance: One of the major improvements is the per-TTY mutex, which is expected to improve scalability when compared to the old Giant locking. Another change is the unbuffered copying to userspace, which is both used on TTY device nodes and PTY masters. Upgrading should be quite straightforward. Unlike previous versions, existing kernel configuration files do not need to be changed, except when they reference device drivers that are listed in UPDATING. Obtained from: //depot/projects/mpsafetty/... Approved by: philip (ex-mentor) Discussed: on the lists, at BSDCan, at the DevSummit Sponsored by: Snow B.V., the Netherlands dcons(4) fixed by: kan
2008-08-20 08:31:58 +00:00
{ "cputime", login_getcaptime, RLIMIT_CPU },
{ "filesize", login_getcapsize, RLIMIT_FSIZE },
{ "datasize", login_getcapsize, RLIMIT_DATA },
{ "stacksize", login_getcapsize, RLIMIT_STACK },
{ "memoryuse", login_getcapsize, RLIMIT_RSS },
{ "memorylocked", login_getcapsize, RLIMIT_MEMLOCK },
{ "maxproc", login_getcapnum, RLIMIT_NPROC },
{ "openfiles", login_getcapnum, RLIMIT_NOFILE },
{ "coredumpsize", login_getcapsize, RLIMIT_CORE },
{ "sbsize", login_getcapsize, RLIMIT_SBSIZE },
{ "vmemoryuse", login_getcapsize, RLIMIT_VMEM },
{ "pseudoterminals", login_getcapnum, RLIMIT_NPTS },
Usermode portion of the support for swap allocation accounting: - update for getrlimit(2) manpage; - support for setting RLIMIT_SWAP in login class; - addition to the limits(1) and sh and csh limit-setting builtins; - tuning(7) documentation on the sysctls controlling overcommit. In collaboration with: pho Reviewed by: alc Approved by: re (kensmith)
2009-06-23 20:57:27 +00:00
{ "swapuse", login_getcapsize, RLIMIT_SWAP },
Add a resource limit for the total number of kqueues available to the user. Kqueue now saves the ucred of the allocating thread, to correctly decrement the counter on close. Under some specific and not real-world use scenario for kqueue, it is possible for the kqueues to consume memory proportional to the square of the number of the filedescriptors available to the process. Limit allows administrator to prevent the abuse. This is kernel-mode side of the change, with the user-mode enabling commit following. Reported and tested by: pho Discussed with: jmg Sponsored by: The FreeBSD Foundation MFC after: 2 weeks
2013-10-21 16:46:12 +00:00
{ "kqueues", login_getcapsize, RLIMIT_KQUEUES },
Fix handling of umtxp resource limit in sh(1)/ulimit(1), limits(1), add login.conf(5) support. Reviewed by: jilles Sponsored by: The FreeBSD Foundation Differential revision: https://reviews.freebsd.org/D5610
2016-03-12 14:54:34 +00:00
{ "umtxp", login_getcapnum, RLIMIT_UMTXP },
Integrate the new MPSAFE TTY layer to the FreeBSD operating system. The last half year I've been working on a replacement TTY layer for the FreeBSD kernel. The new TTY layer was designed to improve the following: - Improved driver model: The old TTY layer has a driver model that is not abstract enough to make it friendly to use. A good example is the output path, where the device drivers directly access the output buffers. This means that an in-kernel PPP implementation must always convert network buffers into TTY buffers. If a PPP implementation would be built on top of the new TTY layer (still needs a hooks layer, though), it would allow the PPP implementation to directly hand the data to the TTY driver. - Improved hotplugging: With the old TTY layer, it isn't entirely safe to destroy TTY's from the system. This implementation has a two-step destructing design, where the driver first abandons the TTY. After all threads have left the TTY, the TTY layer calls a routine in the driver, which can be used to free resources (unit numbers, etc). The pts(4) driver also implements this feature, which means posix_openpt() will now return PTY's that are created on the fly. - Improved performance: One of the major improvements is the per-TTY mutex, which is expected to improve scalability when compared to the old Giant locking. Another change is the unbuffered copying to userspace, which is both used on TTY device nodes and PTY masters. Upgrading should be quite straightforward. Unlike previous versions, existing kernel configuration files do not need to be changed, except when they reference device drivers that are listed in UPDATING. Obtained from: //depot/projects/mpsafetty/... Approved by: philip (ex-mentor) Discussed: on the lists, at BSDCan, at the DevSummit Sponsored by: Snow B.V., the Netherlands dcons(4) fixed by: kan
2008-08-20 08:31:58 +00:00
{ NULL, 0, 0 }
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
};
void
setclassresources(login_cap_t *lc)
{
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
struct login_res *lr;
Various bugfixes.
1997-01-07 16:28:12 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if (lc == NULL)
return;
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
for (lr = resources; lr->what != NULL; ++lr) {
struct rlimit rlim;
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
/*
* The login.conf file can have <limit>, <limit>-max, and
* <limit>-cur entries.
* What we do is get the current current- and maximum- limits.
* Then, we try to get an entry for <limit> from the capability,
* using the current and max limits we just got as the
* default/error values.
* *Then*, we try looking for <limit>-cur and <limit>-max,
* again using the appropriate values as the default/error
* conditions.
*/
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if (getrlimit(lr->why, &rlim) != 0)
syslog(LOG_ERR, "getting %s resource limit: %m", lr->what);
else {
include and whitespace cleanup.
2008-10-20 16:48:18 +00:00
char name_cur[40];
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
char name_max[40];
rlim_t rcur = rlim.rlim_cur;
rlim_t rmax = rlim.rlim_max;
sprintf(name_cur, "%s-cur", lr->what);
sprintf(name_max, "%s-max", lr->what);
rcur = (*lr->who)(lc, lr->what, rcur, rcur);
rmax = (*lr->who)(lc, lr->what, rmax, rmax);
rlim.rlim_cur = (*lr->who)(lc, name_cur, rcur, rcur);
rlim.rlim_max = (*lr->who)(lc, name_max, rmax, rmax);
include and whitespace cleanup.
2008-10-20 16:48:18 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if (setrlimit(lr->why, &rlim) == -1)
syslog(LOG_WARNING, "set class '%s' resource limit %s: %m", lc->lc_class, lr->what);
}
}
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
}
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
static struct login_vars {
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
const char *tag;
const char *var;
const char *def;
Add additional field 'overwrite' to login_vars. It mainly needed to handle "term" according to manpage, i.e. not overwrite it, if already present in environment.
2002-06-28 14:45:30 +00:00
int overwrite;
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
} pathvars[] = {
Add additional field 'overwrite' to login_vars. It mainly needed to handle "term" according to manpage, i.e. not overwrite it, if already present in environment.
2002-06-28 14:45:30 +00:00
{ "path", "PATH", NULL, 1},
{ "cdpath", "CDPATH", NULL, 1},
{ "manpath", "MANPATH", NULL, 1},
{ NULL, NULL, NULL, 0}
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
}, envars[] = {
Add additional field 'overwrite' to login_vars. It mainly needed to handle "term" according to manpage, i.e. not overwrite it, if already present in environment.
2002-06-28 14:45:30 +00:00
{ "lang", "LANG", NULL, 1},
{ "charset", "MM_CHARSET", NULL, 1},
login.conf(5): split MAIL env var out into a "mail" capability This allows it to be easily suppressed in, e.g., the "daemon" class where it will not be properly expanded. This is a part of D21481. Submitted by: Andrew Gierth <andrew_tao173.riddles.org.uk>
2020-02-05 04:17:14 +00:00
{ "mail", "MAIL", NULL, 1},
Add additional field 'overwrite' to login_vars. It mainly needed to handle "term" according to manpage, i.e. not overwrite it, if already present in environment.
2002-06-28 14:45:30 +00:00
{ "timezone", "TZ", NULL, 1},
{ "term", "TERM", NULL, 0},
{ NULL, NULL, NULL, 0}
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
};
static char *
Const poisoning.
2002-04-08 11:04:56 +00:00
substvar(const char * var, const struct passwd * pwd, int hlen, int pch, int nlen)
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
{
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
char *np = NULL;
if (var != NULL) {
int tildes = 0;
int dollas = 0;
char *p;
Avoid assigning a const char * to a char *. MFC after: 3 weeks
2008-11-04 13:49:53 +00:00
const char *q;
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if (pwd != NULL) {
Avoid assigning a const char * to a char *. MFC after: 3 weeks
2008-11-04 13:49:53 +00:00
for (q = var; *q != '\0'; ++q) {
tildes += (*q == '~');
dollas += (*q == '$');
}
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
}
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
np = malloc(strlen(var) + (dollas * nlen)
- dollas + (tildes * (pch+hlen))
- tildes + 1);
if (np != NULL) {
p = strcpy(np, var);
if (pwd != NULL) {
/*
* This loop does user username and homedir substitutions
* for unescaped $ (username) and ~ (homedir)
*/
while (*(p += strcspn(p, "~$")) != '\0') {
int l = strlen(p);
fix potential memory overwrite in escape parsing PR: 11687 Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1999-05-13 16:16:46 +00:00
if (p > np && *(p-1) == '\\') /* Escaped: */
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
memmove(p - 1, p, l + 1); /* Slide-out the backslash */
else if (*p == '~') {
int v = pch && *(p+1) != '/'; /* Avoid double // */
memmove(p + hlen + v, p + 1, l); /* Subst homedir */
memmove(p, pwd->pw_dir, hlen);
if (v)
p[hlen] = '/';
p += hlen + v;
}
else /* if (*p == '$') */ {
memmove(p + nlen, p + 1, l); /* Subst username */
memmove(p, pwd->pw_name, nlen);
p += nlen;
}
}
}
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
}
}
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (np);
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
}
void
setclassenvironment(login_cap_t *lc, const struct passwd * pwd, int paths)
{
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
struct login_vars *vars = paths ? pathvars : envars;
int hlen = pwd ? strlen(pwd->pw_dir) : 0;
int nlen = pwd ? strlen(pwd->pw_name) : 0;
char pch = 0;
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if (hlen && pwd->pw_dir[hlen-1] != '/')
++pch;
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
while (vars->tag != NULL) {
Const poisoning.
2002-04-08 11:04:56 +00:00
const char * var = paths ? login_getpath(lc, vars->tag, NULL)
: login_getcapstr(lc, vars->tag, NULL, NULL);
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
char * np = substvar(var, pwd, hlen, pch, nlen);
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if (np != NULL) {
Add additional field 'overwrite' to login_vars. It mainly needed to handle "term" according to manpage, i.e. not overwrite it, if already present in environment.
2002-06-28 14:45:30 +00:00
setenv(vars->var, np, vars->overwrite);
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
free(np);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
} else if (vars->def != NULL) {
setenv(vars->var, vars->def, 0);
}
++vars;
}
/*
* If we're not processing paths, then see if there is a setenv list by
* which the admin and/or user may set an arbitrary set of env vars.
*/
if (!paths) {
ANSIfy, WARNSify, CONSTify. Bit of style(9)-ify.
2003-10-18 10:04:16 +00:00
const char **set_env = login_getcaplist(lc, "setenv", ",");
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if (set_env != NULL) {
while (*set_env != NULL) {
char *p = strchr(*set_env, '=');
setclassenvironment: trim leading spaces in variable names Trim leading spaces in variable names when the list is e.g. pretty-formatted in /etc/login.conf or ~/.login_conf. PR: 247947 Reviewed by: allanjude Differential Revision: https://reviews.freebsd.org/D25649
2021-04-11 22:02:12 +00:00
if (p != NULL && p != *set_env) { /* Discard invalid entries */
const char *ep;
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
char *np;
*p++ = '\0';
setclassenvironment: trim leading spaces in variable names Trim leading spaces in variable names when the list is e.g. pretty-formatted in /etc/login.conf or ~/.login_conf. PR: 247947 Reviewed by: allanjude Differential Revision: https://reviews.freebsd.org/D25649
2021-04-11 22:02:12 +00:00
/* Strip leading spaces from variable name */
ep = *set_env;
while (*ep == ' ' || *ep == '\t')
ep++;
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if ((np = substvar(p, pwd, hlen, pch, nlen)) != NULL) {
setclassenvironment: trim leading spaces in variable names Trim leading spaces in variable names when the list is e.g. pretty-formatted in /etc/login.conf or ~/.login_conf. PR: 247947 Reviewed by: allanjude Differential Revision: https://reviews.freebsd.org/D25649
2021-04-11 22:02:12 +00:00
setenv(ep, np, 1);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
free(np);
}
}
++set_env;
}
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
}
}
}
Add support for a new login capability, cpumask which allows login sessions to be pinned to cpus by login class.
2008-07-25 19:58:14 +00:00
static int
list2cpuset(const char *list, cpuset_t *mask)
{
enum { NONE, NUM, DASH } state;
int lastnum;
int curnum;
const char *l;
state = NONE;
curnum = lastnum = 0;
for (l = list; *l != '\0';) {
if (isdigit(*l)) {
curnum = atoi(l);
if (curnum > CPU_SETSIZE)
errx(EXIT_FAILURE,
"Only %d cpus supported", CPU_SETSIZE);
while (isdigit(*l))
l++;
switch (state) {
case NONE:
lastnum = curnum;
state = NUM;
break;
case DASH:
for (; lastnum <= curnum; lastnum++)
CPU_SET(lastnum, mask);
state = NONE;
break;
case NUM:
default:
return (0);
}
continue;
}
switch (*l) {
case ',':
switch (state) {
case NONE:
break;
case NUM:
CPU_SET(curnum, mask);
state = NONE;
break;
case DASH:
return (0);
break;
}
break;
case '-':
if (state != NUM)
return (0);
state = DASH;
break;
default:
return (0);
}
l++;
}
switch (state) {
case NONE:
break;
case NUM:
CPU_SET(curnum, mask);
break;
case DASH:
return (0);
}
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (1);
Add support for a new login capability, cpumask which allows login sessions to be pinned to cpus by login class.
2008-07-25 19:58:14 +00:00
}
void
setclasscpumask(login_cap_t *lc)
{
const char *maskstr;
cpuset_t maskset;
cpusetid_t setid;
maskstr = login_getcapstr(lc, "cpumask", NULL, NULL);
CPU_ZERO(&maskset);
if (maskstr == NULL)
return;
if (strcasecmp("default", maskstr) == 0)
return;
if (!list2cpuset(maskstr, &maskset)) {
syslog(LOG_WARNING,
"list2cpuset(%s) invalid mask specification", maskstr);
return;
}
if (cpuset(&setid) != 0) {
syslog(LOG_ERR, "cpuset(): %s", strerror(errno));
return;
}
if (cpuset_setaffinity(CPU_LEVEL_CPUSET, CPU_WHICH_PID, -1,
sizeof(maskset), &maskset) != 0)
syslog(LOG_ERR, "cpuset_setaffinity(%s): %s", maskstr,
strerror(errno));
}
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
/*
* setclasscontext()
*
* For the login class <class>, set various class context values
* (limits, mainly) to the values for that class. Which values are
* set are controlled by <flags> -- see <login_class.h> for the
* possible values.
*
* setclasscontext() can only set resources, priority, and umask.
*/
int
setclasscontext(const char *classname, unsigned int flags)
{
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
int rc;
login_cap_t *lc;
lc = login_getclassbyname(classname, NULL);
flags &= LOGIN_SETRESOURCES | LOGIN_SETPRIORITY |
LOGIN_SETUMASK | LOGIN_SETPATH;
rc = lc ? setusercontext(lc, NULL, 0, flags) : -1;
login_close(lc);
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (rc);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
}
setclassumask(): Accept 'inherit' as a value 'inherit' explicitly indicates that the umask should not be changed. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Relnotes: yes Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40687
2023-06-20 19:41:04 +00:00
static const char * const inherit_enum[] = {
"inherit",
NULL
};
setusercontext(): Set umask in a separate function, setclassumask() Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40686
2023-06-20 16:46:31 +00:00
/*
* Private function setting umask from the login class.
*/
static void
setclassumask(login_cap_t *lc, const struct passwd *pwd)
{
/*
* Make it unlikely that someone would input our default sentinel
* indicating no specification.
*/
const rlim_t def_val = INT64_MIN + 1, err_val = INT64_MIN;
setclassumask(): Accept 'inherit' as a value 'inherit' explicitly indicates that the umask should not be changed. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Relnotes: yes Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40687
2023-06-20 19:41:04 +00:00
rlim_t val;
/* If value is "inherit", nothing to change. */
if (login_getcapenum(lc, "umask", inherit_enum) == 0)
return;
val = login_getcapnum(lc, "umask", def_val, err_val);
setusercontext(): Set umask in a separate function, setclassumask() Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40686
2023-06-20 16:46:31 +00:00
if (val != def_val) {
if (val < 0 || val > UINT16_MAX) {
/* We get here also on 'err_val'. */
syslog(LOG_WARNING,
"%s%s%sLogin class '%s': "
"Invalid umask specification: '%s'",
pwd ? "Login '" : "",
pwd ? pwd->pw_name : "",
pwd ? "': " : "",
lc->lc_class,
login_getcapstr(lc, "umask", "", ""));
} else {
const mode_t mode = val;
umask(mode);
}
}
}
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
/*
Fix one kind of style(9) bug and a typo in a comment. Tested with: md5(1)
2007-05-01 18:50:33 +00:00
* Private function which takes care of processing
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
*/
setusercontext(): umask: Set it only once (in the common case) Simplify the code and make it more coherent (umask was the only context setting not modified by setlogincontext() directly). Preserve the current behavior of not changing the umask if none is specified in the login class capabilities database, but without the superfluous umask() dance. (The only exception to this is that a special value no user is likely to input in the database now stands for no specification.) If some user has a 'umask' override in its '~/.login_conf', the umask will still be set twice as before (as is the case for all other context settings overriden in '~/.login_conf'). Log a warning in case of an invalid umask specification. This change makes it apparent that the value of LOGIN_DEFUMASK doesn't matter. It will be removed in a subsequent commit. PR: 271747 Reviewed by: emaste, kib (earlier version) Approved by: emaste MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40344
2023-05-25 12:18:45 +00:00
static void
setlogincontext(login_cap_t *lc, const struct passwd *pwd, unsigned long flags)
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
{
setlogincontext(): Comply to style(9) Remove indentation by inverting the big 'if (lc)' and using 'return'. Use explicit binary operators to produce booleans. Reviewed by: emaste, kib, dchagin Approved by: emaste (mentor) MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40346
2023-05-25 14:29:22 +00:00
if (lc == NULL)
return;
/* Set resources. */
if ((flags & LOGIN_SETRESOURCES) != 0)
setclassresources(lc);
/* See if there's a umask override. */
if ((flags & LOGIN_SETUMASK) != 0)
setclassumask(lc, pwd);
/* Set paths. */
if ((flags & LOGIN_SETPATH) != 0)
setclassenvironment(lc, pwd, 1);
/* Set environment. */
if ((flags & LOGIN_SETENV) != 0)
setclassenvironment(lc, pwd, 0);
/* Set cpu affinity. */
if ((flags & LOGIN_SETCPUMASK) != 0)
setclasscpumask(lc);
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
}
setusercontext(): Move priority setting in new setclasspriority() In preparation for setting priorities from '~/.login_conf' and to ease reading of setusercontext(). No functional change. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40350
2023-05-29 17:09:36 +00:00
/*
* Private function to set process priority.
*/
static void
setclasspriority(login_cap_t * const lc, struct passwd const * const pwd)
{
login_cap.h: Remove LOGIN_DEFPRI This is an implementation detail which is likely to become irrelevant in the future, as we move to not resetting the priority if the corresponding capability is not present in the configuration file ('/etc/login.conf'). GitHub's code search and Google show no use of this public constant, and it doesn't exist in OpenBSD and NetBSD. So, remove this definition and its sole use in-tree. PR: 276570 (exp-run) Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D43609
2024-01-25 22:25:10 +00:00
const rlim_t def_val = 0, err_val = INT64_MIN;
setclasspriority(): New possible value 'inherit' It indicates to the login.conf machinery (setusercontext() / setclasscontext()) to leave priority alone, effectively inheriting it from the parent process. PR: 271749 Reviewed by: emaste, yuripv Approved by: emaste (mentor) MFC after: 3 days Relnotes: yes Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40690
2023-06-21 08:53:37 +00:00
rlim_t p;
setusercontext(): Move priority setting in new setclasspriority() In preparation for setting priorities from '~/.login_conf' and to ease reading of setusercontext(). No functional change. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40350
2023-05-29 17:09:36 +00:00
int rc;
setclasspriority(): New possible value 'inherit' It indicates to the login.conf machinery (setusercontext() / setclasscontext()) to leave priority alone, effectively inheriting it from the parent process. PR: 271749 Reviewed by: emaste, yuripv Approved by: emaste (mentor) MFC after: 3 days Relnotes: yes Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40690
2023-06-21 08:53:37 +00:00
/* If value is "inherit", nothing to change. */
if (login_getcapenum(lc, "priority", inherit_enum) == 0)
return;
p = login_getcapnum(lc, "priority", def_val, err_val);
setusercontext(): Move priority setting in new setclasspriority() In preparation for setting priorities from '~/.login_conf' and to ease reading of setusercontext(). No functional change. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40350
2023-05-29 17:09:36 +00:00
if (p == err_val) {
/* Invariant: 'lc' != NULL. */
syslog(LOG_WARNING,
"%s%s%sLogin class '%s': "
"Invalid priority specification: '%s'",
pwd ? "Login '" : "",
pwd ? pwd->pw_name : "",
pwd ? "': " : "",
lc->lc_class,
login_getcapstr(lc, "priority", "", ""));
/* Reset the priority, as if the capability was not present. */
p = def_val;
}
if (p > PRIO_MAX) {
struct rtprio rtp;
rtp.type = RTP_PRIO_IDLE;
p += RTP_PRIO_MIN - (PRIO_MAX + 1);
rtp.prio = p > RTP_PRIO_MAX ? RTP_PRIO_MAX : p;
rc = rtprio(RTP_SET, 0, &rtp);
} else if (p < PRIO_MIN) {
struct rtprio rtp;
rtp.type = RTP_PRIO_REALTIME;
p += RTP_PRIO_MAX - (PRIO_MIN - 1);
rtp.prio = p < RTP_PRIO_MIN ? RTP_PRIO_MIN : p;
rc = rtprio(RTP_SET, 0, &rtp);
} else
rc = setpriority(PRIO_PROCESS, 0, (int)p);
if (rc != 0)
syslog(LOG_WARNING,
"%s%s%sLogin class '%s': "
"Setting priority failed: %m",
pwd ? "Login '" : "",
pwd ? pwd->pw_name : "",
pwd ? "': " : "",
lc ? lc->lc_class : "<none>");
}
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
/*
* setusercontext()
*
* Given a login class <lc> and a user in <pwd>, with a uid <uid>,
* set the context as in setclasscontext(). <flags> controls which
* values are set.
*
* The difference between setclasscontext() and setusercontext() is
* that the former sets things up for an already-existing process,
* while the latter sets things up from a root context. Such as might
* be called from login(1).
*
*/
int
setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned int flags)
{
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
login_cap_t *llc = NULL;
If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see if the user has a 'label' entry in their login class. If so, attempt to set that label on the process as part of the credential setup. If we're unable to parse the label, or unable to set the label, fail. In the future, we may also want to warn if a label is set but the kernel doesn't support MAC. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-23 03:17:22 +00:00
int error;
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
if (lc == NULL) {
if (pwd != NULL && (lc = login_getpwclass(pwd)) != NULL)
llc = lc; /* free this when we're done */
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
}
if (flags & LOGIN_SETPATH)
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
pathvars[0].def = uid ? _PATH_DEFPATH : _PATH_STDPATH;
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
/* we need a passwd entry to set these */
if (pwd == NULL)
Add LOGIN_SETMAC to the list of flags that can't be set without class information, since we rely on the pwd entry to know what MAC labels to set as part of the login process. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-12 22:30:01 +00:00
flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN | LOGIN_SETMAC);
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
/* Set the process priority */
setusercontext(): Move priority setting in new setclasspriority() In preparation for setting priorities from '~/.login_conf' and to ease reading of setusercontext(). No functional change. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40350
2023-05-29 17:09:36 +00:00
if (flags & LOGIN_SETPRIORITY)
setclasspriority(lc, pwd);
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
/* Setup the user's group permissions */
if (flags & LOGIN_SETGROUP) {
if (setgid(pwd->pw_gid) != 0) {
Print uid/gid as u_long per bde suggestion
1998-07-29 14:05:01 +00:00
syslog(LOG_ERR, "setgid(%lu): %m", (u_long)pwd->pw_gid);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
login_close(llc);
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (-1);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
}
if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
Print uid/gid as u_long per bde suggestion
1998-07-29 14:05:01 +00:00
syslog(LOG_ERR, "initgroups(%s,%lu): %m", pwd->pw_name,
(u_long)pwd->pw_gid);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
login_close(llc);
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (-1);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
}
}
If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see if the user has a 'label' entry in their login class. If so, attempt to set that label on the process as part of the credential setup. If we're unable to parse the label, or unable to set the label, fail. In the future, we may also want to warn if a label is set but the kernel doesn't support MAC. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-23 03:17:22 +00:00
/* Set up the user's MAC label. */
if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
const char *label_string;
mac_t label;
label_string = login_getcapstr(lc, "label", NULL, NULL);
if (label_string != NULL) {
if (mac_from_text(&label, label_string) == -1) {
syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
pwd->pw_name, label_string);
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (-1);
If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see if the user has a 'label' entry in their login class. If so, attempt to set that label on the process as part of the credential setup. If we're unable to parse the label, or unable to set the label, fail. In the future, we may also want to warn if a label is set but the kernel doesn't support MAC. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-23 03:17:22 +00:00
}
if (mac_set_proc(label) == -1)
error = errno;
else
error = 0;
mac_free(label);
if (error != 0) {
syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
label_string, pwd->pw_name, strerror(error));
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (-1);
If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see if the user has a 'label' entry in their login class. If so, attempt to set that label on the process as part of the credential setup. If we're unable to parse the label, or unable to set the label, fail. In the future, we may also want to warn if a label is set but the kernel doesn't support MAC. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-23 03:17:22 +00:00
}
}
}
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
/* Set the sessions login */
if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
login_close(llc);
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (-1);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
}
Add two new system calls, setloginclass(2) and getloginclass(2). This makes it possible for the kernel to track login class the process is assigned to, which is required for RCTL. This change also make setusercontext(3) call setloginclass(2) and makes it possible to retrieve current login class using id(1). Reviewed by: kib (as part of a larger patch)
2011-03-05 12:40:35 +00:00
/* Inform the kernel about current login class */
if (lc != NULL && lc->lc_class != NULL && (flags & LOGIN_SETLOGINCLASS)) {
error = setloginclass(lc->lc_class);
if (error != 0) {
syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class);
#ifdef notyet
login_close(llc);
return (-1);
#endif
}
}
setusercontext(): umask: Set it only once (in the common case) Simplify the code and make it more coherent (umask was the only context setting not modified by setlogincontext() directly). Preserve the current behavior of not changing the umask if none is specified in the login class capabilities database, but without the superfluous umask() dance. (The only exception to this is that a special value no user is likely to input in the database now stands for no specification.) If some user has a 'umask' override in its '~/.login_conf', the umask will still be set twice as before (as is the case for all other context settings overriden in '~/.login_conf'). Log a warning in case of an invalid umask specification. This change makes it apparent that the value of LOGIN_DEFUMASK doesn't matter. It will be removed in a subsequent commit. PR: 271747 Reviewed by: emaste, kib (earlier version) Approved by: emaste MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40344
2023-05-25 12:18:45 +00:00
setlogincontext(lc, pwd, flags);
Various bugfixes.
1997-01-07 16:28:12 +00:00
login_close(llc);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
/* This needs to be done after anything that needs root privs */
if ((flags & LOGIN_SETUSER) && setuid(uid) != 0) {
Print uid/gid as u_long per bde suggestion
1998-07-29 14:05:01 +00:00
syslog(LOG_ERR, "setuid(%lu): %m", (u_long)uid);
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (-1); /* Paranoia again */
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
}
/*
* Now, we repeat some of the above for the user's private entries
*/
setusercontext(): Apply personal settings only on matching effective UID Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal to getuid() before calling setlogincontext(). Doing so still allows a setuid program to apply resource limits and priorities specified in a user-controlled configuration file ('~/.login_conf') where a non-setuid program could not. Plug the hole by checking instead that the process' effective UID is the target one (which is likely what was meant in the initial commit). PR: 271750 Reviewed by: kib, des MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40351
2023-05-30 16:35:08 +00:00
if (geteuid() == uid && (lc = login_getuserclass(pwd)) != NULL) {
setusercontext(): umask: Set it only once (in the common case) Simplify the code and make it more coherent (umask was the only context setting not modified by setlogincontext() directly). Preserve the current behavior of not changing the umask if none is specified in the login class capabilities database, but without the superfluous umask() dance. (The only exception to this is that a special value no user is likely to input in the database now stands for no specification.) If some user has a 'umask' override in its '~/.login_conf', the umask will still be set twice as before (as is the case for all other context settings overriden in '~/.login_conf'). Log a warning in case of an invalid umask specification. This change makes it apparent that the value of LOGIN_DEFUMASK doesn't matter. It will be removed in a subsequent commit. PR: 271747 Reviewed by: emaste, kib (earlier version) Approved by: emaste MFC after: 3 days Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40344
2023-05-25 12:18:45 +00:00
setlogincontext(lc, pwd, flags);
setusercontext(): Set priority from '~/.login_conf' as well Setting the process priority is done only when the current process' effective UID corresponds to that for which context is to be set. Consequently, setting priority is done with appropriate credentials and will fail if the target user tries to raise it unduly via his '~/.login_conf'. PR: 271751 Reviewed by: kib, Andrew Gierth <andrew_tao173.riddles.org.uk> Approved by: emaste (mentor) MFC after: 3 days Relnotes: yes Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40352
2023-05-30 15:14:50 +00:00
if (flags & LOGIN_SETPRIORITY)
setclasspriority(lc, pwd);
Summary of login.conf support changes: o Incorporated BSDI code and enhancements, better logging for error checking (which has been shown to be a problem, and is therefore justified, imho); also some minor things we were missing, including better quad_t math, which checks for under/overflows. o setusercontext() now allows user resource limit overrides, but does this AFTER dropping root privs, to restrict the user to droping hard limits and set soft limits within the kernel's allowed user limits. o umask() only set once, and only if requested. o add _secure_path(), and use in login.conf to guard against symlinks etc. and non-root owned or non-user owned files being used. Derived from BSDI contributed code. o revamped authentication code to BSDI's latest api, which includes deleting authenticate() and adding auth_check() and a few other functions. This is still marked as depecated in BSDI, but is included for completeness. No other source in the tree uses this anyway, so it is now bracketed with #ifdef LOGIN_CAP_AUTH which is by default not defined. Only auth_checknologin() and auth_cat() are actually used in module login_auth.c. o AUTH_NONE definition removed (collided with other includes in the tree). [bde] o BSDI's login_getclass() now accepts a char *classname parameter rather than struct passwd *pwd. We now do likewise, but added login_getpwclass() for (sort of) backwards compatiblity, namely because we handle root as a special case for the default class. This will require quite a few changes elsewhere in the source tree. o We no longer pretend to support rlim_t as a long type. o Revised code formatting to be more bsd-ish style.
1997-05-10 18:55:38 +00:00
login_close(lc);
}
Parenthesize return values.
2008-10-20 16:51:43 +00:00
return (0);
Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
1997-01-04 16:50:08 +00:00
}
Reference in a new issue Copy permalink