Date: Sat, 15 Apr 2006 10:37:43 +0800 (CST)
From: Cheng-Lung Sung <clsung@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/95777: [patch] -u|-U options in jexec
Message-ID: <20060415023743.5D1C628493@going04.iis.sinica.edu.tw>
Resent-Message-ID: <200604150240.k3F2eHvf006254@freefall.freebsd.org>
>Number:         95777
>Category:       bin
>Synopsis:       [patch] -u|-U options in jexec
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 15 02:40:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Cheng-Lung Sung
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
FreeBSD @ Taiwan
>Environment:
System: FreeBSD going04.iis.sinica.edu.tw 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #2: Fri Apr 7 12:57:51 CST 2006 root@going04.iis.sinica.edu.tw:/usr/obj/usr/src/sys/GENERIC i386
>Description:
I think the jexec command should be able to execute as a different user, just like jail(8) does.
Also refer to http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/94730
>How-To-Repeat:
jexec <jid> cmd...
jexec -u|-U username <jid> cmd...
>Fix:
--- /usr/src/usr.sbin/jexec/jexec.c Sat Jul 5 03:14:27 2003
+++ jexec/jexec.c Sat Apr 15 01:12:12 2006
@@ -30,26 +30,84 @@ #include <sys/jail.h> #include <err.h> +#include <errno.h> +#include <login_cap.h> #include <stdio.h> #include <stdlib.h> +#include <pwd.h> #include <unistd.h> static void usage(void); +#define GET_USER_INFO do { \ + pwd = getpwnam(username); \ + if (pwd == NULL) { \ + if (errno) \ + err(1, "getpwnam: %s", username); \ + else \ + errx(1, "%s: no such user", username); \ + } \ + lcap = login_getpwclass(pwd); \ + if (lcap == NULL) \ + err(1, "getpwclass: %s", username); \ + ngroups = NGROUPS; \ + if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) \ + err(1, "getgrouplist: %s", username); \ +} while (0) + int main(int argc, char *argv[]) { int jid; + login_cap_t *lcap = NULL; + struct passwd *pwd = NULL; + gid_t groups[NGROUPS]; + int ch, ngroups, uflag, Uflag; + char *username; + ch = uflag = Uflag = 0; + username = NULL; - if (argc < 3) + while ((ch = getopt(argc, argv, "u:U:")) != -1) { + switch (ch) { + case 'u': + username = optarg; + uflag = 1; + break; + case 'U': + username = optarg; + Uflag = 1; + break; + default: + usage(); + } + } + argc -= optind; + argv += optind; + if (argc < 2) + usage(); + if (uflag && Uflag) usage(); - jid = (int)strtol(argv[1], NULL, 10); + if (uflag) + GET_USER_INFO; + jid = (int)strtol(argv[0], NULL, 10); if (jail_attach(jid) == -1) err(1, "jail_attach(): %d", jid); if (chdir("/") == -1) err(1, "chdir(): /"); - if (execvp(argv[2], argv + 2) == -1) - err(1, "execvp(): %s", argv[2]); + if (username != NULL) { + if (Uflag) + GET_USER_INFO; + if (setgroups(ngroups, groups) != 0) + err(1, "setgroups"); + if (setgid(pwd->pw_gid) != 0) + err(1, "setgid"); + if (setusercontext(lcap, pwd, pwd->pw_uid, + LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0) + err(1, "setusercontext"); + login_close(lcap); + } + if (execvp(argv[1], argv + 1) == -1) + err(1, "execvp(): %s", argv[1]); exit(0); } 
@@ -57,6 +115,8 @@ usage(void) { - fprintf(stderr, "usage: jexec jid command [...]\n"); + fprintf(stderr, "%s%s\n", + "usage: jexec [-u username | -U username]", + " jid command [...]"); exit(1); } >Release-Note: >Audit-Trail: >Unformatted:
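Review bot: the difference between -u and -U is not explained anywhere in the patch, and it is the security-relevant part of the main() hunk. With -u, GET_USER_INFO runs before jail_attach(), so getpwnam(), login_getpwclass() and getgrouplist() consult the host's passwd database and login.conf; with -U it runs after jail_attach(), so the same lookups, and the resource limits, umask, environment and PATH that setusercontext() applies under LOGIN_SETALL, come from databases the jail's root controls, and the subsequent execvp(argv[1], ...) resolves the command against that jail-supplied PATH. That is the same split jail(8) makes, but please state it in the PR description and in a comment beside `if (uflag) GET_USER_INFO;` and `if (Uflag) GET_USER_INFO;` so a reader does not take the two flags as interchangeable. Two smaller points in the same hunk: errno is not cleared before the getpwnam() call inside GET_USER_INFO, so a stale errno from an earlier library call turns the "%s: no such user" branch into a misleading err(1, "getpwnam: %s", ...) message (add `errno = 0;` as the macro's first statement); and `jid = (int)strtol(argv[0], NULL, 10);` still accepts a non-numeric jid as 0, which, since the argument positions are being shifted anyway, is a cheap moment to check the end pointer and reject garbage before jail_attach() is called.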
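Review bot: the usage() string now advertises -u and -U, but the patch touches only jexec.c and carries no change to the jexec(8) manual page, so neither option nor the host-versus-jail lookup distinction between them is documented anywhere a user would look. Please add both options to jexec.8 in the same commit, using the wording jail(8) already uses for its own -u and -U flags, since the description says the behaviour is meant to mirror jail(8).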