From owner-freebsd-bugs@FreeBSD.ORG Sat Apr 15 02:40:21 2006
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C60216A408 for ; Sat, 15 Apr 2006 02:40:21 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C7B943D49 for ; Sat, 15 Apr 2006 02:40:18 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k3F2eHKT006255 for ; Sat, 15 Apr 2006 02:40:17 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k3F2eHvf006254; Sat, 15 Apr 2006 02:40:17 GMT (envelope-from gnats)
Resent-Date: Sat, 15 Apr 2006 02:40:17 GMT
Resent-Message-Id: <200604150240.k3F2eHvf006254@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Cheng-Lung Sung
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 02D6716A400 for ; Sat, 15 Apr 2006 02:37:31 +0000 (UTC) (envelope-from clsung@going04.iis.sinica.edu.tw)
Received: from going04.iis.sinica.edu.tw (going04.iis.sinica.edu.tw [140.109.19.154]) by mx1.FreeBSD.org (Postfix) with ESMTP id A5B9943D45 for ; Sat, 15 Apr 2006 02:37:30 +0000 (GMT) (envelope-from clsung@going04.iis.sinica.edu.tw)
Received: by going04.iis.sinica.edu.tw (Postfix, from userid 1002) id 5D1C628493; Sat, 15 Apr 2006 10:37:43 +0800 (CST)
Message-Id: <20060415023743.5D1C628493@going04.iis.sinica.edu.tw>
Date: Sat, 15 Apr 2006 10:37:43 +0800 (CST)
From: Cheng-Lung Sung
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: bin/95777: [patch] -u|-U options in jexec
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Cheng-Lung Sung
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 15 Apr 2006 02:40:21 -0000

>Number:         95777
>Category:       bin
>Synopsis:       [patch] -u|-U options in jexec
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 15 02:40:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Cheng-Lung Sung
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
FreeBSD @ Taiwan
>Environment:
System: FreeBSD going04.iis.sinica.edu.tw 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #2: Fri Apr 7 12:57:51 CST 2006 root@going04.iis.sinica.edu.tw:/usr/obj/usr/src/sys/GENERIC i386
>Description:
I think the jexec command should be executed as a different user, just like what jail(8) does.
Also refer to http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/94730
>How-To-Repeat:
jexec cmd...
jexec -u|-U username cmd...
>Fix:
--- /usr/src/usr.sbin/jexec/jexec.c Sat Jul 5 03:14:27 2003 +++ jexec/jexec.c Sat Apr 15 01:12:12 2006
@@ -30,26 +30,84 @@ #include #include +#include +#include #include #include +#include #include static void usage(void); +#define GET_USER_INFO do { \ + pwd = getpwnam(username); \ + if (pwd == NULL) { \ + if (errno) \ + err(1, "getpwnam: %s", username); \ + else \ + errx(1, "%s: no such user", username); \ + } \ + lcap = login_getpwclass(pwd); \ + if (lcap == NULL) \ + err(1, "getpwclass: %s", username); \ + ngroups = NGROUPS; \ + if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) \ + err(1, "getgrouplist: %s", username); \ +} while (0) + int main(int argc, char *argv[]) { int jid; + login_cap_t *lcap = NULL; + struct passwd *pwd = NULL; + gid_t groups[NGROUPS]; + int ch, ngroups, uflag, Uflag; + char *username; + ch = uflag = Uflag = 0; + username = NULL; - if (argc < 3) + while ((ch = getopt(argc, argv, "u:U:")) != -1) { + switch (ch) { + case 'u': + username = optarg; + uflag = 1; + break; + case 'U': + username = optarg; + Uflag = 1; + break; + default: + usage(); + } + } + argc -= optind; + argv += optind; + if (argc < 2) + usage(); + if (uflag && Uflag) usage(); - jid = (int)strtol(argv[1], NULL, 10); + if (uflag) + GET_USER_INFO; + jid = (int)strtol(argv[0], NULL, 10); if (jail_attach(jid) == -1) err(1, "jail_attach(): %d", jid); if (chdir("/") == -1) err(1, "chdir(): /"); - if (execvp(argv[2], argv + 2) == -1) - err(1, "execvp(): %s", argv[2]); + if (username != NULL) { + if (Uflag) + GET_USER_INFO; + if (setgroups(ngroups, groups) != 0) + err(1, "setgroups"); + if (setgid(pwd->pw_gid) != 0) + err(1, "setgid"); + if (setusercontext(lcap, pwd, pwd->pw_uid, + LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0) + err(1, "setusercontext"); + login_close(lcap); + } + if (execvp(argv[1], argv + 1) == -1) + err(1, "execvp(): %s", argv[1]); exit(0); } 
@@ -57,6 +115,8 @@ usage(void) { - fprintf(stderr, "usage: jexec jid command [...]\n"); + fprintf(stderr, "%s%s\n", + "usage: jexec [-u username | -U username]", + " jid command [...]"); exit(1); } >Release-Note: >Audit-Trail: >Unformatted:
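Review bot: In the GET_USER_INFO macro of the main() hunk, errno is tested after getpwnam() returns NULL but is never cleared beforehand, so a stale errno left by an earlier call (on the -U path the lookup runs after jail_attach() and chdir("/")) turns a plain "no such user" into a misleading err(1, "getpwnam: %s", username); make `errno = 0;` the first statement of the macro. The privilege-drop order in the same hunk (setgroups(), setgid(), then setusercontext() with LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN, which performs the setuid) is correct, and deferring GET_USER_INFO until after jail_attach() when Uflag is set is what makes -U resolve the name against the jail's own passwd and login.conf, as jail(8) -U does; a one-line comment at `if (Uflag) GET_USER_INFO;` stating that the ordering is deliberate would stop the next reader from "fixing" it. Since LOGIN_SETALL includes LOGIN_SETPATH, note too that the following execvp(argv[1], argv + 1) searches the PATH of the target user's login class, not the invoker's.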
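Review bot: The usage() hunk advertises -u and -U, but the patch carries no change to jexec.8; the manual page should document both options with the same distinction jail(8) draws (-u looks the user up on the host, -U inside the jail). Minor style point on the same hunk: splitting the usage string into two literals joined by "%s%s" adds format-string indirection for no gain; adjacent string literals on two source lines concatenate on their own and read more easily.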