From owner-freebsd-emulation Tue Apr 24 6:48:37 2001
Delivered-To: freebsd-emulation@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4F78137B43C; Tue, 24 Apr 2001 06:48:35 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.3/8.11.3) with SMTP id f3ODn5f15358;
	Tue, 24 Apr 2001 09:49:06 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Tue, 24 Apr 2001 09:49:05 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: marcel@FreeBSD.org
Cc: emulation@FreeBSD.org
Subject: initgroups() change for Linux emulator
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-emulation@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In order to get Linux su working under jail(), I had to apply the attached
patch. This problem was originally pointed out by Attila Nagy, who observed
that su failed with a permission warning in jail() when running with a
Debian environment. I'm not sure what unfortunate side effects this change
might have, but I'm very interested by the possibility of executing a full
Linux environment under jail(), so I'll keep trying and fixing problems as
we identify them.

The fix simply converts a suser() call to a suser_xxx() call for
initgroups, to allow appropriately privileged Linux ABI processes to change
their groups in a jail(). Providing compatibility for capabilities will be
a lot harder...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

Index: linux_misc.c =================================================================== RCS file: /home/ncvs/src/sys/compat/linux/linux_misc.c,v retrieving revision 1.98 diff -u -r1.98 linux_misc.c --- linux_misc.c 2001/04/01 06:37:40 1.98 +++ linux_misc.c 2001/04/23 17:59:53 
@@ -969,7 +969,7 @@ * Keep cr_groups[0] unchanged to prevent that. */ - if ((error = suser(p)) != 0) + if ((error = suser_xxx(NULL, p, PRISON_ROOT)) != 0) return (error); if (ngrp >= NGROUPS)
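
Review bot: the PRISON_ROOT flag on the replaced suser() check is a deliberate widening of who may set groups, but nothing at the call site records that; the comment just above it only explains why cr_groups[0] is kept unchanged. Please extend that comment to say that root inside a jail is intentionally allowed to pass this check, so a later reader does not "fix" it back to suser(p). Since the message says the side effects are not yet known, it would also help to state in the commit message whether the native group-setting path makes the same allowance, so the Linux ABI entry point is not more permissive inside a jail than the FreeBSD one.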
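
A user-space model of the privilege check the message describes, as an added example that is not part of the original mail or the FreeBSD source: the struct names, the `jailed` field, the constant values, the EINVAL result and the treatment of plain suser() as "no flag" are assumptions made for illustration. It shows root in a jail failing the old check and passing once PRISON_ROOT is supplied, while a non-root caller fails either way.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#define PRISON_ROOT 1	/* constructed flag value for this model */
#define NGROUPS     16	/* constructed limit for this model */

struct model_cred { unsigned cr_uid; };
struct model_proc { struct model_cred *cred; int jailed; };	/* hypothetical */

/* uid 0 is required; a jailed process passes only if PRISON_ROOT is set. */
static int model_suser_xxx(struct model_cred *cred, struct model_proc *p, int flag)
{
	if (cred == NULL && p == NULL)
		return (EPERM);
	if (cred == NULL)
		cred = p->cred;
	if (cred->cr_uid != 0)
		return (EPERM);
	if (p != NULL && p->jailed && !(flag & PRISON_ROOT))
		return (EPERM);
	return (0);
}

/* Gate before the group change: patched=0 models suser(p) as "no flag". */
static int model_setgroups_gate(struct model_proc *p, int ngrp, int patched)
{
	int error = model_suser_xxx(NULL, p, patched ? PRISON_ROOT : 0);
	if (error != 0)
		return (error);
	if (ngrp >= NGROUPS)
		return (EINVAL);	/* assumed result; the hunk cuts off here */
	return (0);
}

/* Build a process with the given uid and jail state and run the gate. */
static int gate(unsigned uid, int jailed, int ngrp, int patched)
{
	struct model_cred c = { uid };
	struct model_proc p = { &c, jailed };
	return (model_setgroups_gate(&p, ngrp, patched));
}

int main(void)
{
	printf("jailed root, old check: %d\n", gate(0, 1, 3, 0));
	printf("jailed root, new check: %d\n", gate(0, 1, 3, 1));
	printf("jailed uid 1000, new check: %d\n", gate(1000, 1, 3, 1));
	return (0);
}
```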