From owner-svn-src-stable@freebsd.org Thu Jul 30 04:53:55 2015 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0D9289AD17E; Thu, 30 Jul 2015 04:53:55 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F117B1F30; Thu, 30 Jul 2015 04:53:54 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t6U4rseh033497; Thu, 30 Jul 2015 04:53:54 GMT (envelope-from jamie@FreeBSD.org) Received: (from jamie@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t6U4rsLf033495; Thu, 30 Jul 2015 04:53:54 GMT (envelope-from jamie@FreeBSD.org) Message-Id: <201507300453.t6U4rsLf033495@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jamie set sender to jamie@FreeBSD.org using -f From: Jamie Gritton Date: Thu, 30 Jul 2015 04:53:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r286064 - stable/10/usr.sbin/jexec X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jul 2015 04:53:55 -0000 Author: jamie Date: Thu Jul 30 04:53:53 2015 New Revision: 286064 URL: https://svnweb.freebsd.org/changeset/base/286064 Log: MFC r285420: Run a shell in the jail when no command is specified. Add a new flag, -l, for a clean environment, same as jail(8) exec.clean. Change the GET_USER_INFO macro into a function. PR: 201300 Submitted by: Willem Jan Withagen Modified: stable/10/usr.sbin/jexec/jexec.8 stable/10/usr.sbin/jexec/jexec.c Directory Properties: stable/10/ (props changed) Modified: stable/10/usr.sbin/jexec/jexec.8 ============================================================================== --- stable/10/usr.sbin/jexec/jexec.8 Thu Jul 30 04:01:00 2015 (r286063) +++ stable/10/usr.sbin/jexec/jexec.8 Thu Jul 30 04:53:53 2015 (r286064) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 27, 2009 +.Dd Jul 11, 2015 .Dt JEXEC 8 .Os .Sh NAME @@ -33,8 +33,9 @@ .Nd "execute a command inside an existing jail" .Sh SYNOPSIS .Nm +.Op Fl l .Op Fl u Ar username | Fl U Ar username -.Ar jail command ... +.Ar jail Op Ar command ... .Sh DESCRIPTION The .Nm @@ -43,9 +44,17 @@ utility executes inside the .Ar jail identified by its jid or name. +If +.Ar command +is not specified then the user's shell is used. .Pp The following options are available: .Bl -tag -width indent +.It Fl l +Execute in a clean environment. +The environment is discarded except for +.Ev HOME , SHELL , TERM , USER , +and anything from the login class capability database for the user. .It Fl u Ar username The user name from host environment as whom the .Ar command Modified: stable/10/usr.sbin/jexec/jexec.c ============================================================================== --- stable/10/usr.sbin/jexec/jexec.c Thu Jul 30 04:01:00 2015 (r286063) +++ stable/10/usr.sbin/jexec/jexec.c Thu Jul 30 04:53:53 2015 (r286064) @@ -40,49 +40,37 @@ #include #include #include +#include +#include #include #include #include -#include #include -static void usage(void); +extern char **environ; -#define GET_USER_INFO do { \ - pwd = getpwnam(username); \ - if (pwd == NULL) { \ - if (errno) \ - err(1, "getpwnam: %s", username); \ - else \ - errx(1, "%s: no such user", username); \ - } \ - lcap = login_getpwclass(pwd); \ - if (lcap == NULL) \ - err(1, "getpwclass: %s", username); \ - ngroups = ngroups_max; \ - if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) \ - err(1, "getgrouplist: %s", username); \ -} while (0) +static void get_user_info(const char *username, const struct passwd **pwdp, + login_cap_t **lcapp); +static void usage(void); int main(int argc, char *argv[]) { int jid; login_cap_t *lcap = NULL; - struct passwd *pwd = NULL; - gid_t *groups = NULL; - int ch, ngroups, uflag, Uflag; - long ngroups_max; - char *username; + int ch, clean, uflag, Uflag; + char *cleanenv; + const struct passwd *pwd = NULL; + const char *username, *shell, *term; - ch = uflag = Uflag = 0; + ch = clean = uflag = Uflag = 0; username = NULL; - ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1; - if ((groups = malloc(sizeof(gid_t) * ngroups_max)) == NULL) - err(1, "malloc"); - while ((ch = getopt(argc, argv, "nu:U:")) != -1) { + while ((ch = getopt(argc, argv, "lnu:U:")) != -1) { switch (ch) { + case 'l': + clean = 1; + break; case 'n': /* Specified name, now unused */ break; @@ -100,12 +88,15 @@ main(int argc, char *argv[]) } argc -= optind; argv += optind; - if (argc < 2) + if (argc < 1) usage(); if (uflag && Uflag) usage(); - if (uflag) - GET_USER_INFO; + if (uflag || (clean && !Uflag)) + /* User info from the home environment */ + get_user_info(username, &pwd, &lcap); + + /* Attach to the jail */ jid = jail_getid(argv[0]); if (jid < 0) errx(1, "%s", jail_errmsg); @@ -113,28 +104,88 @@ main(int argc, char *argv[]) err(1, "jail_attach(%d)", jid); if (chdir("/") == -1) err(1, "chdir(): /"); - if (username != NULL) { + + /* Set up user environment */ + if (clean || username != NULL) { if (Uflag) - GET_USER_INFO; - if (setgroups(ngroups, groups) != 0) - err(1, "setgroups"); + /* User info from the jail environment */ + get_user_info(username, &pwd, &lcap); + if (clean) { + term = getenv("TERM"); + cleanenv = NULL; + environ = &cleanenv; + setenv("PATH", "/bin:/usr/bin", 1); + if (term != NULL) + setenv("TERM", term, 1); + } if (setgid(pwd->pw_gid) != 0) err(1, "setgid"); - if (setusercontext(lcap, pwd, pwd->pw_uid, - LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0) + if (setusercontext(lcap, pwd, pwd->pw_uid, username + ? LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN + : LOGIN_SETPATH | LOGIN_SETENV) != 0) err(1, "setusercontext"); login_close(lcap); + setenv("USER", pwd->pw_name, 1); + setenv("HOME", pwd->pw_dir, 1); + setenv("SHELL", + *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1); + if (clean && chdir(pwd->pw_dir) < 0) + err(1, "chdir: %s", pwd->pw_dir); + endpwent(); + } + + /* Run the specified command, or the shell */ + if (argc > 1) { + if (execvp(argv[1], argv + 1) < 0) + err(1, "execvp: %s", argv[1]); + } else { + if (!(shell = getenv("SHELL"))) + shell = _PATH_BSHELL; + if (execlp(shell, shell, "-i", NULL) < 0) + err(1, "execlp: %s", shell); } - if (execvp(argv[1], argv + 1) == -1) - err(1, "execvp(): %s", argv[1]); exit(0); } static void +get_user_info(const char *username, const struct passwd **pwdp, + login_cap_t **lcapp) +{ + uid_t uid; + const struct passwd *pwd; + + errno = 0; + if (username) { + pwd = getpwnam(username); + if (pwd == NULL) { + if (errno) + err(1, "getpwnam: %s", username); + else + errx(1, "%s: no such user", username); + } + } else { + uid = getuid(); + pwd = getpwuid(uid); + if (pwd == NULL) { + if (errno) + err(1, "getpwuid: %d", uid); + else + errx(1, "unknown uid: %d", uid); + } + } + *pwdp = pwd; + *lcapp = login_getpwclass(pwd); + if (*lcapp == NULL) + err(1, "getpwclass: %s", pwd->pw_name); + if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) + err(1, "initgroups: %s", pwd->pw_name); +} + +static void usage(void) { fprintf(stderr, "%s\n", - "usage: jexec [-u username | -U username] jail command ..."); + "usage: jexec [-l] [-u username | -U username] jail [command ...]"); exit(1); }