From owner-freebsd-hackers Wed May 21 18:25:01 1997
Return-Path:
Received: (from root@localhost)
	by hub.freebsd.org (8.8.5/8.8.5) id SAA20740
	for hackers-outgoing; Wed, 21 May 1997 18:25:01 -0700 (PDT)
Received: from jocki.domestic.de (kuebart.stuttgart.netsurf.de [194.233.216.182])
	by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA20698
	for ; Wed, 21 May 1997 18:24:47 -0700 (PDT)
Received: (from joki@localhost)
	by jocki.domestic.de (8.8.5/8.8.5) id DAA00519
	for hackers@freebsd.org; Thu, 22 May 1997 03:24:33 +0200 (CEST)
Message-ID:
X-Mailer: XFMail 1.0 [p0] on FreeBSD
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="_=XFMail.1.0.p0.FreeBSD:970522011654:232=_"
In-Reply-To: <199705210715.AAA04019@dog.farm.org>
Date: Wed, 21 May 1997 10:39:37 +0200 (CEST)
From: Joachim Kuebart
To: hackers@freebsd.org
Subject: Re: xdm and login.conf
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This message is in MIME format
--_=XFMail.1.0.p0.FreeBSD:970522011654:232=_
Content-Type: text/plain; charset=iso-8859-1

Hi!

OK, attached you find a source and a Makefile for my setusercontext proggy.
You only have to set up an Xsession file (shown below) and make xdm use it by
setting the "session" resource in /usr/X11R6/lib/X11/xdm/xdm-config correctly.

Comments on the "ugliness" are very welcome. This is my first contribution!

SECURITY NOTICE:
This program represents a _major_ security hazard. Users can use it to change
to any uid and gid by setting the environment variable "USER" prior to running
the program. This includes root access. I found no other way of accomplishing
the task without use of setuid/setgid bits. Use is therefore restricted to
desktop installations. It is not fit to be included in the ports tree in this
form.

On 21-May-97 at 07:15:38 Dmitry Kohmanyuk wrote:
>In article you wrote:
>
>> Hey guys, you're too slow. I solved the problem (for me) by calling
>> setusercontext from the global Xsession. All programs of a session are children
>> to this process (I hope!). In order to call setusercontext I wrote a small C
>> program which is available from me.
>
>> For those who are interested:
>> setusercontext.c calls setusercontext() to get the same permissions and limits
>> and environment variables as the user needs. It then execve()'s a shell
>> (/bin/sh) with those privileges. This shell is the shell that xdm uses to run
>> Xsession. When the shell terminates, the session is finished.
>
>ehm, how about posting the source to the list? please! (I know it's trivial,
>but anyway. And it can be made a package..)
>
>> In order to do this with the least possible overhead I have set the interpreter
>> for Xsession to setusercontext, i.e.:
>
>> /usr/X11R6/lib/X11/xdm/Xsession:
>> #!/usr/local/bin/setusercontext
>> #
>> # Rest of Xsession follows
>
>that's a real win.

cu Jo

---------------------------------------------------------------------
FreeBSD - top breeders recommend it
Joachim Kuebart
Tel: +49 711 653706
Germany

--_=XFMail.1.0.p0.FreeBSD:970522011654:232=_
Content-Type: text/plain; charset=us-ascii; name=setusercontext.c; SizeOnDisk=1405
Content-Description: setusercontext.c
Content-Transfer-Encoding: none
Content-Disposition: attachment; filename="setusercontext.c"

/*
 * Program to set the user context according to the user's login class
 * from /etc/login.conf.
 * This program runs a subshell in the user's class context.
 *
 * The standard FreeBSD 2.2.2 or later login(1) does this automatically;
 * xdm, for example, doesn't, and this is where this program comes in :-)
 *
 */

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <login_cap.h>

extern char **environ;

int main(int argc, char *argv[])
{
	char *login;
	struct passwd *pwent;
	char **execargv;
	int i;

	/*
	 * Get passwd struct by evaluating USER env. variable.
	 * USER is set by the caller; this is the hazard described in the
	 * security notice of the message.
	 */
	if ((login = getenv("USER")) == NULL) {
		fprintf(stderr, "%s: Can't determine user's login name\n", argv[0]);
		return 1;
	}
	if ((pwent = getpwnam(login)) == NULL) {
		fprintf(stderr, "%s: Can't get user's passwd entry\n", argv[0]);
		return 1;
	}

	/*
	 * Call setusercontext() to set user's context.
	 */
	if (setusercontext(NULL, pwent, pwent->pw_uid, LOGIN_SETALL) != 0) {
		fprintf(stderr, "%s: Can't set user's context\n", argv[0]);
		return 1;
	}

	if ((execargv = malloc((argc+1) * sizeof(char*))) == NULL) {
		fprintf(stderr, "%s: Can't start subshell\n", argv[0]);
		return 1;
	}

	/*
	 * Execute the subshell
	 */
	execargv[0] = "sh";
	/*
	 * The archived copy breaks off after "for (i=1; i"; the rest of the
	 * function is reconstructed from the message text (execve() of
	 * /bin/sh with the program's arguments).
	 */
	for (i=1; i<argc; i++)
		execargv[i] = argv[i];
	execargv[argc] = NULL;
	execve("/bin/sh", execargv, environ);

	/* execve() only returns on failure */
	return 1;
}

--_=XFMail.1.0.p0.FreeBSD:970522011654:232=_--
End of MIME message
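
The hazard in the SECURITY NOTICE comes from selecting the account with getenv("USER"). As an added example (not part of the original message or its attachment), the program below selects the account from the real uid instead. It assumes the helper is installed setuid root and that xdm starts Xsession under the logged-in user's uid; invoking_user is a hypothetical helper name, and the setusercontext() call is compiled only on FreeBSD.

```c
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <login_cap.h>		/* setusercontext(); link with -lutil */
#endif

/*
 * Return the passwd entry for real uid `ruid`, or NULL if there is none.
 * `env_user` (the caller-controlled $USER) is only compared, to report a
 * mismatch in *mismatch; it never selects the account.
 * invoking_user is a hypothetical helper name.
 */
struct passwd *
invoking_user(uid_t ruid, const char *env_user, int *mismatch)
{
	struct passwd *pw = getpwuid(ruid);

	if (pw == NULL)
		return NULL;
	*mismatch = (env_user != NULL && strcmp(env_user, pw->pw_name) != 0);
	return pw;
}

int
main(int argc, char *argv[])
{
	int mismatch = 0;
	struct passwd *pw = invoking_user(getuid(), getenv("USER"), &mismatch);

	if (pw == NULL) {
		fprintf(stderr, "%s: no passwd entry for real uid\n", argv[0]);
		return 1;
	}
	if (mismatch)
		fprintf(stderr, "%s: ignoring USER, using %s\n", argv[0], pw->pw_name);
#ifdef __FreeBSD__
	if (setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL) != 0) {
		fprintf(stderr, "%s: can't set user's context\n", argv[0]);
		return 1;
	}
#endif
	argv[0] = "sh";			/* argv[argc] is already NULL */
	execv("/bin/sh", argv);
	return 1;			/* execv() only returns on failure */
}
```

When several login names share one uid, getpwuid() returns only one of them, so the mismatch message can also appear for a legitimate login.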