bin/67262: jail improvement: run command as user which exists only
in jail
Dmitry Sivachenko
mitya at demos.su
Thu May 27 11:02:03 PDT 2004
>Number: 67262
>Category: bin
>Synopsis: jail improvement: run command as user which exists only in jail
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 27 11:00:41 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Sivachenko
>Release: FreeBSD 5.2-CURRENT i386
>Organization:
>Environment:
System: FreeBSD tear.demos.su 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Tue May 11 18:42:38 MSD 2004 mitya at tear.demos.su:/usr/obj/usr/src/sys/TEAR i386
>Description:
Currently '-u' option to jail(8) can be used to run a command under specific
user credentials. This particular user must exist in the host environment.
I propose a new '-U' option to specify a user which exists only in jailed
environment and not in the host system.
>How-To-Repeat:
>Fix:
Index: jail.8
===================================================================
RCS file: /home/ncvs/src/usr.sbin/jail/jail.8,v
retrieving revision 1.52
diff -u -r1.52 jail.8
--- jail.8 20 May 2004 06:37:44 -0000 1.52
+++ jail.8 27 May 2004 17:44:33 -0000
@@ -42,7 +42,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl i
-.Op Fl u Ar username
+.Op Fl u Ar username | Fl U Ar username
.Ar path hostname ip-number command ...
.Sh DESCRIPTION
The
@@ -54,7 +54,11 @@
.It Fl i
Output the jail identifier of the newly created jail.
.It Fl u Ar username
-The user name as whom the
+The user name from host environment as whom the
+.Ar command
+should run.
+.It Fl U Ar username
+The user name from jailed environment as whom the
.Ar command
should run.
.It Ar path
Index: jail.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/jail/jail.c,v
retrieving revision 1.14
diff -u -r1.14 jail.c
--- jail.c 6 Jul 2003 12:44:11 -0000 1.14
+++ jail.c 27 May 2004 17:44:33 -0000
@@ -27,6 +27,17 @@
static void usage(void);
+#define GET_USER_INFO \
+ pwd = getpwnam(username); \
+ if (pwd == NULL) \
+ err(1, "getpwnam: %s", username); \
+ lcap = login_getpwclass(pwd); \
+ if (lcap == NULL) \
+ err(1, "getpwclass: %s", username); \
+ ngroups = NGROUPS; \
+ if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) \
+ err(1, "getgrouplist: %s", username);
+
int
main(int argc, char **argv)
{
@@ -34,19 +45,28 @@
struct jail j;
struct passwd *pwd;
struct in_addr in;
- int ch, groups[NGROUPS], i, iflag, ngroups;
+ int ch, groups[NGROUPS], i, iflag, uflag, Uflag, ngroups;
char *username;
- iflag = 0;
+ iflag = uflag = Uflag = 0;
username = NULL;
- while ((ch = getopt(argc, argv, "iu:")) != -1) {
+ while ((ch = getopt(argc, argv, "iu:U:")) != -1) {
switch (ch) {
case 'i':
iflag = 1;
break;
case 'u':
+ if (Uflag)
+ usage();
+ username = optarg;
+ uflag = 1;
+ break;
+ case 'U':
+ if (uflag)
+ usage();
username = optarg;
+ Uflag = 1;
break;
default:
usage();
@@ -57,16 +77,8 @@
if (argc < 4)
usage();
- if (username != NULL) {
- pwd = getpwnam(username);
- if (pwd == NULL)
- err(1, "getpwnam: %s", username);
- lcap = login_getpwclass(pwd);
- if (lcap == NULL)
- err(1, "getpwclass: %s", username);
- ngroups = NGROUPS;
- if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0)
- err(1, "getgrouplist: %s", username);
+ if (uflag) {
+ GET_USER_INFO
}
if (chdir(argv[0]) != 0)
err(1, "chdir: %s", argv[0]);
@@ -85,6 +97,9 @@
fflush(stdout);
}
if (username != NULL) {
+ if (Uflag) {
+ GET_USER_INFO
+ }
if (setgroups(ngroups, groups) != 0)
err(1, "setgroups");
if (setgid(pwd->pw_gid) != 0)
@@ -104,6 +119,6 @@
{
(void)fprintf(stderr,
- "usage: jail [-i] [-u username] path hostname ip-number command ...\n");
+ "usage: jail [-i] [-u username | -U username] path hostname ip-number command ...\n");
exit(1);
}
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list