From nobody Tue Nov 18 16:24:46 2025
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 39ee24182b92 - main - rc.subr: Support setting the audit user when starting services
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 39ee24182b92114d006abc2b8095334a1d8a083c
Auto-Submitted: auto-generated
Date: Tue, 18 Nov 2025 16:24:46 +0000
Message-Id: <691c9dce.88ae.1f053f59@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=39ee24182b92114d006abc2b8095334a1d8a083c

commit 39ee24182b92114d006abc2b8095334a1d8a083c
Author:     Mark Johnston
AuthorDate: 2025-11-17 16:45:58 +0000
Commit:     Mark Johnston
CommitDate: 2025-11-18 16:24:21 +0000

    rc.subr: Support setting the audit user when starting services

    When an unprivileged user restarts a service using, e.g., sudo, the
    service runs with the audit user ID set to that of the unprivileged
    user. This can have surprising effects: for instance, a user that
    restarts a jail that is running sshd will end up with their UID attached
    to all audit logs associated with users who log in via that sshd
    instance. (sshd will set the audit user, but this is disallowed in jails
    by default.)

    Add support for rc.conf directives which cause rc to override the audit
    user. Specifically, make _audit_user=foo cause the audit user to be set
    to "foo" for service . A plain audit_user=foo directive causes all
    services to be started as foo.

    Note, like other similar rc features, this feature is limited to rc
    services which are run by executing a command. Shell functions can't be
    wrapped this way.
Reviewed by: 0mp MFC after: 2 weeks Sponsored by: Modirum MDPay Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D53747 --- libexec/rc/rc.subr | 18 +++++++++++++++++- share/man/man5/rc.conf.5 | 14 ++++++++++++-- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr index b0b255e8b6ff..5199a915297d 100644 --- a/libexec/rc/rc.subr +++ b/libexec/rc/rc.subr @@ -55,6 +55,7 @@ JAIL_CMD=/usr/sbin/jail _svcj_generic_params="path=/ mount.nodevfs host=inherit" JID=0 CPUSET="/bin/cpuset" +SETAUDIT="/usr/sbin/setaudit" # Cache the services that we loaded with load_rc_config. _loaded_services="" @@ -933,6 +934,9 @@ startmsg() # Meant to be used in /etc/rc.conf to override # ${command}. # +# ${name}_audit_user n Override the audit user for ${command}, +# specified as a user name or UID. +# # ${name}_chroot n Directory to chroot to before running ${command} # Requires /usr to be mounted. # @@ -1151,6 +1155,15 @@ run_rc_command() _cpusetcmd="$CPUSET -l $_cpuset" fi + eval _audit_user=\$${name}_audit_user + if [ -z "$_audit_user" -a -n "$audit_user" ]; then + _audit_user=$audit_user + fi + _setauditcmd= + if [ -n "$_audit_user" ]; then + _setauditcmd="setaudit -U -a $_audit_user" + fi + # If a specific jail has a specific svcj request, honor it (YES/NO). # If not (variable empty), evaluate the global svcj catch-all. # A global YES can be overriden by a specific NO, and a global NO is overriden @@ -1515,6 +1528,7 @@ run_rc_command() _doit="\ ${_nice:+nice -n $_nice }\ $_cpusetcmd \ +$_setauditcmd \ ${_fib:+setfib -F $_fib }\ ${_env:+env $_env }\ chroot ${_user:+-u $_user }${_group:+-g $_group }${_groups:+-G $_groups }\ 
@@ -1524,7 +1538,9 @@ $_chroot $command $rc_flags $command_args" _doit="\ ${_fib:+setfib -F $_fib }\ ${_env:+env $_env }\ -$_cpusetcmd $command $rc_flags $command_args" +$_cpusetcmd \ +$_setauditcmd \ +$command $rc_flags $command_args" if [ -n "$_user" ]; then _doit="su -m $_user -c 'sh -c \"$_doit\"'" fi diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 6274c1ee5b94..fa8d8aab8c4e 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd October 5, 2025 +.Dd November 14, 2025 .Dt RC.CONF 5 .Os .Sh NAME @@ -190,6 +190,17 @@ Setting this option will bypass that check at boot time and always test whether or not the service is actually running. Enabling this option is likely to increase your boot time if services are enabled that utilize the force_depend check. +.It Ao Ar name Ac Ns Va _audit_user +.Pq Vt str +A user name or UID to use as the +.Xr audit 4 +user for the service. +Run the chrooted service under this system group. +By default, when an unprvileged user restarts a service using a utility +such as sudo or doas, the service's will audit session will point to the +unprivileged user, which may be undesirable. +In that case, this variable can be used to override the audit user using +.Xr setaudit 8 . .It Ao Ar name Ac Ns Va _chroot .Pq Vt str .Xr chroot 8 @@ -209,7 +220,6 @@ The value to run the service under. .It Ao Ar name Ac Ns Va _group .Pq Vt str -Run the chrooted service under this system group. Unlike the .Ao Ar name Ac Ns Va _user setting, this setting has no effect if the service is not chrooted.
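Review bot: in the `run_rc_command()` hunk that builds `_setauditcmd` (`@@ -1151,6 +1155,15 @@`), the literal `setaudit` is used rather than the `$SETAUDIT` variable that the first hunk introduces as `SETAUDIT="/usr/sbin/setaudit"`, so that variable is defined but never referenced. The `_cpusetcmd="$CPUSET -l $_cpuset"` line immediately above shows the pattern the rest of the file follows; `_setauditcmd="$SETAUDIT -U -a $_audit_user"` would make the two consistent and give the setaudit path the same override point as the other wrapper binaries.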
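Review bot: in the non-chroot hunk (`@@ -1524,7 +1538,9 @@`), `$_setauditcmd` is spliced into `_doit` before the existing `if [ -n "$_user" ]; then _doit="su -m $_user -c 'sh -c \"$_doit\"'"` wrapper, so when `${name}_user` is set the `setaudit` call only runs after `su` has already switched to that unprivileged user. The chrooted path in the preceding hunk behaves differently: there `$_setauditcmd` precedes `chroot -u $_user`, so `setaudit` runs with the caller's (root) privileges. Please either confirm that `setaudit -U -a` is permitted for an unprivileged user, or apply the wrapper outside the `su` command so both paths set the audit user at the same privilege level.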
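Review bot: the new `_audit_user` entry in rc.conf.5 (`@@ -190,6 +190,17 @@`) contains the stray sentence `Run the chrooted service under this system group.`, which describes `_group`, not the audit user, and the final hunk deletes that same sentence from the `_group` entry, so this reads as an accidental move rather than an intended copy; drop it from this paragraph. The paragraph also has two typos: `unprvileged` should be `unprivileged`, and `the service's will audit session will point to` should read `the service's audit session will point to`.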
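Review bot: the last hunk (`@@ -209,7 +220,6 @@`) removes `Run the chrooted service under this system group.` from the `_group` entry, leaving only `Unlike the ... _user setting, this setting has no effect if the service is not chrooted.`, which no longer states what the variable does; restore the sentence here so the entry keeps its description.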
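The precedence the commit message describes (per-service `<name>_audit_user` wins, a plain `audit_user` is the fallback for every service) can be checked outside of rc itself. The following is an added example, not FreeBSD's rc.subr: it mirrors that resolution in plain POSIX sh and builds the `setaudit -U -a` prefix the patch prepends to `${command}`, using constructed rc.conf-style variables rather than a real rc.conf; the identifier check on the service name is an extra defensive step of this example.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc.subr): mirror the audit-user precedence
# described in the commit so it can be checked without running rc.
# Assumed convention: ${name}_audit_user overrides the global audit_user.

# Print the audit user that would apply to service "$1" (empty if none).
resolve_audit_user() {
	_name=$1
	# Defensive: only a plain identifier may be spliced into eval.
	case $_name in
	''|*[!A-Za-z0-9_]*) echo "bad service name: $_name" >&2; return 1 ;;
	esac
	eval _u=\${${_name}_audit_user}
	if [ -z "$_u" ] && [ -n "$audit_user" ]; then
		_u=$audit_user      # per-service value unset or empty: use global
	fi
	printf '%s\n' "$_u"
}

# Print the wrapper prefix rc would prepend to ${command}, or an empty line.
# setaudit(8) is the FreeBSD utility the commit names; flags as in the patch.
audit_wrapper() {
	_u=$(resolve_audit_user "$1") || return 1
	if [ -n "$_u" ]; then
		printf 'setaudit -U -a %s\n' "$_u"
	else
		printf '\n'
	fi
}

# Demo with constructed settings (not taken from a real rc.conf).
audit_user=root          # global default for every service
sshd_audit_user=         # empty per-service value: falls back to global
ntpd_audit_user=ntpd     # explicit per-service override
unset nginx_audit_user
echo "sshd:  $(audit_wrapper sshd)"
echo "ntpd:  $(audit_wrapper ntpd)"
unset audit_user
echo "nginx (nothing set): '$(audit_wrapper nginx)'"
```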