login -f changing session getlogin(2)

Thu Oct 1 18:59:00 UTC 2015

This issue has bothered me forever.

As root running 'login -f someuser' and then exit, logname(1) and
getlogin(2) will forever return that user's name, rather than root.

The issue is that login(1) uses setlogin(2) without ever restoring the
login from the parent when it exits.

This is easily fixed by something like:

Index: usr.bin/login/login.c
===================================================================

--- usr.bin/login/login.c     (revision 288456)
+++ usr.bin/login/login.c     (working copy)
@@ -166,6 +166,7 @@
        gid_t egid;
        char *term;
        char *p, *ttyn;
+       char oldlogname[MAXLOGNAME];
        char tname[sizeof(_PATH_TTY) + 10];
        char *arg0;
        const char *tp;
@@ -545,6 +546,9 @@
        }
        pam_session_established = 1;

+       if (getlogin_r(oldlogname, sizeof(oldlogname)) != 0)
+               oldlogname[0] = '\0';
+
        /*
         * We must fork() before setuid() because we need to call
         * pam_close_session() as root.
@@ -567,6 +571,8 @@
                (void)sigprocmask(SIG_SETMASK, &omask, NULL);
                waitpid(pid, &status, 0);
                (void)sigprocmask(SIG_BLOCK, &mask, NULL);
+               if (oldlogname[0] != '\0')
+                       setlogin(oldlogname);
                bail(NO_SLEEP_EXIT, 0);
        }


I'm not sure this is the right way though.

My initial instinct was to use setsid(2) in the child but that clobbers
the terminal.

It makes me wonder if there's bigger architectural issues here that need
addressing with session and login. Perhaps login -f is just a special
case though.

Thanks,
Bryan Drewery

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20151001/f3b49d5d/attachment.bin>
