Attachment 158629 Details for Bug 201300 – alternate patch, including -l option

[patch] alternate patch, including -l option

jexec.diff (text/plain), 5.60 KB, created by Jamie Gritton on 2015-07-11 22:00:37 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jamie Gritton

Created: 2015-07-11 22:00:37 UTC

Size: 5.60 KB

patch

obsolete

>Index: usr.sbin/jexec/jexec.8
>===================================================================
>--- usr.sbin/jexec/jexec.8	(revision 285404)
>+++ usr.sbin/jexec/jexec.8	(working copy)
>@@ -25,7 +25,7 @@
> .\"
> .\" $FreeBSD$
> .\"
>-.Dd May 27, 2009
>+.Dd Jul 11, 2015
> .Dt JEXEC 8
> .Os
> .Sh NAME
>@@ -33,8 +33,9 @@
> .Nd "execute a command inside an existing jail"
> .Sh SYNOPSIS
> .Nm
>+.Op Fl l
> .Op Fl u Ar username | Fl U Ar username
>-.Ar jail command ...
>+.Ar jail Op Ar command ...
> .Sh DESCRIPTION
> The
> .Nm
>@@ -43,9 +44,17 @@
> inside the
> .Ar jail
> identified by its jid or name.
>+If
>+.Ar command
>+is not specified then the user's shell is used.
> .Pp
> The following options are available:
> .Bl -tag -width indent
>+.It Fl l
>+Execute in a clean environment.
>+The environment is discarded except for
>+.Ev HOME , SHELL , TERM , USER
>+and anything from the login class capability database for the user.
> .It Fl u Ar username
> The user name from host environment as whom the
> .Ar command
>Index: usr.sbin/jexec/jexec.c
>===================================================================
>--- usr.sbin/jexec/jexec.c	(revision 285404)
>+++ usr.sbin/jexec/jexec.c	(working copy)
>@@ -40,49 +40,37 @@
> #include <jail.h>
> #include <limits.h>
> #include <login_cap.h>
>+#include <paths.h>
>+#include <pwd.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>-#include <pwd.h>
> #include <unistd.h>
> 
>+extern char **environ;
>+
>+static void	get_user_info(const char *username, const struct passwd **pwdp,
>+    login_cap_t **lcapp);
> static void	usage(void);
> 
>-#define GET_USER_INFO do {						\
>-	pwd = getpwnam(username);					\
>-	if (pwd == NULL) {						\
>-		if (errno)						\
>-			err(1, "getpwnam: %s", username);		\
>-		else							\
>-			errx(1, "%s: no such user", username);		\
>-	}								\
>-	lcap = login_getpwclass(pwd);					\
>-	if (lcap == NULL)						\
>-		err(1, "getpwclass: %s", username);			\
>-	ngroups = ngroups_max;						\
>-	if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0)	\
>-		err(1, "getgrouplist: %s", username);			\
>-} while (0)
>-
> int
> main(int argc, char *argv[])
> {
> 	int jid;
> 	login_cap_t *lcap = NULL;
>-	struct passwd *pwd = NULL;
>-	gid_t *groups = NULL;
>-	int ch, ngroups, uflag, Uflag;
>-	long ngroups_max;
>-	char *username;
>+	int ch, clean, uflag, Uflag;
>+	char *cleanenv;
>+	const struct passwd *pwd = NULL;
>+	const char *username, *shell, *term;
> 
>-	ch = uflag = Uflag = 0;
>+	ch = clean = uflag = Uflag = 0;
> 	username = NULL;
>-	ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;
>-	if ((groups = malloc(sizeof(gid_t) * ngroups_max)) == NULL)
>-		err(1, "malloc");
> 
>-	while ((ch = getopt(argc, argv, "nu:U:")) != -1) {
>+	while ((ch = getopt(argc, argv, "lnu:U:")) != -1) {
> 		switch (ch) {
>+		case 'l':
>+			clean = 1;
>+			break;
> 		case 'n':
> 			/* Specified name, now unused */
> 			break;
>@@ -100,12 +88,15 @@
> 	}
> 	argc -= optind;
> 	argv += optind;
>-	if (argc < 2)
>+	if (argc < 1)
> 		usage();
> 	if (uflag && Uflag)
> 		usage();
>-	if (uflag)
>-		GET_USER_INFO;
>+	if (uflag || (clean && !Uflag))
>+		/* User info from the home environment */
>+		get_user_info(username, &pwd, &lcap);
>+
>+	/* Attach to the jail */
> 	jid = jail_getid(argv[0]);
> 	if (jid < 0)
> 		errx(1, "%s", jail_errmsg);
>@@ -113,28 +104,88 @@
> 		err(1, "jail_attach(%d)", jid);
> 	if (chdir("/") == -1)
> 		err(1, "chdir(): /");
>-	if (username != NULL) {
>+
>+	/* Set up user environment */
>+	if (clean || username != NULL) {
> 		if (Uflag)
>-			GET_USER_INFO;
>-		if (setgroups(ngroups, groups) != 0)
>-			err(1, "setgroups");
>+			/* User info from the jail environment */
>+			get_user_info(username, &pwd, &lcap);
>+		if (clean) {
>+			term = getenv("TERM");
>+			cleanenv = NULL;
>+			environ = &cleanenv;
>+			setenv("PATH", "/bin:/usr/bin", 1);
>+			if (term != NULL)
>+				setenv("TERM", term, 1);
>+		}
> 		if (setgid(pwd->pw_gid) != 0)
> 			err(1, "setgid");
>-		if (setusercontext(lcap, pwd, pwd->pw_uid,
>-		    LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0)
>+		if (setusercontext(lcap, pwd, pwd->pw_uid, username
>+		    ? LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN
>+		    : LOGIN_SETPATH | LOGIN_SETENV) != 0)
> 			err(1, "setusercontext");
> 		login_close(lcap);
>+		setenv("USER", pwd->pw_name, 1);
>+		setenv("HOME", pwd->pw_dir, 1);
>+		setenv("SHELL",
>+		    *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1);
>+		if (clean && chdir(pwd->pw_dir) < 0)
>+			err(1, "chdir: %s", pwd->pw_dir);
>+		endpwent();
> 	}
>-	if (execvp(argv[1], argv + 1) == -1)
>-		err(1, "execvp(): %s", argv[1]);
>+
>+	/* Run the specified command, or the shell */
>+	if (argc > 1) {
>+		if (execvp(argv[1], argv + 1) < 0)
>+			err(1, "execvp: %s", argv[1]);
>+	} else {
>+		if (!(shell = getenv("SHELL")))
>+			shell = _PATH_BSHELL;
>+		if (execlp(shell, shell, "-i", NULL) < 0)
>+			err(1, "execlp: %s", shell);
>+	}
> 	exit(0);
> }
> 
> static void
>+get_user_info(const char *username, const struct passwd **pwdp,
>+    login_cap_t **lcapp)
>+{
>+	uid_t uid;
>+	const struct passwd *pwd;
>+
>+	errno = 0;
>+	if (username) {
>+		pwd = getpwnam(username);
>+		if (pwd == NULL) {
>+			if (errno)
>+				err(1, "getpwnam: %s", username);
>+			else
>+				errx(1, "%s: no such user", username);
>+		}
>+	} else {
>+		uid = getuid();
>+		pwd = getpwuid(uid);
>+		if (pwd == NULL) {
>+			if (errno)
>+				err(1, "getpwuid: %d", uid);
>+			else
>+				errx(1, "unknown uid: %d", uid);
>+		}
>+	}
>+	*pwdp = pwd;
>+	*lcapp = login_getpwclass(pwd);
>+	if (*lcapp == NULL)
>+		err(1, "getpwclass: %s", pwd->pw_name);
>+	if (initgroups(pwd->pw_name, pwd->pw_gid) < 0)
>+		err(1, "initgroups: %s", pwd->pw_name);
>+}
>+
>+static void
> usage(void)
> {
> 
> 	fprintf(stderr, "%s\n",
>-		"usage: jexec [-u username | -U username] jail command ...");
>+	    "usage: jexec [-l] [-u username | -U username] jail [command ...]");
> 	exit(1); 
> }

Actions: View | Diff

Attachments on bug 201300: 158277 | 158629