FreeBSD Bugzilla – Attachment 158629 Details for
Bug 201300
Let jexec execute shell if no command is issued.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
alternate patch, including -l option
jexec.diff (text/plain), 5.60 KB, created by
Jamie Gritton
on 2015-07-11 22:00:37 UTC
(
hide
)
Description:
alternate patch, including -l option
Filename:
MIME Type:
Creator:
Jamie Gritton
Created:
2015-07-11 22:00:37 UTC
Size:
5.60 KB
patch
obsolete
>Index: usr.sbin/jexec/jexec.8 >=================================================================== >--- usr.sbin/jexec/jexec.8 (revision 285404) >+++ usr.sbin/jexec/jexec.8 (working copy) >@@ -25,7 +25,7 @@ > .\" > .\" $FreeBSD$ > .\" >-.Dd May 27, 2009 >+.Dd Jul 11, 2015 > .Dt JEXEC 8 > .Os > .Sh NAME >@@ -33,8 +33,9 @@ > .Nd "execute a command inside an existing jail" > .Sh SYNOPSIS > .Nm >+.Op Fl l > .Op Fl u Ar username | Fl U Ar username >-.Ar jail command ... >+.Ar jail Op Ar command ... > .Sh DESCRIPTION > The > .Nm >@@ -43,9 +44,17 @@ > inside the > .Ar jail > identified by its jid or name. >+If >+.Ar command >+is not specified then the user's shell is used. > .Pp > The following options are available: > .Bl -tag -width indent >+.It Fl l >+Execute in a clean environment. >+The environment is discarded except for >+.Ev HOME , SHELL , TERM , USER >+and anything from the login class capability database for the user. > .It Fl u Ar username > The user name from host environment as whom the > .Ar command >Index: usr.sbin/jexec/jexec.c >=================================================================== >--- usr.sbin/jexec/jexec.c (revision 285404) >+++ usr.sbin/jexec/jexec.c (working copy) >@@ -40,49 +40,37 @@ > #include <jail.h> > #include <limits.h> > #include <login_cap.h> >+#include <paths.h> >+#include <pwd.h> > #include <stdio.h> > #include <stdlib.h> > #include <string.h> >-#include <pwd.h> > #include <unistd.h> > >+extern char **environ; >+ >+static void get_user_info(const char *username, const struct passwd **pwdp, >+ login_cap_t **lcapp); > static void usage(void); > >-#define GET_USER_INFO do { \ >- pwd = getpwnam(username); \ >- if (pwd == NULL) { \ >- if (errno) \ >- err(1, "getpwnam: %s", username); \ >- else \ >- errx(1, "%s: no such user", username); \ >- } \ >- lcap = login_getpwclass(pwd); \ >- if (lcap == NULL) \ >- err(1, "getpwclass: %s", username); \ >- ngroups = ngroups_max; \ >- if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) \ >- err(1, "getgrouplist: %s", username); \ >-} while (0) >- > int > main(int argc, char *argv[]) > { > int jid; > login_cap_t *lcap = NULL; >- struct passwd *pwd = NULL; >- gid_t *groups = NULL; >- int ch, ngroups, uflag, Uflag; >- long ngroups_max; >- char *username; >+ int ch, clean, uflag, Uflag; >+ char *cleanenv; >+ const struct passwd *pwd = NULL; >+ const char *username, *shell, *term; > >- ch = uflag = Uflag = 0; >+ ch = clean = uflag = Uflag = 0; > username = NULL; >- ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1; >- if ((groups = malloc(sizeof(gid_t) * ngroups_max)) == NULL) >- err(1, "malloc"); > >- while ((ch = getopt(argc, argv, "nu:U:")) != -1) { >+ while ((ch = getopt(argc, argv, "lnu:U:")) != -1) { > switch (ch) { >+ case 'l': >+ clean = 1; >+ break; > case 'n': > /* Specified name, now unused */ > break; >@@ -100,12 +88,15 @@ > } > argc -= optind; > argv += optind; >- if (argc < 2) >+ if (argc < 1) > usage(); > if (uflag && Uflag) > usage(); >- if (uflag) >- GET_USER_INFO; >+ if (uflag || (clean && !Uflag)) >+ /* User info from the home environment */ >+ get_user_info(username, &pwd, &lcap); >+ >+ /* Attach to the jail */ > jid = jail_getid(argv[0]); > if (jid < 0) > errx(1, "%s", jail_errmsg); >@@ -113,28 +104,88 @@ > err(1, "jail_attach(%d)", jid); > if (chdir("/") == -1) > err(1, "chdir(): /"); >- if (username != NULL) { >+ >+ /* Set up user environment */ >+ if (clean || username != NULL) { > if (Uflag) >- GET_USER_INFO; >- if (setgroups(ngroups, groups) != 0) >- err(1, "setgroups"); >+ /* User info from the jail environment */ >+ get_user_info(username, &pwd, &lcap); >+ if (clean) { >+ term = getenv("TERM"); >+ cleanenv = NULL; >+ environ = &cleanenv; >+ setenv("PATH", "/bin:/usr/bin", 1); >+ if (term != NULL) >+ setenv("TERM", term, 1); >+ } > if (setgid(pwd->pw_gid) != 0) > err(1, "setgid"); >- if (setusercontext(lcap, pwd, pwd->pw_uid, >- LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0) >+ if (setusercontext(lcap, pwd, pwd->pw_uid, username >+ ? LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN >+ : LOGIN_SETPATH | LOGIN_SETENV) != 0) > err(1, "setusercontext"); > login_close(lcap); >+ setenv("USER", pwd->pw_name, 1); >+ setenv("HOME", pwd->pw_dir, 1); >+ setenv("SHELL", >+ *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1); >+ if (clean && chdir(pwd->pw_dir) < 0) >+ err(1, "chdir: %s", pwd->pw_dir); >+ endpwent(); > } >- if (execvp(argv[1], argv + 1) == -1) >- err(1, "execvp(): %s", argv[1]); >+ >+ /* Run the specified command, or the shell */ >+ if (argc > 1) { >+ if (execvp(argv[1], argv + 1) < 0) >+ err(1, "execvp: %s", argv[1]); >+ } else { >+ if (!(shell = getenv("SHELL"))) >+ shell = _PATH_BSHELL; >+ if (execlp(shell, shell, "-i", NULL) < 0) >+ err(1, "execlp: %s", shell); >+ } > exit(0); > } > > static void >+get_user_info(const char *username, const struct passwd **pwdp, >+ login_cap_t **lcapp) >+{ >+ uid_t uid; >+ const struct passwd *pwd; >+ >+ errno = 0; >+ if (username) { >+ pwd = getpwnam(username); >+ if (pwd == NULL) { >+ if (errno) >+ err(1, "getpwnam: %s", username); >+ else >+ errx(1, "%s: no such user", username); >+ } >+ } else { >+ uid = getuid(); >+ pwd = getpwuid(uid); >+ if (pwd == NULL) { >+ if (errno) >+ err(1, "getpwuid: %d", uid); >+ else >+ errx(1, "unknown uid: %d", uid); >+ } >+ } >+ *pwdp = pwd; >+ *lcapp = login_getpwclass(pwd); >+ if (*lcapp == NULL) >+ err(1, "getpwclass: %s", pwd->pw_name); >+ if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) >+ err(1, "initgroups: %s", pwd->pw_name); >+} >+ >+static void > usage(void) > { > > fprintf(stderr, "%s\n", >- "usage: jexec [-u username | -U username] jail command ..."); >+ "usage: jexec [-l] [-u username | -U username] jail [command ...]"); > exit(1); > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 201300
:
158277
| 158629