Date: Thu, 27 May 2004 21:49:35 +0400 (MSD)
From: Dmitry Sivachenko <mitya@demos.su>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/67262: jail improvement: run command as user which exists only in jail
Message-ID: <200405271749.i4RHnZQ0080390@tear.demos.su>
Resent-Message-ID: <200405271800.i4RI0gP3002709@freefall.freebsd.org>
>Number: 67262 >Category: bin >Synopsis: jail improvement: run command as user which exists only in jail >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Thu May 27 11:00:41 PDT 2004 >Closed-Date: >Last-Modified: >Originator: Dmitry Sivachenko >Release: FreeBSD 5.2-CURRENT i386 >Organization: >Environment: System: FreeBSD tear.demos.su 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Tue May 11 18:42:38 MSD 2004 mitya@tear.demos.su:/usr/obj/usr/src/sys/TEAR i386 >Description: Currently '-u' option to jail(8) can be used to run a command under specific user credentials. This particular user must exist in the host environment. I propose a new '-U' option to specify a user which exists only in jailed environment and not in the host system. >How-To-Repeat: >Fix: Index: jail.8 =================================================================== RCS file: /home/ncvs/src/usr.sbin/jail/jail.8,v retrieving revision 1.52 diff -u -r1.52 jail.8 --- jail.8 20 May 2004 06:37:44 -0000 1.52 +++ jail.8 27 May 2004 17:44:33 -0000 @@ -42,7 +42,7 @@ .Sh SYNOPSIS .Nm .Op Fl i -.Op Fl u Ar username +.Op Fl u Ar username | Fl U Ar username .Ar path hostname ip-number command ... .Sh DESCRIPTION The @@ -54,7 +54,11 @@ .It Fl i Output the jail identifier of the newly created jail. .It Fl u Ar username -The user name as whom the +The user name from host environment as whom the +.Ar command +should run. +.It Fl U Ar username +The user name from jailed environment as whom the .Ar command should run. .It Ar path Index: jail.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/jail/jail.c,v retrieving revision 1.14 diff -u -r1.14 jail.c --- jail.c 6 Jul 2003 12:44:11 -0000 1.14 +++ jail.c 27 May 2004 17:44:33 -0000 
@@ -27,6 +27,17 @@ static void usage(void); +#define GET_USER_INFO \ + pwd = getpwnam(username); \ + if (pwd == NULL) \ + err(1, "getpwnam: %s", username); \ + lcap = login_getpwclass(pwd); \ + if (lcap == NULL) \ + err(1, "getpwclass: %s", username); \ + ngroups = NGROUPS; \ + if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) \ + err(1, "getgrouplist: %s", username); + int main(int argc, char **argv) { @@ -34,19 +45,28 @@ struct jail j; struct passwd *pwd; struct in_addr in; - int ch, groups[NGROUPS], i, iflag, ngroups; + int ch, groups[NGROUPS], i, iflag, uflag, Uflag, ngroups; char *username; - iflag = 0; + iflag = uflag = Uflag = 0; username = NULL; - while ((ch = getopt(argc, argv, "iu:")) != -1) { + while ((ch = getopt(argc, argv, "iu:U:")) != -1) { switch (ch) { case 'i': iflag = 1; break; case 'u': + if (Uflag) + usage(); + username = optarg; + uflag = 1; + break; + case 'U': + if (uflag) + usage(); username = optarg; + Uflag = 1; break; default: usage(); @@ -57,16 +77,8 @@ if (argc < 4) usage(); - if (username != NULL) { - pwd = getpwnam(username); - if (pwd == NULL) - err(1, "getpwnam: %s", username); - lcap = login_getpwclass(pwd); - if (lcap == NULL) - err(1, "getpwclass: %s", username); - ngroups = NGROUPS; - if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) - err(1, "getgrouplist: %s", username); + if (uflag) { + GET_USER_INFO } if (chdir(argv[0]) != 0) err(1, "chdir: %s", argv[0]); @@ -85,6 +97,9 @@ fflush(stdout); } if (username != NULL) { + if (Uflag) { + GET_USER_INFO + } if (setgroups(ngroups, groups) != 0) err(1, "setgroups"); if (setgid(pwd->pw_gid) != 0) @@ -104,6 +119,6 @@ { (void)fprintf(stderr, - "usage: jail [-i] [-u username] path hostname ip-number command ...\n"); + "usage: jail [-i] [-u username | -U username] path hostname ip-number command ...\n"); exit(1); } >Release-Note: >Audit-Trail: >Unformatted:
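Review bot: in the jail.8 DESCRIPTION hunk, both new option entries drop the article ("from host environment", "from jailed environment"); they should read "from the host environment" and "from the jailed environment". The entries should also say that -u and -U are mutually exclusive, which the jail.c getopt hunk enforces by calling usage() but the manual page never states, and that with -U the user, its group list and its login class are looked up inside the jail after the jail has been created.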
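Review bot: in the first jail.c hunk, GET_USER_INFO is a multi-statement macro that silently depends on pwd, lcap, ngroups, groups and username being in scope at both call sites and is not wrapped in do { ... } while (0), so an unbraced `if (cond) GET_USER_INFO else ...` would not behave as expected. A static helper along the lines of `static void getuserinfo(const char *username, struct passwd **pwd, login_cap_t **lcap, int *groups, int *ngroups)` (hypothetical name and signature) carries the same four lookups without the hidden scope coupling and is closer to style(9).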
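Review bot: in the getopt hunk, rejecting a combined -u/-U via usage() is right, but because both options store into the same username variable, the `if (username != NULL)` test kept in the later setgroups hunk can no longer tell which path populated pwd; consider changing that remaining test to `if (uflag || Uflag)` so the control flow is keyed on the flags throughout, as the host-lookup hunk already does with `if (uflag)`.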
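Review bot: in the `if (username != NULL)` hunk, the -U lookup runs after the jail exists (the context lines follow the jail identifier output, before the setgroups() and setgid() calls), so getpwnam, login_getpwclass and getgrouplist read the jail's own passwd database, login.conf and group file while the process still holds root. That is the intent of -U, but it means the uid, gid, supplementary groups and login class are chosen by whoever controls the jail's filesystem, and since the uid namespace is shared with the host, a uid defined inside the jail can coincide with any host uid. The manual page should spell out this trust boundary so the host administrator treats the -U user as jail-defined rather than as the host account of the same name.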
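Review bot: in the usage() hunk, the new format string pushes the line well past 80 columns; split it into two adjacent string literals, e.g. `"usage: jail [-i] [-u username | -U username] "` followed by `"path hostname ip-number command ...\n"`, which keeps the output identical and within style(9) line length.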