authorache <ache@FreeBSD.org>1997-10-27 22:03:47 +0000
committerache <ache@FreeBSD.org>1997-10-27 22:03:47 +0000
commit6a842ce994af64318a02cea0f7cd2ef8700cb2cd (patch)
tree8bbc3cfb37a810a5ef92b662d52e06204ef5f003
parent67b46d7b0f684ec9025057bb9004d4760be6593b (diff)
Implement login class specification as user[/loginclass]
By default inetd runs things with the same limits as from /etc/rc (daemon class), so as not to break anything, as in the good old days.
-rw-r--r--usr.sbin/inetd/inetd.812
-rw-r--r--usr.sbin/inetd/inetd.c54
2 files changed, 56 insertions, 10 deletions
diff --git a/usr.sbin/inetd/inetd.8 b/usr.sbin/inetd/inetd.8
index ae7664a..dd73d49 100644
--- a/usr.sbin/inetd/inetd.8
+++ b/usr.sbin/inetd/inetd.8
@@ -30,7 +30,7 @@
.\" SUCH DAMAGE.
.\"
.\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94
-.\" $Id: inetd.8,v 1.13 1997/02/22 16:05:51 peter Exp $
+.\" $Id: inetd.8,v 1.14 1997/09/19 06:26:30 charnier Exp $
.\"
.Dd February 7, 1996
.Dt INETD 8
@@ -101,7 +101,7 @@ service name
socket type
protocol
{wait|nowait}[/max-child]
-user
+user[/login-class]
server program
server program arguments
.Ed
@@ -114,7 +114,7 @@ service, the entry would contain these fields:
service name/version
socket type
rpc/protocol
-user
+user[/login-class]
server program
server program arguments
.Ed
@@ -275,7 +275,10 @@ The
.Em user
entry should contain the user name of the user as whom the server
should run. This allows for servers to be given less permission
-than root.
+than root. Optional
+.Em login-class
+suffix separated by ``/'' allows to specify login class different
+than default ``daemon'' login class.
.Pp
The
.Em server-program
@@ -470,6 +473,7 @@ program attempted to renounce the privileged state associated with a
socket but was unable to.
.El
.Sh SEE ALSO
+.Xr login.conf 5 ,
.Xr passwd 5 ,
.Xr rpc 5 ,
.Xr services 5 ,
diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index 680ef8e..af01882 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@@ -42,7 +42,7 @@ static const char copyright[] =
static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94";
#endif
static const char rcsid[] =
- "$Id$";
+ "$Id: inetd.c,v 1.26 1997/09/19 06:26:31 charnier Exp $";
#endif /* not lint */
/*
@@ -132,6 +132,10 @@ static const char rcsid[] =
#ifdef LOGIN_CAP
#include <login_cap.h>
+
+/* see init.c */
+#define RESOURCE_RC "daemon"
+
#endif
#include "pathnames.h"
@@ -162,6 +166,9 @@ struct servtab {
short se_numchild; /* current number of children */
pid_t *se_pids; /* array of child pids */
char *se_user; /* user name to run as */
+#ifdef LOGIN_CAP
+ char *se_class; /* login class name to run with */
+#endif
struct biltin *se_bi; /* if built-in, description */
char *se_server; /* server program */
#define MAXARGV 20
@@ -513,11 +520,15 @@ main(argc, argv, envp)
_exit(EX_NOUSER);
}
#ifdef LOGIN_CAP
- /*
- * Establish the class now, falls back to
- * the "default" if unavailable.
- */
- lc = login_getpwclass(pwd);
+ if ((lc = login_getclass(sep->se_class)) == NULL) {
+ /* error syslogged by getclass */
+ syslog(LOG_ERR,
+ "%s/%s: %s: login class error",
+ sep->se_service, sep->se_proto);
+ if (sep->se_socktype != SOCK_STREAM)
+ recv(0, buf, sizeof (buf), 0);
+ _exit(EX_NOUSER);
+ }
#endif
if (setsid() < 0) {
syslog(LOG_ERR,
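Review bot: The new syslog() call in the login_getclass() failure branch uses the format `"%s/%s: %s: login class error"`, which has three `%s` conversions, but passes only two arguments (`sep->se_service, sep->se_proto`). The third conversion reads an argument that was never supplied, which is undefined behaviour on exactly the path taken when the class lookup fails. Pass the class name as the third argument, `sep->se_service, sep->se_proto, sep->se_class);`, which also puts the offending class in the log. The class now comes from the inetd.conf entry instead of the user's passwd record (the removed `login_getpwclass(pwd)`), and a one-line comment saying so would help the next reader. The enclosing block in main() starts and ends outside the hunk.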
@@ -650,6 +661,15 @@ config(signo)
new->se_service, new->se_proto, new->se_user);
continue;
}
+#ifdef LOGIN_CAP
+ if (login_getclass(new->se_class) == NULL) {
+ /* error syslogged by getclass */
+ syslog(LOG_ERR,
+ "%s/%s: login class error, service ignored",
+ new->se_service, new->se_proto);
+ continue;
+ }
+#endif
for (sep = servtab; sep; sep = sep->se_next)
if (strcmp(sep->se_service, new->se_service) == 0 &&
strcmp(sep->se_proto, new->se_proto) == 0)
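Review bot: The check added to config() calls `login_getclass(new->se_class)` only to compare the result with NULL and then discards the returned handle. Each accepted entry therefore appears to leak one login_cap_t every time the configuration is reread. Keep the pointer in the condition, `if ((lc = login_getclass(new->se_class)) == NULL) {`, and release it after the block with `login_close(lc);`. This needs a local `login_cap_t *lc` under the same `#ifdef LOGIN_CAP`, since config()'s declarations are outside the hunk.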
@@ -684,6 +704,10 @@ config(signo)
sep->se_accept = new->se_accept;
if (new->se_user)
SWAP(sep->se_user, new->se_user);
+#ifdef LOGIN_CAP
+ if (new->se_class)
+ SWAP(sep->se_class, new->se_class);
+#endif
if (new->se_server)
SWAP(sep->se_server, new->se_server);
for (i = 0; i < MAXARGV; i++)
@@ -1129,6 +1153,13 @@ more:
}
}
sep->se_user = newstr(sskip(&cp));
+#ifdef LOGIN_CAP
+ if ((s = strrchr(sep->se_user, '/')) != NULL) {
+ *s = '\0';
+ sep->se_class = newstr(s + 1);
+ } else
+ sep->se_class = newstr(RESOURCE_RC);
+#endif
sep->se_server = newstr(sskip(&cp));
if (strcmp(sep->se_server, "internal") == 0) {
struct biltin *bi;
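Review bot: The `/` split in the user field accepts an empty part on either side. An entry written as `user/` stores an empty string in `se_class` instead of the documented `daemon` default, and `/class` leaves `se_user` empty. How login_getclass() treats an empty name is not visible here, so it is unclear which limits such a service would get. Falling back explicitly is safer, `sep->se_class = newstr(s[1] != '\0' ? s + 1 : RESOURCE_RC);`, or the entry can be rejected as a configuration error. `s` and the rest of the parsing function are declared outside the hunk.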
@@ -1185,6 +1216,10 @@ freeconfig(cp)
free(cp->se_proto);
if (cp->se_user)
free(cp->se_user);
+#ifdef LOGIN_CAP
+ if (cp->se_class)
+ free(cp->se_class);
+#endif
if (cp->se_server)
free(cp->se_server);
if (cp->se_pids)
@@ -1608,9 +1643,16 @@ print_service(action, sep)
struct servtab *sep;
{
fprintf(stderr,
+#ifdef LOGIN_CAP
+ "%s: %s proto=%s accept=%d max=%d user=%s class=%s builtin=%x server=%s\n",
+#else
"%s: %s proto=%s accept=%d max=%d user=%s builtin=%x server=%s\n",
+#endif
action, sep->se_service, sep->se_proto,
sep->se_accept, sep->se_maxchild, sep->se_user,
+#ifdef LOGIN_CAP
+ sep->se_class,
+#endif
(int)sep->se_bi, sep->se_server);
}