diff options
author | rwatson <rwatson@FreeBSD.org> | 2002-10-23 03:19:34 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-23 03:19:34 +0000 |
commit | 22d94f8404dad00a5e11e10268dd1939db2db7aa (patch) | |
tree | 99bf913c042891ee89b412a42025ac2a45b8a480 /usr.bin | |
parent | 7b9f8f277bf2b3ee0ff52374c50ca8e380c1f095 (diff) | |
download | FreeBSD-src-22d94f8404dad00a5e11e10268dd1939db2db7aa.zip FreeBSD-src-22d94f8404dad00a5e11e10268dd1939db2db7aa.tar.gz |
Add a new '-s' option to su(1): if the flag is present, attempt to
also set the user's MAC label as part of the user credential setup
by setting setusercontext(3)'s SETMAC flag. By default, change only
traditional process properties.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/su/su.1 | 10 | ||||
-rw-r--r-- | usr.bin/su/su.c | 18 |
2 files changed, 23 insertions, 5 deletions
diff --git a/usr.bin/su/su.1 b/usr.bin/su/su.1 index 472d5db..a3f2a29 100644 --- a/usr.bin/su/su.1 +++ b/usr.bin/su/su.1 @@ -41,7 +41,7 @@ .Sh SYNOPSIS .Nm .Op Fl -.Op Fl flm +.Op Fl flms .Op Fl c Ar class .Op Ar login Op Ar args .Sh DESCRIPTION @@ -122,6 +122,14 @@ and the caller's real uid is non-zero, .Nm will fail. +.It Fl s +Set the MAC label to the user's default label as part of the user +credential setup. +Setting the MAC label may fail if the MAC label of the invoking process +isn't sufficient to transition to the user's default MAC label. +If the label cannot be set, +.Nm +will fail. .It Fl c Ar class Use the settings of the specified login class. Only allowed for the super-user. diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c index 9191b87..434b4c7 100644 --- a/usr.bin/su/su.c +++ b/usr.bin/su/su.c @@ -127,7 +127,7 @@ main(int argc, char *argv[]) } np; uid_t ruid; int asme, ch, asthem, fastlogin, prio, i, setwhat, retcode, - statusp, child_pid, child_pgrp, ret_pid; + statusp, child_pid, child_pgrp, ret_pid, setmaclabel; char *username, *cleanenv, *class, shellbuf[MAXPATHLEN]; const char *p, *user, *shell, *mytty, **nargv; @@ -137,8 +137,9 @@ main(int argc, char *argv[]) asme = asthem = fastlogin = statusp = 0; user = "root"; iscsh = UNSET; + setmaclabel = 0; - while ((ch = getopt(argc, argv, "-flmc:")) != -1) + while ((ch = getopt(argc, argv, "-flmsc:")) != -1) switch ((char)ch) { case 'f': fastlogin = 1; @@ -152,6 +153,9 @@ main(int argc, char *argv[]) asme = 1; asthem = 0; break; + case 's': + setmaclabel = 1; + break; case 'c': class = optarg; break; @@ -359,7 +363,13 @@ main(int argc, char *argv[]) * Umask Login records (wtmp, etc) Path */ setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK | - LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP); + LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP | + LOGIN_SETMAC); + /* + * If -s is present, also set the MAC label. + */ + if (setmaclabel) + setwhat |= LOGIN_SETMAC; /* * Don't touch resource/priority settings if -m has been used * or -l and -c hasn't, and we're not su'ing to root. @@ -462,7 +472,7 @@ static void usage(void) { - fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n"); + fprintf(stderr, "usage: su [-] [-flms] [-c class] [login [args]]\n"); exit(1); } |