authorrwatson <rwatson@FreeBSD.org>2002-10-23 03:19:34 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-23 03:19:34 +0000
commit22d94f8404dad00a5e11e10268dd1939db2db7aa (patch)
tree99bf913c042891ee89b412a42025ac2a45b8a480 /usr.bin
parent7b9f8f277bf2b3ee0ff52374c50ca8e380c1f095 (diff)
Add a new '-s' option to su(1): if the flag is present, attempt to
also set the user's MAC label as part of the user credential setup by setting setusercontext(3)'s SETMAC flag. By default, change only traditional process properties. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/su/su.110
-rw-r--r--usr.bin/su/su.c18
2 files changed, 23 insertions, 5 deletions
diff --git a/usr.bin/su/su.1 b/usr.bin/su/su.1
index 472d5db..a3f2a29 100644
--- a/usr.bin/su/su.1
+++ b/usr.bin/su/su.1
@@ -41,7 +41,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl
-.Op Fl flm
+.Op Fl flms
.Op Fl c Ar class
.Op Ar login Op Ar args
.Sh DESCRIPTION
@@ -122,6 +122,14 @@ and the caller's real uid is
non-zero,
.Nm
will fail.
+.It Fl s
+Set the MAC label to the user's default label as part of the user
+credential setup.
+Setting the MAC label may fail if the MAC label of the invoking process
+isn't sufficient to transition to the user's default MAC label.
+If the label cannot be set,
+.Nm
+will fail.
.It Fl c Ar class
Use the settings of the specified login class.
Only allowed for the super-user.
diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c
index 9191b87..434b4c7 100644
--- a/usr.bin/su/su.c
+++ b/usr.bin/su/su.c
@@ -127,7 +127,7 @@ main(int argc, char *argv[])
} np;
uid_t ruid;
int asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
- statusp, child_pid, child_pgrp, ret_pid;
+ statusp, child_pid, child_pgrp, ret_pid, setmaclabel;
char *username, *cleanenv, *class, shellbuf[MAXPATHLEN];
const char *p, *user, *shell, *mytty, **nargv;
@@ -137,8 +137,9 @@ main(int argc, char *argv[])
asme = asthem = fastlogin = statusp = 0;
user = "root";
iscsh = UNSET;
+ setmaclabel = 0;
- while ((ch = getopt(argc, argv, "-flmc:")) != -1)
+ while ((ch = getopt(argc, argv, "-flmsc:")) != -1)
switch ((char)ch) {
case 'f':
fastlogin = 1;
@@ -152,6 +153,9 @@ main(int argc, char *argv[])
asme = 1;
asthem = 0;
break;
+ case 's':
+ setmaclabel = 1;
+ break;
case 'c':
class = optarg;
break;
@@ -359,7 +363,13 @@ main(int argc, char *argv[])
* Umask Login records (wtmp, etc) Path
*/
setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
- LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
+ LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP |
+ LOGIN_SETMAC);
+ /*
+ * If -s is present, also set the MAC label.
+ */
+ if (setmaclabel)
+ setwhat |= LOGIN_SETMAC;
/*
* Don't touch resource/priority settings if -m has been used
* or -l and -c hasn't, and we're not su'ing to root.
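Review bot: Nothing in this hunk enforces the su.1 promise that su fails when the label cannot be set. That guarantee rests on the setusercontext(3) call that consumes `setwhat`, which is outside the hunk, so it is worth confirming that its return value is checked and that a failure is fatal before the shell is exec'd. Otherwise a rejected label transition with `-s` could fall through to a shell still running under the caller's label. Separately, the block comment above the mask lists what is deliberately not set (it starts outside the hunk), and now that `LOGIN_SETMAC` is masked out by default I would add an entry such as `MAC label (unless -s is given)` so the list matches the mask.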
@@ -462,7 +472,7 @@ static void
usage(void)
{
- fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
+ fprintf(stderr, "usage: su [-] [-flms] [-c class] [login [args]]\n");
exit(1);
}