For now, set only the resource limits and process priority associated

with a class, rather than all aspects of the class when switching
classes for an inetd service.  Because we hard-code /daemon in the
current inetd implementation, using SETALL has unfortunate side-effects
involving the MAC code, and potentially other credential related
settings in the future.  This change maintains the DoS-resistent
aspects of the class behavior, which is all that is promised in the
inetd man page.

A larger set of diffs providing more pluggability and configurability
was deferred for this more simple approach in the short term.

Reviewed by:	ache
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

1 files changed, 2 insertions, 1 deletions

diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index ad847fb..d47691e 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@@ -812,7 +812,8 @@ main(int argc, char **argv)
 				}
 #ifdef LOGIN_CAP
 				if (setusercontext(lc, pwd, pwd->pw_uid,
-				    LOGIN_SETALL) != 0) {
+				    LOGIN_SETRESOURCES | LOGIN_SETPRIORITY)
+				    != 0) {
 					syslog(LOG_ERR,
 					 "%s: can't setusercontext(..%s..): %m",
 					 sep->se_service, sep->se_user);