PERFORCE change 15740 for review
Robert Watson
rwatson at freebsd.org
Fri Aug 9 14:57:03 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15740
Change 15740 by rwatson at rwatson_paprika on 2002/08/09 07:56:52
Modify su interaction with setusercontext() so that the MAC
label is not set by default, only if -s is specified. This
changes the default so that only UNIX credential elements
are set, improving compatibility. If setting the MAC label
fails, su will fail.
Affected files ...
.. //depot/projects/trustedbsd/mac/usr.bin/su/su.1#4 edit
.. //depot/projects/trustedbsd/mac/usr.bin/su/su.c#8 edit
Differences ...
==== //depot/projects/trustedbsd/mac/usr.bin/su/su.1#4 (text+ko) ====
@@ -41,7 +41,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl
-.Op Fl flm
+.Op Fl flms
.Op Fl c Ar class
.Op Ar login Op Ar args
.Sh DESCRIPTION
@@ -122,6 +122,14 @@
non-zero,
.Nm
will fail.
+.It Fl s
+Set the MAC label to the user's default label as part of the user
+credential setup.
+Setting the MAC label may fail if the MAC label of the invoking process
+isn't sufficient to transition to the user's default MAC label.
+If the label cannot be set,
+.Nm
+will fail.
.It Fl c Ar class
Use the settings of the specified login class.
Only allowed for the super-user.
==== //depot/projects/trustedbsd/mac/usr.bin/su/su.c#8 (text+ko) ====
@@ -128,7 +128,7 @@
uid_t ruid;
gid_t gid;
int asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
- statusp, child_pid, child_pgrp, ret_pid;
+ statusp, child_pid, child_pgrp, ret_pid, setmaclabel;
char *username, *cleanenv, *class, shellbuf[MAXPATHLEN];
const char *p, *user, *shell, *mytty, **nargv;
@@ -138,8 +138,9 @@
asme = asthem = fastlogin = statusp = 0;
user = "root";
iscsh = UNSET;
+ setmaclabel = 0;
- while ((ch = getopt(argc, argv, "-flmc:")) != -1)
+ while ((ch = getopt(argc, argv, "-flmsc:")) != -1)
switch ((char)ch) {
case 'f':
fastlogin = 1;
@@ -153,6 +154,9 @@
asme = 1;
asthem = 0;
break;
+ case 's':
+ setmaclabel = 1;
+ break;
case 'c':
class = optarg;
break;
@@ -355,7 +359,13 @@
* Umask Login records (wtmp, etc) Path
*/
setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
- LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
+ LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP |
+ LOGIN_SETLABEL);
+ /*
+ * If -l is present, also set the MAC label.
+ */
+ if (setmaclabel)
+ setwhat |= LOGIN_SETLABEL;
/*
* Don't touch resource/priority settings if -m has been used
* or -l and -c hasn't, and we're not su'ing to root.
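Review bot: The new comment above `if (setmaclabel)` names the wrong option: it says `-l`, but the flag that sets `setmaclabel` in this change is `-s`, so it should read `/* If -s is present, also set the MAC label. */`. The list comment just above the `setwhat` assignment starts outside this hunk; it enumerates what su leaves unset and could now also mention the MAC label, since `LOGIN_SETLABEL` is masked out by default. The setusercontext() call that consumes `setwhat` is not visible here, so please confirm its return value is checked and treated as fatal. The commit message promises that su fails when the label cannot be set, and a silently ignored failure would leave the new shell running at the invoker's label despite `-s`.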
@@ -458,7 +468,7 @@
usage(void)
{
- fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
+ fprintf(stderr, "usage: su [-] [-flms] [-c class] [login [args]]\n");
exit(1);
}