On 2022-02-05, Matthew Martin wrote:
> On Sat, Jan 29, 2022 at 06:25:32PM -0600, Matthew Martin wrote:
> > On Sat, Jan 29, 2022 at 07:10:00PM -0500, Ted Unangst wrote:
> > > I believe it would be better to add setrtable to id pledge.
> 
> ping
> 
> Also are there any opinions on adding LOGIN_SETRTABLE to doas?

I think this diff looks fine.

For doas, we can use setall with an extra note in the man page.


Index: doas.1
===================================================================
RCS file: /home/cvs/src/usr.bin/doas/doas.1,v
retrieving revision 1.25
diff -u -p -r1.25 doas.1
--- doas.1      16 Jan 2021 09:18:41 -0000      1.25
+++ doas.1      6 Feb 2022 18:41:53 -0000
@@ -54,6 +54,8 @@ and
 and the
 .Xr umask 2
 are set to values appropriate for the target user.
+Other values may also be set as specified in
+.Pa /etc/login.conf .
 .Ev DOAS_USER
 is set to the name of the user executing
 .Nm .
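Review bot: The added sentence after the umask text ("Other values may also be set as specified in /etc/login.conf .") does not tell the reader which values change, and it lands between the umask sentence and the DOAS_USER sentence, so it reads as if it belonged to the environment description. Since the doas.c change in this same diff switches to LOGIN_SETALL, and the thread names the routing table as the motivating case, consider naming the routing table explicitly and pointing to the relevant manual with an .Xr reference (for example login.conf 5) rather than only a .Pa path, so an administrator can see what a login class will now impose on commands run through doas.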
Index: doas.c
===================================================================
RCS file: /home/cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.93
diff -u -p -r1.93 doas.c
--- doas.c      30 Nov 2021 20:08:15 -0000      1.93
+++ doas.c      6 Feb 2022 18:39:38 -0000
@@ -450,10 +450,7 @@ main(int argc, char **argv)
        if (targpw == NULL)
                errx(1, "no passwd entry for target");
 
-       if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
-           LOGIN_SETPATH |
-           LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
-           LOGIN_SETUSER) != 0)
+       if (setusercontext(NULL, targpw, target, LOGIN_SETALL) == -1)
                errx(1, "failed to set user context for target");
 
        if (pledge("stdio rpath exec", NULL) == -1)
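Review bot: Replacing the explicit six-flag list in the setusercontext() call with LOGIN_SETALL changes the model from opt-in to opt-out: every flag in that mask that was not in the old list now takes effect in doas, and so will any flag added to the mask later (the thread's LOGIN_SETRTABLE being the first). Please list in the commit message which additional flags this turns on today, and consider whether the old explicit list plus LOGIN_SETRTABLE would be the more conservative choice for a privilege-changing program. Separately, the same line changes the failure test from "!= 0" to "== -1"; that matches the pledge() check below, but it narrows what counts as failure and is worth a word in the log so it is not read as accidental.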
