On 2022-02-06, Ted Unangst wrote:
> On 2022-02-05, Matthew Martin wrote:
> > On Sat, Jan 29, 2022 at 06:25:32PM -0600, Matthew Martin wrote:
> > > On Sat, Jan 29, 2022 at 07:10:00PM -0500, Ted Unangst wrote:
> > > > I believe it would be better to add setrtable to id pledge.
> > 
> > ping
> > 
> > Also are there any opinions on adding LOGIN_SETRTABLE to doas?
> 
> I think this diff looks fine.
> 
> For doas, we can use setall with an extra note in the man page.

Final auction for oks. I think all the login.conf.d changes are in now.

Plan is to add setrtable to pledge first so people don't get caught, then libc.

> 
> 
> Index: doas.1
> ===================================================================
> RCS file: /home/cvs/src/usr.bin/doas/doas.1,v
> retrieving revision 1.25
> diff -u -p -r1.25 doas.1
> --- doas.1    16 Jan 2021 09:18:41 -0000      1.25
> +++ doas.1    6 Feb 2022 18:41:53 -0000
> @@ -54,6 +54,8 @@ and
>  and the
>  .Xr umask 2
>  are set to values appropriate for the target user.
> +Other values may also be set as specified in
> +.Pa /etc/login.conf .
>  .Ev DOAS_USER
>  is set to the name of the user executing
>  .Nm .
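Review bot: The added sentence at `+Other values may also be set as specified in` does not say which values, so a reader of doas.1 cannot tell what changes for the target user beyond the items already listed. Consider naming the settings this is meant to cover (the thread cites the routing table via LOGIN_SETRTABLE) and cross-referencing the manual with `.Xr login.conf 5` instead of only the `.Pa /etc/login.conf` path, since the thread also mentions login.conf.d.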
> Index: doas.c
> ===================================================================
> RCS file: /home/cvs/src/usr.bin/doas/doas.c,v
> retrieving revision 1.93
> diff -u -p -r1.93 doas.c
> --- doas.c    30 Nov 2021 20:08:15 -0000      1.93
> +++ doas.c    6 Feb 2022 18:39:38 -0000
> @@ -450,10 +450,7 @@ main(int argc, char **argv)
>       if (targpw == NULL)
>               errx(1, "no passwd entry for target");
>  
> -     if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
> -         LOGIN_SETPATH |
> -         LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
> -         LOGIN_SETUSER) != 0)
> +     if (setusercontext(NULL, targpw, target, LOGIN_SETALL) == -1)
>               errx(1, "failed to set user context for target");
>  
>       if (pledge("stdio rpath exec", NULL) == -1)
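Review bot: Replacing the six explicit flags with `LOGIN_SETALL` in the `setusercontext()` call makes the set of applied settings implicit. doas will now apply whatever that macro covers, including anything added to it later, where previously only LOGIN_SETGROUP, LOGIN_SETPATH, LOGIN_SETPRIORITY, LOGIN_SETRESOURCES, LOGIN_SETUMASK and LOGIN_SETUSER were applied. A short comment above the call stating what is newly applied (the thread names LOGIN_SETRTABLE) would keep that behaviour reviewable. The call still sits before `pledge("stdio rpath exec", NULL)`, but whether an earlier pledge in main() permits the routing-table change is not visible in this hunk and should be confirmed, given the stated plan to add setrtable to pledge first. The error test also changes from `!= 0` to `== -1`, which is a separate change worth a line in the commit message.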
> 
> 
