On 2022-02-06, Ted Unangst wrote:
> On 2022-02-05, Matthew Martin wrote:
> > On Sat, Jan 29, 2022 at 06:25:32PM -0600, Matthew Martin wrote:
> > > On Sat, Jan 29, 2022 at 07:10:00PM -0500, Ted Unangst wrote:
> > > > I believe it would be better to add setrtable to id pledge.
> >
> > ping
> >
> > Also are there any opinions on adding LOGIN_SETRTABLE to doas?
>
> I think this diff looks fine.
>
> For doas, we can use setall with an extra note in the man page.
Final auction for oks. I think all the login.conf.d changes are in now. Plan is add setrtable to pledge first so people don't get caught, then libc. > > > Index: doas.1 > =================================================================== > RCS file: /home/cvs/src/usr.bin/doas/doas.1,v > retrieving revision 1.25 > diff -u -p -r1.25 doas.1 > --- doas.1 16 Jan 2021 09:18:41 -0000 1.25 > +++ doas.1 6 Feb 2022 18:41:53 -0000 > @@ -54,6 +54,8 @@ and > and the > .Xr umask 2 > are set to values appropriate for the target user. > +Other values may also be set as specified in > +.Pa /etc/login.conf . > .Ev DOAS_USER > is set to the name of the user executing > .Nm . > Index: doas.c > =================================================================== > RCS file: /home/cvs/src/usr.bin/doas/doas.c,v > retrieving revision 1.93 > diff -u -p -r1.93 doas.c > --- doas.c 30 Nov 2021 20:08:15 -0000 1.93 > +++ doas.c 6 Feb 2022 18:39:38 -0000 > @@ -450,10 +450,7 @@ main(int argc, char **argv) > if (targpw == NULL) > errx(1, "no passwd entry for target"); > > - if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP | > - LOGIN_SETPATH | > - LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK | > - LOGIN_SETUSER) != 0) > + if (setusercontext(NULL, targpw, target, LOGIN_SETALL) == -1) > errx(1, "failed to set user context for target"); > > if (pledge("stdio rpath exec", NULL) == -1) > >
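Review bot: in the doas.1 hunk, the sentence added after "are set to values appropriate for the target user" says only "Other values may also be set" and does not name them, so the manual no longer tells an administrator which parts of the target's login class doas applies. Since the doas.c change passes LOGIN_SETALL, consider naming what is new relative to the previous list (at least the routing table discussed in this thread) and adding an .Xr login.conf 5 cross-reference next to the .Pa /etc/login.conf path.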
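Review bot: in the doas.c hunk, the setusercontext() call in main() replaces an explicit six-flag list with LOGIN_SETALL, which turns on every flag the macro covers rather than only the LOGIN_SETRTABLE asked about in the thread; that includes LOGIN_SETLOGIN and LOGIN_SETENV, plus anything added to LOGIN_SETALL later. For a privilege-switching tool, keeping the explicit list and appending LOGIN_SETRTABLE keeps the set of applied login.conf capabilities visible in the source and in future diffs. The failure test on the same line also changes from != 0 to == -1; keeping != 0 would fail closed on any unexpected return value.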