The consensus seems to be that "chroot -u" should apply the settings in /etc/login.conf by default. Since this is a non-standard flag we can do what we like with it. I should have used setusercontext() when I added -u to chroot in the first place.
We can add a "-c class" option in the future if there turns out to be a need for it. - todd
Index: usr.sbin/chroot/chroot.8
===================================================================
RCS file: /cvs/src/usr.sbin/chroot/chroot.8,v
retrieving revision 1.14
diff -u -p -u -r1.14 chroot.8
--- usr.sbin/chroot/chroot.8	8 Jul 2010 06:52:30 -0000	1.14
+++ usr.sbin/chroot/chroot.8	19 May 2015 15:47:52 -0000
@@ -77,6 +77,11 @@ and databases unless overridden by the
 .Fl g
 option.
+Additional settings may be applied as specified in
+.Xr login.conf 5
+depending on
+.Ar user Ns 's
+login class.
 .El
 .Sh ENVIRONMENT
 .Bl -tag -width SHELL
@@ -95,6 +100,7 @@ is used.
 .Sh SEE ALSO
 .Xr ldd 1 ,
 .Xr group 5 ,
+.Xr login.conf 5 ,
 .Xr passwd 5 ,
 .Xr environ 7
 .Sh HISTORY
Index: usr.sbin/chroot/chroot.c
===================================================================
RCS file: /cvs/src/usr.sbin/chroot/chroot.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 chroot.c
--- usr.sbin/chroot/chroot.c	27 Oct 2009 23:59:51 -0000	1.13
+++ usr.sbin/chroot/chroot.c	19 May 2015 15:48:29 -0000
@@ -35,6 +35,7 @@
 #include <errno.h>
 #include <grp.h>
 #include <limits.h>
+#include <login_cap.h>
 #include <paths.h>
 #include <pwd.h>
 #include <stdio.h>
@@ -50,11 +51,14 @@ main(int argc, char **argv)
 {
 	struct group *grp;
 	struct passwd *pwd;
+	login_cap_t *lc;
 	const char *shell;
 	char *user, *group, *grouplist;
 	gid_t gidlist[NGROUPS_MAX];
 	int ch, ngids;
+	int flags = LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETUSER);
 
+	lc = NULL;
 	ngids = 0;
 	pwd = NULL;
 	user = grouplist = NULL;
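Review bot: The `int flags = LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETUSER);` initializer in the declaration hunk masks out two class actions without saying why, and the reason only becomes visible much later in main(), where setlogin() and setuid() are performed by hand after chroot(). A short comment on that line would keep the mask and the manual calls in sync for the next editor: `/* setlogin()/setuid() are done by hand after chroot(); see below */`. main() starts before this hunk and continues past it.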
@@ -80,8 +84,12 @@ main(int argc, char **argv)
 	if (argc < 1)
 		usage();
 
-	if (user != NULL && (pwd = getpwnam(user)) == NULL)
-		errx(1, "no such user `%s'", user);
+	if (user != NULL) {
+		if ((pwd = getpwnam(user)) == NULL)
+			errx(1, "no such user `%s'", user);
+		if ((lc = login_getclass(pwd->pw_class)) == NULL)
+			err(1, "unable to get login class for `%s'", user);
+	}
 
 	while ((group = strsep(&grouplist, ",")) != NULL) {
 		if (*group == '\0')
@@ -99,11 +107,11 @@ main(int argc, char **argv)
 			err(1, "setgid");
 		if (setgroups(ngids, gidlist) != 0)
 			err(1, "setgroups");
-	} else if (pwd != NULL) {
-		if (setgid(pwd->pw_gid) != 0)
-			err(1, "setgid");
-		if (initgroups(user, pwd->pw_gid) == -1)
-			err(1, "initgroups");
+		flags &= ~LOGIN_SETGROUP;
+	}
+	if (lc != NULL) {
+		if (setusercontext(lc, pwd, pwd->pw_uid, flags) == -1)
+			err(1, "setusercontext");
 	}
 
 	if (chroot(argv[0]) != 0 || chdir("/") != 0)
@@ -115,7 +123,6 @@ main(int argc, char **argv)
 		setlogin(pwd->pw_name);
 		if (setuid(pwd->pw_uid) != 0)
 			err(1, "setuid");
-		endgrent();
 	}
 
 	if (argv[1]) {
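Review bot: In the @@ -99 hunk the new `if (lc != NULL)` block calls setusercontext() before chroot() and with LOGIN_SETUSER masked out, and neither ordering decision is recorded in the code even though both are load-bearing: the class database and whatever it configures presumably have to be read from the host before the root directory changes, and the uid switch must stay after chroot()/chdir("/") since those still need privilege. A comment above the block such as `/* Apply the login class (minus uid/login name) before chroot(): login.conf lives outside the new root. */` would stop a later reordering from silently breaking either property, and the `flags &= ~LOGIN_SETGROUP;` line in the -g branch deserves `/* -g overrides the group list from the class and passwd entry */`. The `pwd->pw_uid` dereference is safe only because `lc` is set in the @@ -80 hunk strictly after `pwd` is resolved; that pairing is worth a one-line note there too. main() continues outside these hunks.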