check for login_cap.h and use setusercontext if available

[opendoas.git] / doas.c

diff --git a/doas.c b/doas.c
index dea68f823181e1595e940a2666457dbb1a2fd799..c95dee3b7af0ff87a9b0d22d1263037aa4a5967d 100644 (file)
--- a/doas.c
+++ b/doas.c
@@ -20,6 +20,9 @@
 #include <sys/ioctl.h>
 
 #include <limits.h>
+#ifdef HAVE_LOGIN_CAP_H
+#include <login_cap.h>
+#endif
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -379,12 +382,19 @@ main(int argc, char **argv)
            rule->options & PERSIST);
 #endif
 
+#ifdef HAVE_LOGIN_CAP_H
+       if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
+           LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
+           LOGIN_SETUSER) != 0)
+               errx(1, "failed to set user context for target");
+#else
        if (setresgid(targpw->pw_gid, targpw->pw_gid, targpw->pw_gid) != 0)
                err(1, "setresgid");
        if (initgroups(targpw->pw_name, targpw->pw_gid) != 0)
                err(1, "initgroups");
        if (setresuid(target, target, target) != 0)
                err(1, "setresuid");
+#endif
 
        if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
                cwd = "(failed)";