check for login_cap.h and use setusercontext if available
authorDuncan Overbruck <mail@duncano.de>
Thu, 5 Nov 2020 20:00:16 +0000 (21:00 +0100)
committerDuncan Overbruck <mail@duncano.de>
Thu, 12 Nov 2020 13:09:21 +0000 (14:09 +0100)
configure
doas.c

index 4ae9b691414d9181b4e84ab9158c88abe9e763cc..bd1b94f57666b02e96c24fc6f9005a84ef5a03aa 100755 (executable)
--- a/configure
+++ b/configure
@@ -451,6 +451,17 @@ int main(void) {
 }'
 check_func "ndir_h" "$src"
 
+#
+# Check for login_cap.h.
+#
+src='
+#include <sys/types.h>
+#include <login_cap.h>
+int main(void) {
+       return 0;
+}'
+check_func "login_cap_h" "$src"
+
 #
 #
 #
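Review bot: The probe added ahead of `check_func "login_cap_h"` only includes `<login_cap.h>` and returns 0, so it shows the header exists but not that `setusercontext` is declared or links. doas.c keys its `setusercontext` call on the resulting define, so a system that ships the header but needs an extra library for the function would presumably pass configure and fail at build time. How `check_func` compiles and links is outside this hunk. Referencing the function in the probe body, e.g. `return setusercontext(NULL, NULL, 0, 0);`, would tie the check to what the code uses.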
diff --git a/doas.c b/doas.c
index dea68f823181e1595e940a2666457dbb1a2fd799..c95dee3b7af0ff87a9b0d22d1263037aa4a5967d 100644 (file)
--- a/doas.c
+++ b/doas.c
@@ -20,6 +20,9 @@
 #include <sys/ioctl.h>
 
 #include <limits.h>
+#ifdef HAVE_LOGIN_CAP_H
+#include <login_cap.h>
+#endif
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -379,12 +382,19 @@ main(int argc, char **argv)
            rule->options & PERSIST);
 #endif
 
+#ifdef HAVE_LOGIN_CAP_H
+       if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
+           LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
+           LOGIN_SETUSER) != 0)
+               errx(1, "failed to set user context for target");
+#else
        if (setresgid(targpw->pw_gid, targpw->pw_gid, targpw->pw_gid) != 0)
                err(1, "setresgid");
        if (initgroups(targpw->pw_name, targpw->pw_gid) != 0)
                err(1, "initgroups");
        if (setresuid(target, target, target) != 0)
                err(1, "setresuid");
+#endif
 
        if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
                cwd = "(failed)";
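Review bot: The two branches of the new `#ifdef HAVE_LOGIN_CAP_H` block are not equivalent, and nothing in the code says so: the `setusercontext` path also requests `LOGIN_SETPRIORITY`, `LOGIN_SETRESOURCES` and `LOGIN_SETUMASK`, while the fallback only switches gid, supplementary groups and uid. A comment above the `#ifdef` would document this, e.g. `/* Drop to the target user. With login_cap the login class also sets priority, rlimits and umask; the fallback changes ids only. */`. Separately, `errx` discards errno where the fallback uses `err`, which makes a failed privilege drop harder to diagnose. If the platform's `setusercontext` sets errno (not verifiable from this hunk), `err(1, "setusercontext")` would match the other branch. The body of `main` starts and ends outside the hunk.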