From: Duncan Overbruck <mail@duncano.de>
Date: Thu, 5 Nov 2020 20:00:16 +0000 (+0100)
Subject: check for login_cap.h and use setusercontext if available
X-Git-Tag: v6.8~25
X-Git-Url: https://git.armaanb.net/?p=opendoas.git;a=commitdiff_plain;h=fd03103c045c958756f5f3f03f13604bd80eaa1d

check for login_cap.h and use setusercontext if available
---

diff --git a/configure b/configure
index 4ae9b69..bd1b94f 100755
--- a/configure
+++ b/configure
@@ -451,6 +451,17 @@ int main(void) {
 }'
 check_func "ndir_h" "$src"
 
+#
+# Check for login_cap.h.
+#
+src='
+#include <sys/types.h>
+#include <login_cap.h>
+int main(void) {
+	return 0;
+}'
+check_func "login_cap_h" "$src"
+
 #
 #
 #
diff --git a/doas.c b/doas.c
index dea68f8..c95dee3 100644
--- a/doas.c
+++ b/doas.c
@@ -20,6 +20,9 @@
 #include <sys/ioctl.h>
 
 #include <limits.h>
+#ifdef HAVE_LOGIN_CAP_H
+#include <login_cap.h>
+#endif
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -379,12 +382,19 @@ main(int argc, char **argv)
 	    rule->options & PERSIST);
 #endif
 
+#ifdef HAVE_LOGIN_CAP_H
+	if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
+	    LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
+	    LOGIN_SETUSER) != 0)
+		errx(1, "failed to set user context for target");
+#else
 	if (setresgid(targpw->pw_gid, targpw->pw_gid, targpw->pw_gid) != 0)
 		err(1, "setresgid");
 	if (initgroups(targpw->pw_name, targpw->pw_gid) != 0)
 		err(1, "initgroups");
 	if (setresuid(target, target, target) != 0)
 		err(1, "setresuid");
+#endif
 
 	if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
 		cwd = "(failed)";