From 1494905bb6e4aab3a0a034b667ac44e091e567d6 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Wed, 23 Oct 2002 03:19:34 +0000
Subject: [PATCH] Add a new '-s' option to su(1): if the flag is present, attempt to also set the user's MAC label as part of the user credential setup by setting setusercontext(3)'s SETMAC flag. By default, change only traditional process properties.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 usr.bin/su/su.1 | 10 +++++++++-
 usr.bin/su/su.c | 18 ++++++++++++++----
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/usr.bin/su/su.1 b/usr.bin/su/su.1
index 472d5db3ba2..a3f2a2965fd 100644
--- a/usr.bin/su/su.1
+++ b/usr.bin/su/su.1
@@ -41,7 +41,7 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl
-.Op Fl flm
+.Op Fl flms
 .Op Fl c Ar class
 .Op Ar login Op Ar args
 .Sh DESCRIPTION
@@ -122,6 +122,14 @@ and the caller's real uid is non-zero,
 .Nm
 will fail.
+.It Fl s
+Set the MAC label to the user's default label as part of the user
+credential setup.
+Setting the MAC label may fail if the MAC label of the invoking process
+isn't sufficient to transition to the user's default MAC label.
+If the label cannot be set,
+.Nm
+will fail.
 .It Fl c Ar class
 Use the settings of the specified login class.
 Only allowed for the super-user.
diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c
index 9191b87a42d..434b4c7b441 100644
--- a/usr.bin/su/su.c
+++ b/usr.bin/su/su.c
@@ -127,7 +127,7 @@ main(int argc, char *argv[])
 } np;
 uid_t ruid;
 int asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
- statusp, child_pid, child_pgrp, ret_pid;
+ statusp, child_pid, child_pgrp, ret_pid, setmaclabel;
 char *username, *cleanenv, *class, shellbuf[MAXPATHLEN];
 const char *p, *user, *shell, *mytty, **nargv;
@@ -137,8 +137,9 @@ main(int argc, char *argv[])
 asme = asthem = fastlogin = statusp = 0;
 user = "root";
 iscsh = UNSET;
+ setmaclabel = 0;
- while ((ch = getopt(argc, argv, "-flmc:")) != -1)
+ while ((ch = getopt(argc, argv, "-flmsc:")) != -1)
 switch ((char)ch) {
 case 'f':
 fastlogin = 1;
@@ -152,6 +153,9 @@ main(int argc, char *argv[])
 asme = 1;
 asthem = 0;
 break;
+ case 's':
+ setmaclabel = 1;
+ break;
 case 'c':
 class = optarg;
 break;
@@ -359,7 +363,13 @@ main(int argc, char *argv[])
 * Umask Login records (wtmp, etc) Path
 */
 setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
- LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
+ LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP |
+ LOGIN_SETMAC);
+ /*
+ * If -s is present, also set the MAC label.
+ */
+ if (setmaclabel)
+ setwhat |= LOGIN_SETMAC;
 /*
 * Don't touch resource/priority settings if -m has been used
 * or -l and -c hasn't, and we're not su'ing to root.
@@ -462,7 +472,7 @@ static void
 usage(void)
 {
- fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
+ fprintf(stderr, "usage: su [-] [-flms] [-c class] [login [args]]\n");
 exit(1);
 }
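Review bot: In the `@@ -359,7 +363,13 @@` hunk, `setwhat |= LOGIN_SETMAC` only requests the label change; whether su actually fails closed, as the new su.1 text promises, is decided by the setusercontext() call that consumes `setwhat`, which is outside the hunk. It is worth confirming that this call's return value is checked and that su exits before running the shell, because otherwise a refused transition would leave the shell under the invoking process's label. The block comment above the mask is also out of step with it: its visible line lists umask, login records and path, while the mask now excludes `LOGIN_SETGROUP` and `LOGIN_SETMAC` too, so I would add a line such as `* Groups, and the MAC label unless -s is given`. main() starts and ends outside the hunk.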