diff options
| author | Kyle Evans <kevans@FreeBSD.org> | 2025-10-29 02:37:21 +0000 |
|---|---|---|
| committer | Kyle Evans <kevans@FreeBSD.org> | 2025-10-29 02:37:21 +0000 |
| commit | 98edcbcce0a4650084bd86e704cfa38bf590250c (patch) | |
| tree | 7b3f03127a916bfc952382bdb0d0598ddacc2a11 | |
| parent | 73551cd6eac29a6707c802c7d7fafcb560bf5e2b (diff) | |
| -rw-r--r-- | lib/libutil/login_class.c | 55 |
1 files changed, 30 insertions, 25 deletions
diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c index c3c1b0ddda27..9478b4dc98ca 100644 --- a/lib/libutil/login_class.c +++ b/lib/libutil/login_class.c @@ -543,7 +543,7 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in /* we need a passwd entry to set these */ if (pwd == NULL) - flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN | LOGIN_SETMAC); + flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN); /* Set the process priority */ if (flags & LOGIN_SETPRIORITY) @@ -564,6 +564,27 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in } } + /* Set the sessions login */ + if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) { + syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name); + login_close(llc); + return (-1); + } + + /* Inform the kernel about current login class */ + if (lc != NULL && lc->lc_class != NULL && (flags & LOGIN_SETLOGINCLASS)) { + error = setloginclass(lc->lc_class); + if (error != 0) { + syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class); +#ifdef notyet + login_close(llc); + return (-1); +#endif + } + } + + setlogincontext(lc, pwd, flags); + /* Set up the user's MAC label. */ if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) { const char *label_string; @@ -572,8 +593,10 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in label_string = login_getcapstr(lc, "label", NULL, NULL); if (label_string != NULL) { if (mac_from_text(&label, label_string) == -1) { - syslog(LOG_ERR, "mac_from_text('%s') for %s: %m", - pwd->pw_name, label_string); + syslog(LOG_ERR, "mac_from_text('%s') for %s %s: %m", + label_string, pwd != NULL ? "user" : "class", + pwd != NULL ? pwd->pw_name : lc->lc_class); + login_close(llc); return (-1); } if (mac_set_proc(label) == -1) @@ -582,33 +605,15 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in error = 0; mac_free(label); if (error != 0) { - syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s", - label_string, pwd->pw_name, strerror(error)); + syslog(LOG_ERR, "mac_set_proc('%s') for %s %s: %s", + label_string, pwd != NULL ? "user" : "class", + pwd != NULL ? pwd->pw_name : lc->lc_class, strerror(error)); + login_close(llc); return (-1); } } } - /* Set the sessions login */ - if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) { - syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name); - login_close(llc); - return (-1); - } - - /* Inform the kernel about current login class */ - if (lc != NULL && lc->lc_class != NULL && (flags & LOGIN_SETLOGINCLASS)) { - error = setloginclass(lc->lc_class); - if (error != 0) { - syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class); -#ifdef notyet - login_close(llc); - return (-1); -#endif - } - } - - setlogincontext(lc, pwd, flags); login_close(llc); /* This needs to be done after anything that needs root privs */ |