Add a new '-s' option to su(1): if the flag is present, attempt to

also set the user's MAC label as part of the user credential setup by setting setusercontext(3)'s SETMAC flag. By default, change only traditional process properties. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
svn path=/head/; revision=105758
2002-10-23 03:19:34 +00:00 · 2002-10-23 03:19:34 +00:00 · 1494905bb6 · 2020-12-20 02:59:44 +00:00
commit 1494905bb6
parent 84333872d8
2 changed files with 23 additions and 5 deletions
--- a/usr.bin/su/su.1
+++ b/usr.bin/su/su.1
@ -41,7 +41,7 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl
-.Op Fl flm
+.Op Fl flms
 .Op Fl c Ar class
 .Op Ar login Op Ar args
 .Sh DESCRIPTION
@ -122,6 +122,14 @@ and the caller's real uid is
 non-zero,
 .Nm
 will fail.
+.It Fl s
+Set the MAC label to the user's default label as part of the user
+credential setup.
+Setting the MAC label may fail if the MAC label of the invoking process
+isn't sufficient to transition to the user's default MAC label.
+If the label cannot be set,
+.Nm
+will fail.
 .It Fl c Ar class
 Use the settings of the specified login class.
 Only allowed for the super-user.
--- a/usr.bin/su/su.c
+++ b/usr.bin/su/su.c
@ -127,7 +127,7 @@ main(int argc, char *argv[])
 	}		np;
 	uid_t		ruid;
 	int		asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
-			statusp, child_pid, child_pgrp, ret_pid;
+			statusp, child_pid, child_pgrp, ret_pid, setmaclabel;
 	char		*username, *cleanenv, *class, shellbuf[MAXPATHLEN];
 	const char	*p, *user, *shell, *mytty, **nargv;

@ -137,8 +137,9 @@ main(int argc, char *argv[])
 	asme = asthem = fastlogin = statusp = 0;
 	user = "root";
 	iscsh = UNSET;
+	setmaclabel = 0;

-	while ((ch = getopt(argc, argv, "-flmc:")) != -1)
+	while ((ch = getopt(argc, argv, "-flmsc:")) != -1)
 		switch ((char)ch) {
 		case 'f':
 			fastlogin = 1;
@ -152,6 +153,9 @@ main(int argc, char *argv[])
 			asme = 1;
 			asthem = 0;
 			break;
+		case 's':
+			setmaclabel = 1;
+			break;
 		case 'c':
 			class = optarg;
 			break;
@ -359,7 +363,13 @@ main(int argc, char *argv[])
 		 * Umask Login records (wtmp, etc) Path
 		 */
 		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
-			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
+			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP |
+			   LOGIN_SETMAC);
+		/*
+		 * If -s is present, also set the MAC label.
+		 */
+		if (setmaclabel)
+			setwhat |= LOGIN_SETMAC;
 		/*
 		 * Don't touch resource/priority settings if -m has been used
 		 * or -l and -c hasn't, and we're not su'ing to root.
@ -462,7 +472,7 @@ static void
 usage(void)
 {

-	fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
+	fprintf(stderr, "usage: su [-] [-flms] [-c class] [login [args]]\n");
 	exit(1);
 }