1) Back out ~/.login_conf disable

2) Pick only "me" class from ~/.login_conf as documented
svn path=/head/; revision=83923
2001-09-25 11:07:26 +00:00 · 2001-09-25 11:07:26 +00:00 · e36b245ca8 · 2020-12-20 02:59:44 +00:00
commit e36b245ca8
parent 3273a63ed9
2 changed files with 5 additions and 8 deletions
--- a/lib/libutil/login.conf.5
+++ b/lib/libutil/login.conf.5
@ -60,8 +60,6 @@ to set user-defined environment settings which override those specified
 in the system login capabilities database.
 Only a subset of login capabilities may be overridden, typically those
 which do not involve authentication, resource limits and accounting.
-NOTE: this feature is compile-time disabled by default due to potential
-security risks.
 .Pp
 Records in a class capabilities database consist of a number of
 colon-separated fields.
--- a/lib/libutil/login_cap.c
+++ b/lib/libutil/login_cap.c
@ -184,18 +184,17 @@ login_getclassbyname(char const *name, const struct passwd *pwd)
    login_cap_t	*lc;
  
    if ((lc = malloc(sizeof(login_cap_t))) != NULL) {
-	int	    r, i = 0;
+	int         r, me, i = 0;
 	uid_t euid = 0;
 	gid_t egid = 0;
 	const char  *msg = NULL;
-	const char  *dir = (pwd == NULL) ? NULL : pwd->pw_dir;
+	const char  *dir;
 	char	    userpath[MAXPATHLEN];

 	static char *login_dbarray[] = { NULL, NULL, NULL };

-#ifndef _FILE_LOGIN_CONF_WORKS
-	dir = NULL;
-#endif
+	me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);
+	dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;
 	/*
 	 * Switch to user mode before checking/reading its ~/.login_conf
 	 * - some NFSes have root read access disabled.
@ -227,7 +226,7 @@ login_getclassbyname(char const *name, const struct passwd *pwd)

 	switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) {
 	case -1:		/* Failed, entry does not exist */
-	    if (strcmp(name, LOGIN_MECLASS) == 0)
+	    if (me)
 		break;	/* Don't retry default on 'me' */
 	    if (i == 0)
 	        r = -1;