For now, set only the resource limits and process priority associated

with a class, rather than all aspects of the class when switching classes for an inetd service. Because we hard-code /daemon in the current inetd implementation, using SETALL has unfortunate side-effects involving the MAC code, and potentially other credential related settings in the future. This change maintains the DoS-resistent aspects of the class behavior, which is all that is promised in the inetd man page. A larger set of diffs providing more pluggability and configurability was deferred for this more simple approach in the short term. Reviewed by: ache Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-01-08 17:10:11 +00:00 · 2003-01-08 17:10:11 +00:00 · 15e90ad4c5
commit 15e90ad4c5
parent 69c9999d0c
1 changed files with 2 additions and 1 deletions
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@ -812,7 +812,8 @@ main(int argc, char **argv)
 				}
 #ifdef LOGIN_CAP
 				if (setusercontext(lc, pwd, pwd->pw_uid,
-				    LOGIN_SETALL) != 0) {
+				    LOGIN_SETRESOURCES | LOGIN_SETPRIORITY)
+				    != 0) {
 					syslog(LOG_ERR,
 					 "%s: can't setusercontext(..%s..): %m",
 					 sep->se_service, sep->se_user);