authorRobert Watson <rwatson@FreeBSD.org>2001-09-20 21:21:12 +0000
committerRobert Watson <rwatson@FreeBSD.org>2001-09-20 21:21:12 +0000
commitd16c4f3675b7343d43606113a86c8525df6f4400 (patch)
tree70736621a1317b5dd0d8f78b98d9a4f28c95ac58
parent3b0158c4b4aad8d75ac32c3e91d5fc5a03c2bedf (diff)
MFC/MFS per-user .login_conf disable + adjacent comment.
login.conf.5: 1.37 login_cap.c: 1.22, 1.23
Notes
Notes: svn path=/stable/3/; revision=83740
-rw-r--r--lib/libutil/login.conf.52
-rw-r--r--lib/libutil/login_cap.c11
2 files changed, 11 insertions, 2 deletions
diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5
index 4c0f783ec34a..53decde74bc7 100644
--- a/lib/libutil/login.conf.5
+++ b/lib/libutil/login.conf.5
@@ -58,6 +58,8 @@ to set user-defined environment settings which override those specified
in the system login capabilities database.
Only a subset of login capabilities may be overridden, typically those
which do not involve authentication, resource limits and accounting.
+NOTE: this feature is compile-time disabled by default due to potential
+security risks.
.Pp
Records in a class capabilities database consist of a number of
colon-separated fields.
diff --git a/lib/libutil/login_cap.c b/lib/libutil/login_cap.c
index af27766e5064..d5a4387058e8 100644
--- a/lib/libutil/login_cap.c
+++ b/lib/libutil/login_cap.c
@@ -192,8 +192,15 @@ login_getclassbyname(char const *name, const struct passwd *pwd)
static char *login_dbarray[] = { NULL, NULL, NULL };
- /* Switch to user mode before checking/reading its ~/.login_conf */
- /* - some NFSes have root read access disabled. */
+#ifndef _FILE_LOGIN_CONF_WORKS
+ dir = NULL;
+#endif
+ /*
+ * Switch to user mode before checking/reading its ~/.login_conf
+ * - some NFSes have root read access disabled.
+ *
+ * XXX: This fails to configure additional groups.
+ */
if (dir) {
euid = geteuid();
egid = getegid();
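Review bot: The `#ifndef _FILE_LOGIN_CONF_WORKS` guard that forces `dir = NULL` carries no comment, so a reader of login_cap.c cannot tell that this is the compile-time security switch mentioned in login.conf(5), or which macro re-enables it. I would add above it `/* Per-user ~/.login_conf is ignored unless built with _FILE_LOGIN_CONF_WORKS; see the XXX below. */`. The XXX note is also terse: judging from the saved `geteuid()`/`getegid()` values, the switch to the user presumably changes only the effective uid and gid, so the file would still be checked against the caller's supplementary groups. Saying that in the comment would tell anyone who defines the macro what remains unfixed. The body of login_getclassbyname starts and ends outside this hunk, so the actual privilege switch is not visible here.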