-rw-r--r--lib/libutil/login.conf.52
-rw-r--r--lib/libutil/login_cap.c11
2 files changed, 11 insertions, 2 deletions
diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5
index b579bf588422..4a454621a447 100644
--- a/lib/libutil/login.conf.5
+++ b/lib/libutil/login.conf.5
@@ -60,6 +60,8 @@ to set user-defined environment settings which override those specified
in the system login capabilities database.
Only a subset of login capabilities may be overridden, typically those
which do not involve authentication, resource limits and accounting.
+NOTE: this feature is compile-time disabled by default due to potential
+security risks.
.Pp
Records in a class capabilities database consist of a number of
colon-separated fields.
diff --git a/lib/libutil/login_cap.c b/lib/libutil/login_cap.c
index dc93e2825a2c..bb4c080ed39f 100644
--- a/lib/libutil/login_cap.c
+++ b/lib/libutil/login_cap.c
@@ -193,8 +193,15 @@ login_getclassbyname(char const *name, const struct passwd *pwd)
static char *login_dbarray[] = { NULL, NULL, NULL };
- /* Switch to user mode before checking/reading its ~/.login_conf */
- /* - some NFSes have root read access disabled. */
+#ifndef _FILE_LOGIN_CONF_WORKS
+ dir = NULL;
+#endif
+ /*
+ * Switch to user mode before checking/reading its ~/.login_conf
+ * - some NFSes have root read access disabled.
+ *
+ * XXX: This fails to configure additional groups.
+ */
if (dir) {
euid = geteuid();
egid = getegid();
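Review bot: The new `#ifndef _FILE_LOGIN_CONF_WORKS` / `dir = NULL;` guard in login_getclassbyname() carries no comment, so nothing at the site says that this is what turns off ~/.login_conf processing or why. The block comment just below it now records that the switch to user mode does not configure additional groups, so defining the macro would presumably re-enable reading a user-controlled file with the caller's supplementary groups still in effect; that belongs where the macro is tested. I would add above the guard: `/* ~/.login_conf is user-controlled; ignore it unless _FILE_LOGIN_CONF_WORKS is defined (see XXX below). */`. The assignment of `dir` and the rest of the function lie outside the hunk, so this assumes `dir` is used only to locate the per-user file.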