-rw-r--r-- | lib/libutil/login.conf.5 | 2 | ||||
-rw-r--r-- | lib/libutil/login_cap.c | 11 |
2 files changed, 11 insertions, 2 deletions
diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5 index b579bf588422..4a454621a447 100644 --- a/lib/libutil/login.conf.5 +++ b/lib/libutil/login.conf.5 @@ -60,6 +60,8 @@ to set user-defined environment settings which override those specified in the system login capabilities database. Only a subset of login capabilities may be overridden, typically those which do not involve authentication, resource limits and accounting. +NOTE: this feature is compile-time disabled by default due to potential +security risks. .Pp Records in a class capabilities database consist of a number of colon-separated fields. diff --git a/lib/libutil/login_cap.c b/lib/libutil/login_cap.c index dc93e2825a2c..bb4c080ed39f 100644 --- a/lib/libutil/login_cap.c +++ b/lib/libutil/login_cap.c @@ -193,8 +193,15 @@ login_getclassbyname(char const *name, const struct passwd *pwd) static char *login_dbarray[] = { NULL, NULL, NULL }; - /* Switch to user mode before checking/reading its ~/.login_conf */ - /* - some NFSes have root read access disabled. */ +#ifndef _FILE_LOGIN_CONF_WORKS + dir = NULL; +#endif + /* + * Switch to user mode before checking/reading its ~/.login_conf + * - some NFSes have root read access disabled. + * + * XXX: This fails to configure additional groups. + */ if (dir) { euid = geteuid(); egid = getegid(); |
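Review bot: The `#ifndef _FILE_LOGIN_CONF_WORKS` guard in login_cap.c that forces `dir = NULL` has no comment of its own saying why per-user ~/.login_conf handling is switched off, or what a builder accepts by defining the macro. The XXX note added just below says the switch to user mode fails to configure additional groups, so a build that defines the macro would presumably read the user's file with the caller's supplementary groups still in effect. I would put `/* Per-user ~/.login_conf is ignored unless _FILE_LOGIN_CONF_WORKS is defined; see the XXX below about additional groups. */` directly above the `#ifndef`, and name the macro in the login.conf.5 note so an administrator can tell which behaviour a given build has. The body of `if (dir)` continues outside the hunk, so the actual privilege-switch sequence is not visible here.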