From info@volginfo.ru  Fri May 30 02:52:57 2003
Return-Path: <info@volginfo.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9294C37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 30 May 2003 02:52:57 -0700 (PDT)
Received: from vsmi.ru (ns.vsmi.ru [217.23.84.98])
	by mx1.FreeBSD.org (Postfix) with SMTP id C360043FA3
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 30 May 2003 02:52:52 -0700 (PDT)
	(envelope-from info@volginfo.ru)
Received: (qmail 27178 invoked from network); 30 May 2003 09:52:49 -0000
Received: from unknown (HELO img.local) (192.168.0.1)
  by 192.168.0.50 with SMTP; 30 May 2003 09:52:49 -0000
Message-Id: <200305301352.53262.info@volginfo.ru>
Date: Fri, 30 May 2003 13:52:53 +0400
From: "Denis N. Peplin" <info@volginfo.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: rc.subr incompatible with FreeBSD chroot

>Number:         52807
>Category:       misc
>Synopsis:       rc.subr incompatible with FreeBSD chroot
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    mtm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 30 03:00:32 PDT 2003
>Closed-Date:    Sat Jun 07 03:58:39 PDT 2003
>Last-Modified:  Sat Jun 07 03:58:39 PDT 2003
>Originator:     Denis N. Peplin <info@volginfo.ru>
>Release:        FreeBSD 5.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD exp 5.0-RELEASE FreeBSD 5.0-RELEASE #0: Tue Jan 28 15:14:21 GMT 2003 root@:/usr/obj/usr/src/sys/GENERIC i386

>Description:
NetBSD man chroot(8):
SYNOPSIS
     chroot [-u user] [-g group] [-G group,group,...] newroot [command]
FreeBSD man chroot(8):
SYNOPSIS
     chroot newroot [command]
FreeBSD man rc.subr(8):
${name}_user
   User to run command as, using chroot(8).  if
   ${name}_chroot is set, otherwise uses su(1).  Only
   supported after /usr is mounted.

 ${name}_group
   Group to run the chrooted command as.

 ${name}_groups
   Comma separated list of supplementary groups to run
   the chrooted command with.

So, the -u, -g, -G options are not supported in FreeBSD, but are used in rc.subr.
I checked the current versions of the manuals and the problem still exists.

>How-To-Repeat:
grep groups /etc/rc.subr
man chroot
man rc.subr
>Fix:
Maybe we should add NetBSD features to chroot?

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: mtm 
State-Changed-When: Sun Jun 1 21:51:54 PDT 2003 
State-Changed-Why:  
It's been on my mind to take care of this for a while. No time like 
the present :-) 
I will pull in NetBSD's modifications since I don't want to diverge 
rc.subr too much. Until then the workaround is to modify rc.subr
to su(1) before chroot(8). 


Responsible-Changed-From-To: freebsd-bugs->mtm 
Responsible-Changed-By: mtm 
Responsible-Changed-When: Sun Jun 1 21:51:54 PDT 2003 
Responsible-Changed-Why:  
It's been on my mind to take care of this for a while. No time like 
the present :-) 
I will pull in NetBSD's modifications since I don't want to diverge 
rc.subr too much. Until then the workaround is to modify rc.subr
to su(1) before chroot(8). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52807 

From: Mike Makonnen <mtm@identd.net>
To: "Denis N. Peplin" <info@volginfo.ru>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: misc/52807: rc.subr incompatible with FreeBSD chroot
Date: Mon, 2 Jun 2003 02:02:25 -0400

 Here's the patch. Please try it and let me know how it goes.
 
 Cheers.
 -- 
 Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
 mtm@identd.net | D228 1A6F C64E 120A A1C9  A3AA DAE1 E2AF DBCC 68B9
 mtm@FreeBSD.Org| FreeBSD - The Power To Serve
 
 Index: usr.sbin/chroot/chroot.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/chroot/chroot.c,v
 retrieving revision 1.8
 diff -u -r1.8 chroot.c
 --- usr.sbin/chroot/chroot.c	3 May 2003 21:06:36 -0000	1.8
 +++ usr.sbin/chroot/chroot.c	2 Jun 2003 05:55:53 -0000
 @@ -47,8 +47,12 @@
  
  #include <sys/types.h>
  
 +#include <ctype.h>
  #include <err.h>
 +#include <grp.h>
 +#include <limits.h>
  #include <paths.h>
 +#include <pwd.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
 @@ -56,29 +60,112 @@
  
  static void usage(void);
  
 +char	*user;		/* user to switch to before running program */
 +char	*group;		/* group to switch to ... */
 +char	*grouplist;	/* group list to switch to ... */
 +
  int
  main(argc, argv)
  	int argc;
  	char *argv[];
  {
 -	int ch;
 -	const char *shell;
 -
 -	while ((ch = getopt(argc, argv, "")) != -1)
 +	struct group	*gp;
 +	struct passwd	*pw;
 +	char		*endp, *p;
 +	const char	*shell;
 +	gid_t		gid, gidlist[NGROUPS_MAX];
 +	uid_t		uid;
 +	int		ch, gids;
 +
 +	gid = 0;
 +	uid = 0;
 +	while ((ch = getopt(argc, argv, "G:g:u:")) != -1) {
  		switch(ch) {
 +		case 'u':
 +			user = optarg;
 +			if (*user == '\0')
 +				usage();
 +			break;
 +		case 'g':
 +			group = optarg;
 +			if (*group == '\0')
 +				usage();
 +			break;
 +		case 'G':
 +			grouplist = optarg;
 +			if (*grouplist == '\0')
 +				usage();
 +			break;
  		case '?':
  		default:
  			usage();
  		}
 +	}
  	argc -= optind;
  	argv += optind;
  
  	if (argc < 1)
  		usage();
  
 +	if (group != NULL) {
 +		if (isdigit((unsigned char)*group)) {
 +			gid = (gid_t)strtoul(group, &endp, 0);
 +			if (*endp != '\0')
 +				goto getgroup;
 +		} else {
 + getgroup:
 +			if ((gp = getgrnam(group)) != NULL)
 +				gid = gp->gr_gid;
 +			else
 +				errx(1, "no such group `%s'", group);
 +		}
 +	}
 +
 +	for (gids = 0;
 +	    (p = strsep(&grouplist, ",")) != NULL && gids < NGROUPS_MAX; ) {
 +		if (*p == '\0')
 +			continue;
 +
 +		if (isdigit((unsigned char)*p)) {
 +			gidlist[gids] = (gid_t)strtoul(p, &endp, 0);
 +			if (*endp != '\0')
 +				goto getglist;
 +		} else {
 + getglist:
 +			if ((gp = getgrnam(p)) != NULL)
 +				gidlist[gids] = gp->gr_gid;
 +			else
 +				errx(1, "no such group `%s'", p);
 +		}
 +		gids++;
 +	}
 +	if (p != NULL && gids == NGROUPS_MAX)
 +		errx(1, "too many supplementary groups provided");
 +
 +	if (user != NULL) {
 +		if (isdigit((unsigned char)*user)) {
 +			uid = (uid_t)strtoul(user, &endp, 0);
 +			if (*endp != '\0')
 +				goto getuser;
 +		} else {
 + getuser:
 +			if ((pw = getpwnam(user)) != NULL)
 +				uid = pw->pw_uid;
 +			else
 +				errx(1, "no such user `%s'", user);
 +		}
 +	}
 +
  	if (chdir(argv[0]) || chroot("."))
  		err(1, "%s", argv[0]);
  
 +	if (gids && setgroups(gids, gidlist) == -1)
 +		err(1, "setgroups");
 +	if (group && setgid(gid) == -1)
 +		err(1, "setgid");
 +	if (user && setuid(uid) == -1)
 +		err(1, "setuid");
 +
  	if (argv[1]) {
  		execvp(argv[1], &argv[1]);
  		err(1, "%s", argv[1]);
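Review bot: With only `-u user` given, the privilege drop at the end of this hunk changes the uid and nothing else. `if (gids && setgroups(gids, gidlist) == -1)` and `if (group && setgid(gid) == -1)` are both skipped, so the command runs as the target user while keeping the gid and supplementary groups of the caller, which has to be root for chroot(2) to succeed. Either default to the user's primary group and reset the group list when `-u` is used alone, or document that `-g` and `-G` must accompany `-u` for a full drop. Separately, the three `strtoul()` conversions are cast to `gid_t`/`uid_t` without an overflow check, so an out-of-range numeric id is silently truncated; clear `errno` first and reject `ERANGE` and values that do not survive the cast. The setgroups, setgid, setuid order and the name lookups ahead of `chroot(".")` are right and should stay as they are.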
 @@ -94,6 +181,7 @@
  static void
  usage()
  {
 -	(void)fprintf(stderr, "usage: chroot newroot [command]\n");
 +	(void)fprintf(stderr, "usage: chroot [-g group] [-G group,group,...] "
 +	    "[-u user] newroot [command]\n");
  	exit(1);
  }
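Review bot: chroot.8 is not touched by this patch, so the string changed in `usage()` is the only place the new options are described; the diff covers `usr.sbin/chroot/chroot.c` alone, and the FreeBSD SYNOPSIS quoted in the PR still reads `chroot newroot [command]`. Add a man page change documenting `-u`, `-g` and `-G`, including that numeric ids are accepted and that names are resolved before the chroot(2) call. Minor: listing the options in the same order as the NetBSD synopsis from the PR (`[-u user] [-g group] [-G group,group,...]`) would keep the two pages easy to compare.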

From: "Denis N. Peplin" <info@volginfo.ru>
To: Mike Makonnen <mtm@identd.net>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: misc/52807: rc.subr incompatible with FreeBSD chroot
Date: Mon, 2 Jun 2003 10:56:48 +0400

 Ok, it looks right!
State-Changed-From-To: analyzed->closed 
State-Changed-By: mtm 
State-Changed-When: Sat Jun 7 03:57:47 PDT 2003 
State-Changed-Why:  
Committed. 
Thanks! 

>Unformatted:
