auth/box: don't bother switching to none

Changing the user to none doesn't do much for us
here. For kernel drivers that check the user of the
current proc we'll be none, but anything from devmnt
will still be accessed using creds from the original
attachment. Instead, running with none can be done
by chaining with auth/none:

auth/none auth/box ...

sys/man/8/auth

@@ -279,27 +279,24 @@ It's an easy way to run a command as
 .IR none .
 .PP
 .I Box
-sets up a restricted namespace and
-.IR exec's
-its arguments as the user
-.IR none .
-Components of the current namespace are bound
-into the child namespace with the
-.B -r 
-and 
-.B -c
-flags, using either
-.I MREPL 
-or
-.I MCREATE
-respectively. The only components
-in the child namespace will be those
-defined this way.
-By default all further kernel driver
-access is blocked. The
+executes its arguments in a minimal namespace.
+This namespace is derived by binding in the specified
+program to the same name within a new hierarchy.
+The same is done with the paths
+provided as arguments. Paths provided with the
+.B -r
+flag are bound with
+.IR MREPL ,
+and those provided with the
+.B -c 
+flag are bound with
+.IR MCREATE .
+.I Box
+removes access to all kernel drivers from
+the child namespace; the
 .B -e
 flag specifies a string of driver
-characters to keep in the child namespace.
+characters to keep.
 .PP
 .I As
 executes

sys/src/cmd/auth/box.c

@@ -163,17 +163,12 @@ main(int argc, char **argv)
 	mflags[nparts++] = MREPL;
 	argv[0] = b;
 
-	rfork(RFNAMEG|RFENVG);
+	rfork(RFNAMEG|RFFDG);
 	dfd = open("/dev/drivers", OWRITE|OCEXEC);
 	if(dfd < 0)
 		sysfatal("could not /dev/drivers: %r");
 
 	resolvenames(parts, nparts);
-
-	if(procsetuser("none") < 0)
-		sysfatal("cant become none: %r");
-	putenv("user", "none");
-
 	sandbox(parts, mflags, nparts);
 	
 	if(debug)