auth/box: don't bother switching to none

Changing the user to none doesn't do much for us
here. For kernel drivers that check the user of the
current proc we'll be none, but anything from devmnt
will still be accessed using creds from the original
attachment. Instead, running with none can be done
by chaining with auth/none:

auth/none auth/box ...

sys/man/8/auth

@@ -279,27 +279,24 @@ It's an easy way to run a command as
 .IR none .
 .PP
 .I Box
-sets up a restricted namespace and
+executes its arguments in a minimal namespace.
-.IR exec's
+This namespace is derived by binding in the specified
-its arguments as the user
+program to the same name within a new hierarchy.
-.IR none .
+The same is done with the paths
-Components of the current namespace are bound
+provided as arguments. Paths provided with the
-into the child namespace with the
+.B -r
-.B -r 
+flag are bound with
-and 
+.IR MREPL ,
-.B -c
+and those provided with the
-flags, using either
+.B -c 
-.I MREPL 
+flag are bound with
-or
+.IR MCREATE .
-.I MCREATE
+.I Box
-respectively. The only components
+removes access to all kernel drivers from
-in the child namespace will be those
+the child namespace; the
-defined this way.
-By default all further kernel driver
-access is blocked. The
 .B -e
 flag specifies a string of driver
-characters to keep in the child namespace.
+characters to keep.
 .PP
 .I As
 executes

sys/src/cmd/auth/box.c

@@ -163,17 +163,12 @@ main(int argc, char **argv)
 	mflags[nparts++] = MREPL;
 	argv[0] = b;
 
-	rfork(RFNAMEG|RFENVG);
+	rfork(RFNAMEG|RFFDG);
 	dfd = open("/dev/drivers", OWRITE|OCEXEC);
 	if(dfd < 0)
 		sysfatal("could not /dev/drivers: %r");
 
 	resolvenames(parts, nparts);
-
-	if(procsetuser("none") < 0)
-		sysfatal("cant become none: %r");
-	putenv("user", "none");
-
 	sandbox(parts, mflags, nparts);
 	
 	if(debug)