libauth: add procsetuser() function to change user id of the calling process

Provide a central function to change the user id of the calling process. This is mostly used by programs to become the none user, followed by a call to newns().
2020-12-19 17:46:55 +01:00 · 2020-12-19 17:46:55 +01:00 · fc5070c600
commit fc5070c600
parent daccd2b226
6 changed files with 40 additions and 2 deletions
--- a/sys/include/ape/auth.h
+++ b/sys/include/ape/auth.h
@ -102,6 +102,8 @@ extern	int	amount(int, char*, int, char*);

 extern	int	login(char*, char*, char*);

+extern	int	procsetuser(char*);
+
 typedef struct Attr Attr;
 enum {
 	AttrNameval,		/* name=val -- when matching, must have name=val */
--- a/sys/include/auth.h
+++ b/sys/include/auth.h
@ -92,6 +92,8 @@ extern	int	amount(int, char*, int, char*);

 extern	int	login(char*, char*, char*);

+extern	int	procsetuser(char*);
+
 typedef struct Attr Attr;
 enum {
 	AttrNameval,		/* name=val -- when matching, must have name=val */
--- a/sys/man/2/auth
+++ b/sys/man/2/auth
@ -1,6 +1,6 @@
 .TH AUTH 2
 .SH NAME
-amount, newns, addns, login, noworld, auth_proxy, fauth_proxy, auth_allocrpc, auth_freerpc, auth_rpc, auth_getkey, amount_getkey, auth_freeAI, auth_chuid, auth_challenge, auth_response, auth_freechal, auth_respond, auth_respondAI, auth_userpasswd, auth_getuserpasswd, auth_getinfo \- routines for authenticating users
+amount, newns, addns, login, noworld, procsetuser, auth_proxy, fauth_proxy, auth_allocrpc, auth_freerpc, auth_rpc, auth_getkey, amount_getkey, auth_freeAI, auth_chuid, auth_challenge, auth_response, auth_freechal, auth_respond, auth_respondAI, auth_userpasswd, auth_getuserpasswd, auth_getinfo \- routines for authenticating users
 .SH SYNOPSIS
 .nf
 .PP
@ -27,6 +27,9 @@ int		login(char *user, char *password, char *namespace);
 int		noworld(char *user);
 .PP
 .B
+int		procsetuser(char *user);
+.PP
+.B
 AuthInfo*	auth_proxy(int fd, AuthGetkey *getkey, char *fmt, ...);
 .PP
 .B
@ -130,7 +133,7 @@ and
 .IR amount .
 .PP
 .I Login
-changes the user id of the process
+changes the user id of the process to
 .I user
 and recreates the namespace using the file
 .I namespace
@ -151,6 +154,15 @@ Otherwise, it returns 0.
 is used by telnetd and ftpd to provide sandboxed
 access for some users.
 .PP
+.I Procsetuser
+changes the user id of the process to
+.I user
+but keeps the namespace unchanged.
+Only hostowner can change the user to
+anything other than the
+.B none
+user.
+.PP
 The following routines use the
 .B AuthInfo
 structure returned after a successful authentication by
--- a/sys/src/ape/lib/auth/mkfile
+++ b/sys/src/ape/lib/auth/mkfile
@ -18,6 +18,7 @@ OFILES=\
 	login.$O\
 	newns.$O\
 	noworld.$O\
+	procsetuser.$O\
 	passtokey.$O\

 HFILES=\
--- a/sys/src/libauth/mkfile
+++ b/sys/src/libauth/mkfile
@ -17,6 +17,7 @@ OFILES=\
 	login.$O\
 	newns.$O\
 	noworld.$O\
+	procsetuser.$O\

 HFILES=\
 	/sys/include/auth.h\
--- a/sys/src/libauth/procsetuser.c
+++ b/sys/src/libauth/procsetuser.c
@ -0,0 +1,20 @@
+#include <u.h>
+#include <libc.h>
+#include <auth.h>
+
+int
+procsetuser(char *user)
+{
+	int fd, n;
+
+	fd = open("#c/user", OWRITE|OCEXEC);
+	if(fd < 0)
+		return -1;
+	n = strlen(user);
+	if(write(fd, user, n) != n){
+		close(fd);
+		return -1;
+	}
+	close(fd);
+	return 0;
+}