#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
#endif
+#ifdef HAVE_PROJECT_H
+# include <project.h>
+# include <sys/task.h>
+#endif
#include "sudo.h"
# ifdef HAVE_GETGROUPS
static GETGROUPS_T *groups;
# endif
- struct passwd *pw;
+ static struct passwd *pw;
+ struct passwd *opw = pw;
if (def_preserve_groups)
return;
/*
* Use stashed copy of runas groups if available, else initgroups and stash.
*/
- if (ngroups == -1) {
- pw = runas_pw ? runas_pw : sudo_user.pw;
+ pw = runas_pw ? runas_pw : sudo_user.pw;
+ if (pw != opw) {
# ifdef HAVE_SETAUTHDB
aix_setauthdb(pw->pw_name);
# endif
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
# ifdef HAVE_GETGROUPS
+ if (groups) {
+ efree(groups);
+ groups = NULL;
+ }
if ((ngroups = getgroups(0, NULL)) > 0) {
groups = emalloc2(ngroups, sizeof(GETGROUPS_T));
if (getgroups(ngroups, groups) < 0)
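Review bot: The new cache test `if (pw != opw)` decides whether to rebuild the runas group vector by comparing `struct passwd` pointers, so it is only sound if each target user always has a distinct, stable `passwd` allocation for the life of the process. How `runas_pw` and `sudo_user.pw` are allocated is not visible in this hunk; if either could point at a buffer that is later reused for another user, the stale stashed supplementary groups would be applied to the wrong identity. Consider also stashing `pw->pw_uid` in a static and comparing that, or at minimum add a comment above the test such as `/* relies on passwd entries being cached copies that are never reused for a different user */`. The enclosing function starts and continues outside this hunk.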
#endif /* HAVE_INITGROUPS */
+#ifdef HAVE_PROJECT_H
+static void
+set_project(pw)
+ struct passwd *pw;
+{
+ struct project proj;
+ char buf[PROJECT_BUFSZ];
+ int errval;
+
+ /*
+ * Collect the default project for the user and settaskid
+ */
+ setprojent();
+ if (getdefaultproj(pw->pw_name, &proj, buf, sizeof(buf)) != NULL) {
+ errval = setproject(proj.pj_name, pw->pw_name, TASK_NORMAL);
+ switch(errval) {
+ case 0:
+ break;
+ case SETPROJ_ERR_TASK:
+ switch (errno) {
+ case EAGAIN:
+ warningx("resource control limit has been reached");
+ break;
+ case ESRCH:
+ warningx("user \"%s\" is not a member of project \"%s\"",
+ pw->pw_name, proj.pj_name);
+ break;
+ case EACCES:
+ warningx("the invoking task is final");
+ break;
+ default:
+ warningx("could not join project \"%s\"", proj.pj_name);
+ }
+ case SETPROJ_ERR_POOL:
+ switch (errno) {
+ case EACCES:
+ warningx("no resource pool accepting default bindings "
+ "exists for project \"%s\"", proj.pj_name);
+ break;
+ case ESRCH:
+ warningx("specified resource pool does not exist for "
+ "project \"%s\"", proj.pj_name);
+ break;
+ default:
+ warningx("could not bind to default resource pool for "
+ "project \"%s\"", proj.pj_name);
+ }
+ break;
+ default:
+ if (errval <= 0) {
+ warningx("setproject failed for project \"%s\"", proj.pj_name);
+ } else {
+ warningx("warning, resource control assignment failed for "
+ "project \"%s\"", proj.pj_name);
+ }
+ }
+ } else {
+ warning("getdefaultproj");
+ }
+ endprojent();
+}
+#endif /* HAVE_PROJECT_H */
+
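Review bot: In `set_project`, the inner `switch (errno)` under `case SETPROJ_ERR_TASK:` is not followed by a `break;`, so control falls through into `case SETPROJ_ERR_POOL:` and prints a second, unrelated resource-pool warning for every task error. Add `break;` after the closing brace of that inner switch, before `case SETPROJ_ERR_POOL:`. Separately, every failure path here only calls `warningx`/`warning`, and the function returns `void`, so the call added in `runas_setup` goes on to run the command outside the intended project and its resource controls. If that best-effort behaviour is intended, say so in the function's header comment; otherwise return a status and let the caller decide whether to abort.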
static void
runas_setup()
{
if (runas_pw->pw_name != NULL) {
gid = runas_gr ? runas_gr->gr_gid : runas_pw->pw_gid;
+#ifdef HAVE_PROJECT_H
+ set_project(runas_pw);
+#endif
#ifdef HAVE_GETUSERATTR
aix_prep_user(runas_pw->pw_name, user_ttypath);
#endif