17 * information: Portions Copyright [yyyy] [name of copyright owner] |
17 * information: Portions Copyright [yyyy] [name of copyright owner] |
18 * |
18 * |
19 * CDDL HEADER END |
19 * CDDL HEADER END |
20 */ |
20 */ |
21 /* |
21 /* |
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. |
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. |
23 * Use is subject to license terms. |
23 * Use is subject to license terms. |
24 */ |
24 */ |
25 |
25 |
26 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ |
26 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ |
27 /* All Rights Reserved */ |
27 /* All Rights Reserved */ |
862 "adt_alloc_event(ADT_su_logout): %m"); |
862 "adt_alloc_event(ADT_su_logout): %m"); |
863 return; |
863 return; |
864 } |
864 } |
865 if ((priv = priv_allocset()) == NULL) { |
865 if ((priv = priv_allocset()) == NULL) { |
866 syslog(LOG_AUTH | LOG_ALERT, |
866 syslog(LOG_AUTH | LOG_ALERT, |
867 "su audit_logout: could not alloc privs: %m"); |
867 "su audit_logout: could not alloc basic privs: %m"); |
868 adt_free_event(event); |
868 adt_free_event(event); |
869 return; |
869 return; |
870 } |
870 } |
871 |
871 |
872 /* |
872 /* |
905 "su audit_logout: could not chdir /: %m"); |
905 "su audit_logout: could not chdir /: %m"); |
906 } |
906 } |
907 /* |
907 /* |
908 * Reduce privileges to just those needed. |
908 * Reduce privileges to just those needed. |
909 */ |
909 */ |
910 priv_emptyset(priv); |
910 priv_basicset(priv); |
|
911 (void) priv_delset(priv, PRIV_PROC_EXEC); |
|
912 (void) priv_delset(priv, PRIV_PROC_FORK); |
|
913 (void) priv_delset(priv, PRIV_PROC_INFO); |
|
914 (void) priv_delset(priv, PRIV_PROC_SESSION); |
|
915 (void) priv_delset(priv, PRIV_FILE_LINK_ANY); |
911 if ((priv_addset(priv, PRIV_PROC_AUDIT) != 0) || |
916 if ((priv_addset(priv, PRIV_PROC_AUDIT) != 0) || |
912 (setppriv(PRIV_SET, PRIV_PERMITTED, priv) != 0)) { |
917 (setppriv(PRIV_SET, PRIV_PERMITTED, priv) != 0)) { |
913 syslog(LOG_AUTH | LOG_ALERT, |
918 syslog(LOG_AUTH | LOG_ALERT, |
914 "su audit_logout: could not reduce privs: %m"); |
919 "su audit_logout: could not reduce privs: %m"); |
915 } |
920 } |
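Review bot: The permitted set is now built as a denylist, `priv_basicset(priv)` followed by five `priv_delset()` calls at new lines 910-915, so any privilege a later release adds to the basic set stays permitted without anyone deciding it is needed. The comment "Reduce privileges to just those needed" also no longer says which privileges those are. If starting from the basic set is required, I would record the intent next to the list, e.g. `/* Keep the basic set minus exec/fork/info/session/link_any; re-check this list whenever the basic set grows. */`. The `(void)` casts discard the `priv_delset()` results, so a failed removal leaves that privilege in place silently; folding those calls into the existing `!= 0` condition ahead of `setppriv()` would send it to the same syslog alert. The function starts and ends outside the visible lines, so whether it carries on with an unreduced set after that alert cannot be confirmed from here.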