jail: only chdir to user's home directory when user is specified

jail(8) with the "exec.clean" parameter not only cleans the environment
variables before running commands, but also changes to the user's home
directory.  While this makes sense when a user is specified (via one of
the exec.*_user parameters), it leads to all commands being run in the
jail's /root directory even in the absence of an explicitly specified
user.  This can lead to problems when e.g. rc scripts are run from that
non-world-readable directory, and runs counter to expectations that jail
startup is analogous to system startup.

Restrict this behaviour to only users explicitly specified, either via
the command line or jail parameters, but not the implicit root user.
While this changes long-standing practice, it's the more intuitive action.

jexec(8) has the same problem, and the same fix.

PR:		277210
Reported by:	johannes.kunde at gmail
Differential Revision:	https://reviews.freebsd.org/D46226
Jamie Gritton 2024-08-12 15:23:28 -07:00
parent 97c31cc800
commit 5cf7054917
4 changed files with 14 additions and 4 deletions

@ -788,7 +788,7 @@ run_command(struct cfjail *j)
setenv("HOME", pwd->pw_dir, 1);
setenv("SHELL",
*pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1);
if (clean && chdir(pwd->pw_dir) < 0) {
if (clean && username && chdir(pwd->pw_dir) < 0) {
jail_warnx(j, "chdir %s: %s",
pwd->pw_dir, strerror(errno));
exit(1);
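Review bot: the new `username` guard in `if (clean && username && chdir(pwd->pw_dir) < 0)` silently changes behaviour for configurations that relied on commands starting in /root, and nothing in the code says why the chdir is skipped for the implicit user; a one-line comment above the condition, e.g. `/* Only change to the home directory of an explicitly requested user. */`, would carry the rationale from the commit message into the source. Note that HOME and SHELL are still set from `pwd` two lines earlier regardless of `username`, so only the working directory, not the environment, differs for the implicit user.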

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 24, 2024
.Dd August 12, 2024
.Dt JAIL 8
.Os
.Sh NAME
@ -873,8 +873,13 @@ are set to the target login's default values.
is set to the target login.
.Ev TERM
is imported from the current environment.
.Ev PATH
is set to "/bin:/usr/bin".
The environment variables from the login class capability database for the
target login are also set.
If a user is specified (as with
.Va exec.jail_user ) ,
commands are run from that (possibly jailed) user's directory.
.It Va exec.jail_user
The user to run commands as, when running in the jail environment.
The default is to run the commands as the current user.
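Review bot: the added sentence "If a user is specified (as with .Va exec.jail_user ), commands are run from that (possibly jailed) user's directory." documents only the user-specified case; since the change removes the old chdir for the implicit user, a second sentence stating where commands run when no user is given would make the new default visible to readers of the manual. The commit message names "one of the exec.*_user parameters" as the trigger, so mentioning exec.system_user alongside exec.jail_user here would keep the page and the code in step.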

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd October 7, 2023
.Dd August 12, 2024
.Dt JEXEC 8
.Os
.Sh NAME
@ -55,6 +55,11 @@ The environment is discarded except for
and anything from the login class capability database for the user.
.Ev PATH
is set to "/bin:/usr/bin".
If a user is specified (via
.Fl u
or
.Fl U ) ,
commands are run from that (possibly jailed) user's directory.
.It Fl u Ar username
The user name from host environment as whom the
.Ar command
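Review bot: "commands are run from that (possibly jailed) user's directory" omits the failure case: in the jexec.c hunk below a failed chdir is fatal (`err(1, "chdir: %s", pwd->pw_dir)`), which is relevant for .Fl u because that user comes from the host environment while the chdir happens inside the jail, where the directory may not exist. A short sentence noting that jexec exits with an error if the directory cannot be entered would complete the paragraph.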

@ -129,7 +129,7 @@ main(int argc, char *argv[])
setenv("HOME", pwd->pw_dir, 1);
setenv("SHELL",
*pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1);
if (clean && chdir(pwd->pw_dir) < 0)
if (clean && username && chdir(pwd->pw_dir) < 0)
err(1, "chdir: %s", pwd->pw_dir);
endpwent();
}
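Review bot: the condition `if (clean && username && chdir(pwd->pw_dir) < 0)` relies on `username` being set for both the .Fl u and .Fl U paths, since the jexec.8 hunk above documents both as triggering the home-directory chdir; worth confirming that the .Fl U option assigns `username` as well, otherwise the manual page and the code diverge. As in jail.c, a brief comment explaining why the implicit user is excluded would help, and the two files would then carry the same rationale for the same check.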