Page MenuHomeFreeBSD
Files F146657785

D53747.id.diff
No OneTemporary
Actions

D53747.id.diff
View Options

diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr
--- a/libexec/rc/rc.subr
+++ b/libexec/rc/rc.subr
@@ -55,6 +55,7 @@
_svcj_generic_params="path=/ mount.nodevfs host=inherit"
JID=0
CPUSET="/bin/cpuset"
+SETAUDIT="/usr/sbin/setaudit"
# Cache the services that we loaded with load_rc_config.
_loaded_services=""
@@ -933,6 +934,9 @@
# Meant to be used in /etc/rc.conf to override
# ${command}.
#
+# ${name}_audit_user n Override the audit user for ${command},
+# specified as a user name or UID.
+#
# ${name}_chroot n Directory to chroot to before running ${command}
# Requires /usr to be mounted.
#
@@ -1151,6 +1155,15 @@
_cpusetcmd="$CPUSET -l $_cpuset"
fi
+ eval _audit_user=\$${name}_audit_user
+ if [ -z "$_audit_user" -a -n "$audit_user" ]; then
+ _audit_user=$audit_user
+ fi
+ _setauditcmd=
+ if [ -n "$_audit_user" ]; then
+ _setauditcmd="setaudit -U -a $_audit_user"
+ fi
+
# If a specific jail has a specific svcj request, honor it (YES/NO).
# If not (variable empty), evaluate the global svcj catch-all.
# A global YES can be overriden by a specific NO, and a global NO is overriden
@@ -1515,6 +1528,7 @@
_doit="\
${_nice:+nice -n $_nice }\
$_cpusetcmd \
+$_setauditcmd \
${_fib:+setfib -F $_fib }\
${_env:+env $_env }\
chroot ${_user:+-u $_user }${_group:+-g $_group }${_groups:+-G $_groups }\
@@ -1524,7 +1538,9 @@
_doit="\
${_fib:+setfib -F $_fib }\
${_env:+env $_env }\
-$_cpusetcmd $command $rc_flags $command_args"
+$_cpusetcmd \
+$_setauditcmd \
+$command $rc_flags $command_args"
if [ -n "$_user" ]; then
_doit="su -m $_user -c 'sh -c \"$_doit\"'"
fi
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -22,7 +22,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd October 5, 2025
+.Dd November 14, 2025
.Dt RC.CONF 5
.Os
.Sh NAME
@@ -190,6 +190,17 @@
always test whether or not the service is actually running.
Enabling this option is likely to increase your boot time if
services are enabled that utilize the force_depend check.
+.It Ao Ar name Ac Ns Va _audit_user
+.Pq Vt str
+A user name or UID to use as the
+.Xr audit 4
+user for the service.
+Run the chrooted service under this system group.
+By default, when an unprvileged user restarts a service using a utility
+such as sudo or doas, the service's will audit session will point to the
+unprivileged user, which may be undesirable.
+In that case, this variable can be used to override the audit user using
+.Xr setaudit 8 .
.It Ao Ar name Ac Ns Va _chroot
.Pq Vt str
.Xr chroot 8
@@ -209,7 +220,6 @@
value to run the service under.
.It Ao Ar name Ac Ns Va _group
.Pq Vt str
-Run the chrooted service under this system group.
Unlike the
.Ao Ar name Ac Ns Va _user
setting, this setting has no effect if the service is not chrooted.

File Metadata

Mime Type
text/plain
Expires
Thu, Mar 5, 11:51 AM (12 h, 12 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
29272841
Default Alt Text
D53747.id.diff (2 KB)

Event Timeline