author | Jakob Schlyter <jakob@cvs.openbsd.org> | 2011-02-21 20:40:05 +0000 |
---|---|---|
committer | Jakob Schlyter <jakob@cvs.openbsd.org> | 2011-02-21 20:40:05 +0000 |
commit | e74166c4013a44d1b6681802d88bc4a626a1bdbf (patch) | |
tree | 6ae27170c20723b10a5a5a53b4cf238cc4aa3b14 | |
parent | 954732123a0f1a3620c93734f79b09fab3b1d9f7 (diff) |
call setusercontext(3) before chroot. ok miod@ sthen@
-rw-r--r-- | usr.sbin/nsd/nsd.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/usr.sbin/nsd/nsd.c b/usr.sbin/nsd/nsd.c
index b2eec51837b..de356f05187 100644
--- a/usr.sbin/nsd/nsd.c
+++ b/usr.sbin/nsd/nsd.c
@@ -950,6 +950,19 @@ main(int argc, char *argv[])
 exit(1);
 }
 
+ /* Set user context */
+#ifdef HAVE_GETPWNAM
+ if (*nsd.username) {
+#ifdef HAVE_SETUSERCONTEXT
+ /* setusercontext sets resource limits from login config */
+ if (setusercontext(NULL, pwd, nsd.uid,
+ LOGIN_SETALL & ~LOGIN_SETUSER & ~LOGIN_SETGROUP) != 0)
+ log_msg(LOG_WARNING, "unable to setusercontext %s: %s",
+ nsd.username, strerror(errno));
+#endif /* HAVE_SETUSERCONTEXT */
+ }
+#endif /* HAVE_GETPWNAM */
+
 #ifdef HAVE_CHROOT
 /* Chroot */
 if (nsd.chrootdir && strlen(nsd.chrootdir)) {
@@ -1001,20 +1014,11 @@ main(int argc, char *argv[])
 /* Drop the permissions */
 #ifdef HAVE_GETPWNAM
 if (*nsd.username) {
-#ifdef HAVE_SETUSERCONTEXT
- /* setusercontext does initgroups, setuid, setgid, and
- * also resource limits from login config, but we
- * still call setresuid, setresgid to be sure to set all uid */
- if (setusercontext(NULL, pwd, nsd.uid, LOGIN_SETALL) != 0)
- log_msg(LOG_WARNING, "unable to setusercontext %s: %s",
- nsd.username, strerror(errno));
-#else /* !HAVE_SETUSERCONTEXT */
 #ifdef HAVE_INITGROUPS
 if(initgroups(nsd.username, nsd.gid) != 0)
 log_msg(LOG_WARNING, "unable to initgroups %s: %s",
 nsd.username, strerror(errno));
 #endif /* HAVE_INITGROUPS */
-#endif /* HAVE_SETUSERCONTEXT */
 endpwent();
 #ifdef HAVE_SETRESGID |
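Review bot: The comment on the new setusercontext() call in the first hunk, `/* setusercontext sets resource limits from login config */`, understates what the call now does: with only LOGIN_SETUSER and LOGIN_SETGROUP masked out of LOGIN_SETALL, the login class's other settings (resource limits, umask, priority, environment and the other login.conf(5) entries the platform's login_cap supports) are applied as well, while the process is still root and not yet chrooted. A maintainer reading the later setresgid/setresuid block may otherwise assume the umask in effect for files the daemon creates afterwards is nsd's own rather than the class's. Suggested replacement: `/* Apply nsd.username's login class (limits, umask, priority, ...) now, while still root and before chroot; uid/gid themselves are set below */`. Treating failure as a warning only looks acceptable since no privilege change depends on this call, but that reasoning is worth stating in the comment so nobody later "fixes" it into a fatal error or, worse, moves uid/gid setting back into it. main() starts and ends outside this hunk.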