1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License, Version 1.0 only
   6  * (the "License").  You may not use this file except in compliance
   7  * with the License.
   8  *
   9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10  * or http://www.opensolaris.org/os/licensing.
  11  * See the License for the specific language governing permissions
  12  * and limitations under the License.
  13  *
  14  * When distributing Covered Code, include this CDDL HEADER in each
  15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16  * If applicable, add the following below this CDDL HEADER, with the
  17  * fields enclosed by brackets "[]" replaced with your own identifying
  18  * information: Portions Copyright [yyyy] [name of copyright owner]
  19  *
  20  * CDDL HEADER END
  21  */
  22 /*
  23  * Copyright (c) 2013 Gary Mills
  24  *
  25  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
  26  * Use is subject to license terms.
  27  */
  28 
  29 #include <sys/types.h>
  30 #include <sys/task.h>
  31 
  32 #include <alloca.h>
  33 #include <libproc.h>
  34 #include <libintl.h>
  35 #include <libgen.h>
  36 #include <limits.h>
  37 #include <project.h>
  38 #include <pwd.h>
  39 #include <secdb.h>
  40 #include <stdio.h>
  41 #include <stdlib.h>
  42 #include <string.h>
  43 #include <sys/varargs.h>
  44 #include <unistd.h>
  45 #include <errno.h>
  46 #include <signal.h>
  47 #include <priv_utils.h>
  48 
  49 #include "utils.h"
  50 
  51 #define OPTIONS_STRING  "Fc:lp:v"
  52 #define NENV            8
  53 #define ENVSIZE         255
  54 #define PATH            "PATH=/usr/bin"
  55 #define SUPATH          "PATH=/usr/sbin:/usr/bin"
  56 #define SHELL           "/usr/bin/sh"
  57 #define SHELL2          "/sbin/sh"
  58 #define TIMEZONEFILE    "/etc/default/init"
  59 #define LOGINFILE       "/etc/default/login"
  60 #define GLOBAL_ERR_SZ   1024
  61 #define GRAB_RETRY_MAX  100
  62 
  63 static const char *pname;
  64 extern char **environ;
  65 static char *supath = SUPATH;
  66 static char *path = PATH;
  67 static char global_error[GLOBAL_ERR_SZ];
  68 static int verbose = 0;
  69 
  70 static priv_set_t *nset;
  71 
  72 /* Private definitions for libproject */
  73 extern projid_t setproject_proc(const char *, const char *, int, pid_t,
  74     struct ps_prochandle *, struct project *);
  75 extern priv_set_t *setproject_initpriv(void);
  76 
  77 static void usage(void);
  78 
  79 static void preserve_error(const char *format, ...);
  80 
  81 static int update_running_proc(int, char *, char *);
  82 static int set_ids(struct ps_prochandle *, struct project *,
  83     struct passwd *);
  84 static struct passwd *match_user(uid_t, char *, int);
  85 static void setproject_err(char *, char *, int, struct project *);
  86 
  87 static void
  88 usage(void)
  89 {
  90         (void) fprintf(stderr, gettext("usage: \n\t%s [-v] [-p project] "
  91             "[-c pid | [-Fl] [command [args ...]]]\n"), pname);
  92         exit(2);
  93 }
  94 
  95 int
  96 main(int argc, char *argv[])
  97 {
  98         int c;
  99         struct passwd *pw;
 100         char *projname = NULL;
 101         uid_t uid;
 102         int login_flag = 0;
 103         int finalize_flag = TASK_NORMAL;
 104         int newproj_flag = 0;
 105         taskid_t taskid;
 106         char *shell;
 107         char *env[NENV];
 108         char **targs;
 109         char *filename, *procname = NULL;
 110         int error;
 111 
 112         nset = setproject_initpriv();
 113         if (nset == NULL)
 114                 die(gettext("privilege initialization failed\n"));
 115 
 116         pname = getpname(argv[0]);
 117 
 118         while ((c = getopt(argc, argv, OPTIONS_STRING)) != EOF) {
 119                 switch (c) {
 120                 case 'v':
 121                         verbose = 1;
 122                         break;
 123                 case 'p':
 124                         newproj_flag = 1;
 125                         projname = optarg;
 126                         break;
 127                 case 'F':
 128                         finalize_flag = TASK_FINAL;
 129                         break;
 130                 case 'l':
 131                         login_flag++;
 132                         break;
 133                 case 'c':
 134                         procname = optarg;
 135                         break;
 136                 case '?':
 137                 default:
 138                         usage();
 139                         /*NOTREACHED*/
 140                 }
 141         }
 142 
 143         /* -c option is invalid with -F, -l, or a specified command */
 144         if ((procname != NULL) &&
 145             (finalize_flag == TASK_FINAL || login_flag || optind < argc))
 146                 usage();
 147 
 148         if (procname != NULL) {
 149                 /* Change project/task of an existing process */
 150                 return (update_running_proc(newproj_flag, procname, projname));
 151         }
 152 
 153         /*
 154          * Get user data, so that we can confirm project membership as
 155          * well as construct an appropriate login environment.
 156          */
 157         uid = getuid();
 158         if ((pw = match_user(uid, projname, 1)) == NULL) {
 159                 die("%s\n", global_error);
 160         }
 161 
 162         /*
 163          * If no projname was specified, we're just creating a new task
 164          * under the current project, so we can just set the new taskid.
 165          * If our project is changing, we need to update any attendant
 166          * pool/rctl bindings, so let setproject() do the dirty work.
 167          */
 168         (void) __priv_bracket(PRIV_ON);
 169         if (projname == NULL) {
 170                 if (settaskid(getprojid(), finalize_flag) == -1)
 171                         if (errno == EAGAIN)
 172                                 die(gettext("resource control limit has been "
 173                                     "reached"));
 174                         else
 175                                 die(gettext("settaskid failed"));
 176         } else {
 177                 if ((error = setproject(projname,
 178                     pw->pw_name, finalize_flag)) != 0) {
 179                         setproject_err(pw->pw_name, projname, error, NULL);
 180                         if (error < 0)
 181                                 die("%s\n", global_error);
 182                         else
 183                                 warn("%s\n", global_error);
 184                 }
 185         }
 186         __priv_relinquish();
 187 
 188         taskid = gettaskid();
 189 
 190         if (verbose)
 191                 (void) fprintf(stderr, "%d\n", (int)taskid);
 192 
 193         /*
 194          * Validate user's shell from passwd database.
 195          */
 196         if (strcmp(pw->pw_shell, "") == 0) {
 197                 if (access(SHELL, X_OK) == 0)
 198                         pw->pw_shell = SHELL;
 199                 else
 200                         pw->pw_shell = SHELL2;
 201         }
 202 
 203         if (login_flag) {
 204                 /*
 205                  * Since we've been invoked as a "simulated login", set up the
 206                  * environment.
 207                  */
 208                 char *cur_tz = getenv("TZ");
 209                 char *cur_term = getenv("TERM");
 210 
 211                 char **envnext;
 212 
 213                 size_t len_home = strlen(pw->pw_dir) + strlen("HOME=") + 1;
 214                 size_t len_logname = strlen(pw->pw_name) + strlen("LOGNAME=") +
 215                     1;
 216                 size_t len_shell = strlen(pw->pw_shell) + strlen("SHELL=") + 1;
 217                 size_t len_mail = strlen(pw->pw_name) +
 218                     strlen("MAIL=/var/mail/") + 1;
 219                 size_t len_tz;
 220                 size_t len_term;
 221 
 222                 char *env_home = safe_malloc(len_home);
 223                 char *env_logname = safe_malloc(len_logname);
 224                 char *env_shell = safe_malloc(len_shell);
 225                 char *env_mail = safe_malloc(len_mail);
 226                 char *env_tz;
 227                 char *env_term;
 228 
 229                 (void) snprintf(env_home, len_home, "HOME=%s", pw->pw_dir);
 230                 (void) snprintf(env_logname, len_logname, "LOGNAME=%s",
 231                     pw->pw_name);
 232                 (void) snprintf(env_shell, len_shell, "SHELL=%s", pw->pw_shell);
 233                 (void) snprintf(env_mail, len_mail, "MAIL=/var/mail/%s",
 234                     pw->pw_name);
 235 
 236                 env[0] = env_home;
 237                 env[1] = env_logname;
 238                 env[2] = (pw->pw_uid == 0 ? supath : path);
 239                 env[3] = env_shell;
 240                 env[4] = env_mail;
 241                 env[5] = NULL;
 242                 env[6] = NULL;
 243                 env[7] = NULL;
 244 
 245                 envnext = (char **)&env[5];
 246 
 247                 /*
 248                  * It's possible that TERM wasn't defined in the outer
 249                  * environment.
 250                  */
 251                 if (cur_term != NULL) {
 252                         len_term = strlen(cur_term) + strlen("TERM=") + 1;
 253                         env_term = safe_malloc(len_term);
 254 
 255                         (void) snprintf(env_term, len_term, "TERM=%s",
 256                             cur_term);
 257                         *envnext = env_term;
 258                         envnext++;
 259                 }
 260 
 261                 /*
 262                  * It is also possible that TZ wasn't defined in the outer
 263                  * environment.  In that case, we must attempt to open the file
 264                  * defining the default timezone and select the appropriate
 265                  * entry. If there is no default timezone there, try
 266                  * TIMEZONE in /etc/default/login, duplicating the algorithm
 267                  * that login uses.
 268                  */
 269                 if (cur_tz != NULL) {
 270                         len_tz = strlen(cur_tz) + strlen("TZ=") + 1;
 271                         env_tz = safe_malloc(len_tz);
 272 
 273                         (void) snprintf(env_tz, len_tz, "TZ=%s", cur_tz);
 274                         *envnext = env_tz;
 275                 } else {
 276                         if ((env_tz = getdefault(TIMEZONEFILE, "TZ=",
 277                             "TZ=")) != NULL)
 278                                 *envnext = env_tz;
 279                         else {
 280                                 env_tz = getdefault(LOGINFILE, "TIMEZONE=",
 281                                     "TZ=");
 282                                 *envnext = env_tz;
 283                         }
 284                 }
 285 
 286                 environ = (char **)&env[0];
 287 
 288                 /*
 289                  * Prefix the shell string with a hyphen, indicating a login
 290                  * shell.
 291                  */
 292                 shell = safe_malloc(PATH_MAX);
 293                 (void) snprintf(shell, PATH_MAX, "-%s", basename(pw->pw_shell));
 294         } else {
 295                 shell = basename(pw->pw_shell);
 296         }
 297 
 298         /*
 299          * If there are no arguments, we launch the user's shell; otherwise, the
 300          * remaining commands are assumed to form a valid command invocation
 301          * that we can exec.
 302          */
 303         if (optind >= argc) {
 304                 targs = alloca(2 * sizeof (char *));
 305                 filename = pw->pw_shell;
 306                 targs[0] = shell;
 307                 targs[1] = NULL;
 308         } else {
 309                 targs = &argv[optind];
 310                 filename = targs[0];
 311         }
 312 
 313         if (execvp(filename, targs) == -1)
 314                 die(gettext("exec of %s failed"), targs[0]);
 315 
 316         /*
 317          * We should never get here.
 318          */
 319         return (1);
 320 }
 321 
 322 static int
 323 update_running_proc(int newproj_flag, char *procname, char *projname)
 324 {
 325         struct ps_prochandle *p;
 326         prcred_t original_prcred, current_prcred;
 327         projid_t prprojid;
 328         taskid_t taskid;
 329         int error = 0, gret;
 330         struct project project;
 331         char prbuf[PROJECT_BUFSZ];
 332         struct passwd *passwd_entry;
 333         int grab_retry_count = 0;
 334 
 335         /*
 336          * Catch signals from terminal. There isn't much sense in
 337          * doing anything but ignoring them since we don't do anything
 338          * after the point we'd be capable of handling them again.
 339          */
 340         (void) sigignore(SIGHUP);
 341         (void) sigignore(SIGINT);
 342         (void) sigignore(SIGQUIT);
 343         (void) sigignore(SIGTERM);
 344 
 345         /* flush stdout before grabbing the proc to avoid deadlock */
 346         (void) fflush(stdout);
 347 
 348         /*
 349          * We need to grab the process, which will force it to stop execution
 350          * until the grab is released, in order to aquire some information about
 351          * it, such as its current project (which is achieved via an injected
 352          * system call and therefore needs an agent) and its credentials. We
 353          * will then need to release it again because it may be a process that
 354          * we rely on for later calls, for example nscd.
 355          */
 356         if ((p = proc_arg_grab(procname, PR_ARG_PIDS, 0, &gret)) == NULL) {
 357                 warn(gettext("failed to grab for process %s: %s\n"),
 358                     procname, Pgrab_error(gret));
 359                 return (1);
 360         }
 361         if (Pcreate_agent(p) != 0) {
 362                 Prelease(p, 0);
 363                 warn(gettext("cannot control process %s\n"), procname);
 364                 return (1);
 365         }
 366 
 367         /*
 368          * The victim process is now held. Do not call any functions
 369          * which generate stdout/stderr until the process has been
 370          * released.
 371          */
 372 
 373 /*
 374  * The target process will soon be restarted (in case it is in newtask's
 375  * execution path) and then stopped again. We need to ensure that our cached
 376  * data doesn't change while the process runs so return here if the target
 377  * process changes its user id in between our stop operations, so that we can
 378  * try again.
 379  */
 380 pgrab_retry:
 381 
 382         /* Cache required information about the process. */
 383         if (Pcred(p, &original_prcred, 0) != 0) {
 384                 preserve_error(gettext("cannot get process credentials %s\n"),
 385                     procname);
 386                 error = 1;
 387         }
 388         if ((prprojid = pr_getprojid(p)) == -1) {
 389                 preserve_error(gettext("cannot get process project id %s\n"),
 390                     procname);
 391                 error = 1;
 392         }
 393 
 394         /*
 395          * We now have all the required information, so release the target
 396          * process and perform our sanity checks. The process needs to be
 397          * running at this point because it may be in the execution path of the
 398          * calls made below.
 399          */
 400         Pdestroy_agent(p);
 401         Prelease(p, 0);
 402 
 403         /* if our data acquisition failed, then we can't continue. */
 404         if (error) {
 405                 warn("%s\n", global_error);
 406                 return (1);
 407         }
 408 
 409         if (newproj_flag == 0) {
 410                 /*
 411                  * Just changing the task, so set projname to the current
 412                  * project of the running process.
 413                  */
 414                 if (getprojbyid(prprojid, &project, &prbuf,
 415                     PROJECT_BUFSZ) == NULL) {
 416                         warn(gettext("unable to get project name "
 417                             "for projid %d"), prprojid);
 418                         return (1);
 419                 }
 420                 projname = project.pj_name;
 421         } else {
 422                 /*
 423                  * cache info for the project which user passed in via the
 424                  * command line
 425                  */
 426                 if (getprojbyname(projname, &project, &prbuf,
 427                     PROJECT_BUFSZ) == NULL) {
 428                         warn(gettext("unknown project \"%s\"\n"), projname);
 429                         return (1);
 430                 }
 431         }
 432 
 433         /*
 434          * Use our cached information to verify that the owner of the running
 435          * process is a member of proj
 436          */
 437         if ((passwd_entry = match_user(original_prcred.pr_ruid,
 438             projname, 0)) == NULL) {
 439                 warn("%s\n", global_error);
 440                 return (1);
 441         }
 442 
 443         /*
 444          * We can now safely stop the process again in order to change the
 445          * project and taskid as required.
 446          */
 447         if ((p = proc_arg_grab(procname, PR_ARG_PIDS, 0, &gret)) == NULL) {
 448                 warn(gettext("failed to grab for process %s: %s\n"),
 449                     procname, Pgrab_error(gret));
 450                 return (1);
 451         }
 452         if (Pcreate_agent(p) != 0) {
 453                 Prelease(p, 0);
 454                 warn(gettext("cannot control process %s\n"), procname);
 455                 return (1);
 456         }
 457 
 458         /*
 459          * Now that the target process is stopped, check the validity of our
 460          * cached info. If we aren't superuser then match_user() will have
 461          * checked to make sure that the owner of the process is in the relevant
 462          * project. If our ruid has changed, then match_user()'s conclusion may
 463          * be invalid.
 464          */
 465         if (getuid() != 0) {
 466                 if (Pcred(p, &current_prcred, 0) != 0) {
 467                         Pdestroy_agent(p);
 468                         Prelease(p, 0);
 469                         warn(gettext("can't get process credentials %s\n"),
 470                             procname);
 471                         return (1);
 472                 }
 473 
 474                 if (original_prcred.pr_ruid != current_prcred.pr_ruid) {
 475                         if (grab_retry_count++ < GRAB_RETRY_MAX)
 476                                 goto pgrab_retry;
 477 
 478                         warn(gettext("process consistently changed its "
 479                             "user id %s\n"), procname);
 480                         return (1);
 481                 }
 482         }
 483 
 484         error = set_ids(p, &project, passwd_entry);
 485 
 486         if (verbose)
 487                 taskid = pr_gettaskid(p);
 488 
 489         Pdestroy_agent(p);
 490         Prelease(p, 0);
 491 
 492         if (error) {
 493                 /*
 494                  * error is serious enough to stop, only if negative.
 495                  * Otherwise, it simply indicates one of the resource
 496                  * control assignments failed, which is worth warning
 497                  * about.
 498                  */
 499                 warn("%s\n", global_error);
 500                 if (error < 0)
 501                         return (1);
 502         }
 503 
 504         if (verbose)
 505                 (void) fprintf(stderr, "%d\n", (int)taskid);
 506 
 507         return (0);
 508 }
 509 
 510 static int
 511 set_ids(struct ps_prochandle *p, struct project *project,
 512     struct passwd *passwd_entry)
 513 {
 514         int be_su = 0;
 515         prcred_t old_prcred;
 516         int error;
 517         prpriv_t *old_prpriv, *new_prpriv;
 518         size_t prsz = sizeof (prpriv_t);
 519         priv_set_t *eset, *pset;
 520         int ind;
 521 
 522         if (Pcred(p, &old_prcred, 0) != 0) {
 523                 preserve_error(gettext("can't get process credentials"));
 524                 return (1);
 525         }
 526 
 527         old_prpriv = proc_get_priv(Pstatus(p)->pr_pid);
 528         if (old_prpriv == NULL) {
 529                 preserve_error(gettext("can't get process privileges"));
 530                 return (1);
 531         }
 532 
 533         prsz = PRIV_PRPRIV_SIZE(old_prpriv);
 534 
 535         new_prpriv = malloc(prsz);
 536         if (new_prpriv == NULL) {
 537                 preserve_error(gettext("can't allocate memory"));
 538                 free(old_prpriv);
 539                 return (1);
 540         }
 541 
 542         (void) memcpy(new_prpriv, old_prpriv, prsz);
 543 
 544         /*
 545          * If the process already has the proc_taskid privilege,
 546          * we don't need to elevate its privileges; if it doesn't,
 547          * we try to do it here.
 548          * As we do not wish to leave a window in which the process runs
 549          * with elevated privileges, we make sure that the process dies
 550          * when we go away unexpectedly.
 551          */
 552 
 553         ind = priv_getsetbyname(PRIV_EFFECTIVE);
 554         eset = (priv_set_t *)&new_prpriv->pr_sets[new_prpriv->pr_setsize * ind];
 555         ind = priv_getsetbyname(PRIV_PERMITTED);
 556         pset = (priv_set_t *)&new_prpriv->pr_sets[new_prpriv->pr_setsize * ind];
 557 
 558         if (!priv_issubset(nset, eset)) {
 559                 be_su = 1;
 560                 priv_union(nset, eset);
 561                 priv_union(nset, pset);
 562                 if (Psetflags(p, PR_KLC) != 0) {
 563                         preserve_error(gettext("cannot set process "
 564                             "privileges"));
 565                         (void) Punsetflags(p, PR_KLC);
 566                         free(new_prpriv);
 567                         free(old_prpriv);
 568                         return (1);
 569                 }
 570                 (void) __priv_bracket(PRIV_ON);
 571                 if (Psetpriv(p, new_prpriv) != 0) {
 572                         (void) __priv_bracket(PRIV_OFF);
 573                         preserve_error(gettext("cannot set process "
 574                             "privileges"));
 575                         (void) Punsetflags(p, PR_KLC);
 576                         free(new_prpriv);
 577                         free(old_prpriv);
 578                         return (1);
 579                 }
 580                 (void) __priv_bracket(PRIV_OFF);
 581         }
 582 
 583         (void) __priv_bracket(PRIV_ON);
 584         if ((error = setproject_proc(project->pj_name,
 585             passwd_entry->pw_name, 0, Pstatus(p)->pr_pid, p, project)) != 0) {
 586                 /* global_error is set by setproject_err */
 587                 setproject_err(passwd_entry->pw_name, project->pj_name,
 588                     error, project);
 589         }
 590         (void) __priv_bracket(PRIV_OFF);
 591 
 592         /* relinquish added privileges */
 593         if (be_su) {
 594                 (void) __priv_bracket(PRIV_ON);
 595                 if (Psetpriv(p, old_prpriv) != 0) {
 596                         /*
 597                          * We shouldn't ever be in a state where we can't
 598                          * set the process back to its old creds, but we
 599                          * don't want to take the chance of leaving a
 600                          * non-privileged process with enhanced creds. So,
 601                          * release the process from libproc control, knowing
 602                          * that it will be killed.
 603                          */
 604                         (void) __priv_bracket(PRIV_OFF);
 605                         Pdestroy_agent(p);
 606                         die(gettext("cannot relinquish superuser credentials "
 607                             "for pid %d. The process was killed."),
 608                             Pstatus(p)->pr_pid);
 609                 }
 610                 (void) __priv_bracket(PRIV_OFF);
 611                 if (Punsetflags(p, PR_KLC) != 0)
 612                         preserve_error(gettext("error relinquishing "
 613                             "credentials. Process %d will be killed."),
 614                             Pstatus(p)->pr_pid);
 615         }
 616         free(new_prpriv);
 617         free(old_prpriv);
 618 
 619         return (error);
 620 }
 621 
 622 /*
 623  * preserve_error() should be called rather than warn() by any
 624  * function that is called while the victim process is being
 625  * held by Pgrab.
 626  *
 627  * It saves a single error message to be printed until after
 628  * the process has been released. Since multiple errors are not
 629  * stored, any error should be considered critical.
 630  */
 631 void
 632 preserve_error(const char *format, ...)
 633 {
 634         va_list alist;
 635 
 636         va_start(alist, format);
 637 
 638         /*
 639          * GLOBAL_ERR_SZ is pretty big. If the error is longer
 640          * than that, just truncate it, rather than chance missing
 641          * the error altogether.
 642          */
 643         (void) vsnprintf(global_error, GLOBAL_ERR_SZ-1, format, alist);
 644 
 645         va_end(alist);
 646 
 647 }
 648 
 649 /*
 650  * Given the input arguments, return the passwd structure that matches best.
 651  * Also, since we use getpwnam() and friends, subsequent calls to this
 652  * function will re-use the memory previously returned.
 653  */
 654 static struct passwd *
 655 match_user(uid_t uid, char *projname, int is_my_uid)
 656 {
 657         char prbuf[PROJECT_BUFSZ], username[LOGNAME_MAX+1];
 658         struct project prj;
 659         char *tmp_name;
 660         struct passwd *pw = NULL;
 661 
 662         /*
 663          * In order to allow users with the same UID but distinguishable
 664          * user names to be in different projects we play a guessing
 665          * game of which username is most appropriate. If we're checking
 666          * for the uid of the calling process, the login name is a
 667          * good starting point.
 668          */
 669         if (is_my_uid) {
 670                 if ((tmp_name = getlogin()) == NULL ||
 671                     (pw = getpwnam(tmp_name)) == NULL || (pw->pw_uid != uid) ||
 672                     (pw->pw_name == NULL))
 673                         pw = NULL;
 674         }
 675 
 676         /*
 677          * If the login name doesn't work,  we try the first match for
 678          * the current uid in the password file.
 679          */
 680         if (pw == NULL) {
 681                 if (((pw = getpwuid(uid)) == NULL) || pw->pw_name == NULL) {
 682                         preserve_error(gettext("cannot find username "
 683                             "for uid %d"), uid);
 684                         return (NULL);
 685                 }
 686         }
 687 
 688         /*
 689          * If projname wasn't supplied, we've done our best, so just return
 690          * what we've got now. Alternatively, if newtask's invoker has
 691          * superuser privileges, return the pw structure we've got now, with
 692          * no further checking from inproj(). Superuser should be able to
 693          * join any project, and the subsequent call to setproject() will
 694          * allow this.
 695          */
 696         if (projname == NULL || getuid() == (uid_t)0)
 697                 return (pw);
 698 
 699         (void) strlcpy(username, pw->pw_name, sizeof (username));
 700 
 701         if (inproj(username, projname, prbuf, PROJECT_BUFSZ) == 0) {
 702                 char **u;
 703                 tmp_name = NULL;
 704 
 705                 /*
 706                  * If the previous guesses didn't work, walk through all
 707                  * project members and test for UID-equivalence.
 708                  */
 709 
 710                 if (getprojbyname(projname, &prj, prbuf,
 711                     PROJECT_BUFSZ) == NULL) {
 712                         preserve_error(gettext("unknown project \"%s\""),
 713                             projname);
 714                         return (NULL);
 715                 }
 716 
 717                 for (u = prj.pj_users; *u; u++) {
 718                         if ((pw = getpwnam(*u)) == NULL)
 719                                 continue;
 720 
 721                         if (pw->pw_uid == uid) {
 722                                 tmp_name = pw->pw_name;
 723                                 break;
 724                         }
 725                 }
 726 
 727                 if (tmp_name == NULL) {
 728                         preserve_error(gettext("user \"%s\" is not a member of "
 729                             "project \"%s\""), username, projname);
 730                         return (NULL);
 731                 }
 732         }
 733 
 734         return (pw);
 735 }
 736 
 737 void
 738 setproject_err(char *username, char *projname, int error, struct project *proj)
 739 {
 740         kva_t *kv_array = NULL;
 741         char prbuf[PROJECT_BUFSZ];
 742         struct project local_proj;
 743 
 744         switch (error) {
 745         case SETPROJ_ERR_TASK:
 746                 if (errno == EAGAIN)
 747                         preserve_error(gettext("resource control limit has "
 748                             "been reached"));
 749                 else if (errno == ESRCH)
 750                         preserve_error(gettext("user \"%s\" is not a member of "
 751                             "project \"%s\""), username, projname);
 752                 else if (errno == EACCES)
 753                         preserve_error(gettext("the invoking task is final"));
 754                 else
 755                         preserve_error(
 756                             gettext("could not join project \"%s\""),
 757                             projname);
 758                 break;
 759         case SETPROJ_ERR_POOL:
 760                 if (errno == EACCES)
 761                         preserve_error(gettext("no resource pool accepting "
 762                             "default bindings exists for project \"%s\""),
 763                             projname);
 764                 else if (errno == ESRCH)
 765                         preserve_error(gettext("specified resource pool does "
 766                             "not exist for project \"%s\""), projname);
 767                 else
 768                         preserve_error(gettext("could not bind to default "
 769                             "resource pool for project \"%s\""), projname);
 770                 break;
 771         default:
 772                 if (error <= 0) {
 773                         preserve_error(gettext("setproject failed for "
 774                             "project \"%s\""), projname);
 775                         return;
 776                 }
 777                 /*
 778                  * If we have a stopped target process it may be in
 779                  * getprojbyname()'s execution path which would make it unsafe
 780                  * to access the project table, so only do that if the caller
 781                  * hasn't provided a cached version of the project structure.
 782                  */
 783                 if (proj == NULL)
 784                         proj = getprojbyname(projname, &local_proj, prbuf,
 785                             PROJECT_BUFSZ);
 786 
 787                 if (proj == NULL || (kv_array = _str2kva(proj->pj_attr,
 788                     KV_ASSIGN, KV_DELIMITER)) == NULL ||
 789                     kv_array->length < error) {
 790                         preserve_error(gettext("warning, resource control "
 791                             "assignment failed for project \"%s\" "
 792                             "attribute %d"),
 793                             projname, error);
 794                         if (kv_array)
 795                                 _kva_free(kv_array);
 796                         return;
 797                 }
 798                 preserve_error(gettext("warning, %s resource control "
 799                     "assignment failed for project \"%s\""),
 800                     kv_array->data[error - 1].key, projname);
 801                 _kva_free(kv_array);
 802         }
 803 }