pkgsrc-Bugs archive
pkg/55765: make security/priv work with per_user_tmp=YES
>Number: 55765
>Category: pkg
>Synopsis: make security/priv work with per_user_tmp=YES
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Oct 29 07:30:00 +0000 2020
>Originator: Kimmo Suominen
>Release: NetBSD 9.1
>Organization:
>Environment:
System: NetBSD equinoxe.x.gw.fi 9.1 NetBSD 9.1 (GENERIC) #0: Sun Oct 18 19:24:30 UTC 2020 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
Using security/priv to run commands as another user on a
system with per_user_tmp=YES is not practical, because
after switching to another user /tmp no longer exists. This
is because the /private/tmp/@ruid target is created by
setusercontext(3), and security/priv does not call it (using
setuid(2)/setgid(2)/initgroups(3) instead).
>How-To-Repeat:
% su -m
# pkg_add priv
# echo 0:root:0000000: > /usr/pkg/etc/priv/${USER}
# rm -rf /private/tmp/0
Alternatively reboot the system, which would be the common cause
for /private/tmp/0 no longer existing.
% priv vipw
ex/vi: Error: Log file: No such file or directory
vipw: /usr/bin/vi: Undefined error: 0
vipw: /etc/master.passwd: unchanged
[The error from vi is also not as helpful as it could be.]
>Fix:
Proposed patch:
https://www.netbsd.org/~kim/priv-setusercontext.diff
Workaround: Only authorize users using the F_SU flag in the priv
configuration files. This requires creating the corresponding
"su-target" or "sutarget" links as well.