>On Tue, Mar 16, 2010 at 6:04 PM, <Casper.Dik at sun.com> wrote:
>>
>> I filed the following bug:
>>
>> 6934527 pfksh93 does not work for builtin commands
>
>This bug might be a candidate for a WONTFIX. The root cause is that
>the pfexec *design* is utterly broken (giving a whole process extra
>privileges, ignoring the fact that part of this process may be
>compromised. The granulation is the wrong one and should never grant a
>whole process such a power) and deliberately ignored the concept of
>shell builtins in POSIX shells. Sure, Sun never cared much about POSIX
>when designing its own APIs but we have again the case where this
>ignorance in the design process strikes back.

That's an opinion, not a fact. How would you compromise a process which isn't running?

It is not much different from using "sudo" or similar mechanisms; a profile shell just allows you to run commands without having to start every command with "sudo" or "pfexec".

>> pfexec is only executed for "external" commands and not for
>> internal commands.
>
>This is the correct behaviour. Commands which require special
>privileges should intentionally be marked as privileged, in this case
>by specifying the full path of the command (which prevents the shell
>from using a builtin command).

I think you misunderstand why we have profile shells; they are mostly used as *interactive* shells. You don't want to use full pathnames when typing a command, nor do you want "mkdir" and "/usr/bin/mkdir" to be different in an interactive shell.

>> I want to change ksh93 that when it runs as a "profile shell", it
>> needs to disable all builtin commands listed in "cmdlist.h";
>
>This would cause "7000000 Putback for 6934527 regressed pfksh93
>performance, scripts run 70-100 times slower". AFAIK this kind of
>performance regression is a no-go in ON, right?

I think you don't quite understand the rules we operate under: if the current behaviour is "buggy" then any performance measurements are simply not valid.

Clearly, "pfksh93" will possibly be slower than "ksh93" but so be it; currently it is broken and now it just fails more quickly. It will not change the speed of ksh93 nor would it make the operation of the system slower.

There are five or so "pfsh" scripts in /usr/sbin. The rest of the profile shells are interactive and it takes a lot more time to type in the command.

>I think the problem is the design of pfexec and friends which should
>be fixed and not that the broken policy enforced upon ksh93. It will
>just break things, including scripts which rely on features only
>present in the builtin command and not in the /usr/bin commands,
>signal handling and other stuff.

(Open)Solaris is the only system I know which has "profile shells" so such a script wouldn't be portable anyway.

If the "/bin/foo" command behaves differently than "builtin foo", then that is an actual bug. (cf mktemp)

Casper
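The point the thread turns on is that a profile shell only routes *external* commands through pfexec: a name the shell resolves to a builtin never reaches the exec hook, so the profile's privileges are not applied to it. An administrator who wants to know which names in a command list would be affected can ask the shell itself how it resolves each name. The script below is an added example, not code from this thread or from the ksh93/ON source; it uses only POSIX `command -V` and a PATH walk, the sample command list is constructed (standing in for the names bound in `cmdlist.h`), and the classification it prints depends on which shell runs it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report which command
# names the running shell resolves to builtins rather than external files.
# Only external commands pass through a profile shell's pfexec hook, so a
# builtin of the same name runs without the profile's extra privileges.

# is_builtin NAME: succeed if NAME resolves to a shell builtin in this shell.
is_builtin() {
    case "$(command -V "$1" 2>/dev/null)" in
        *builtin*) return 0 ;;
        *)         return 1 ;;
    esac
}

# external_path NAME: print the first executable file for NAME on PATH
# (the form a profile shell would hand to pfexec); fail if there is none.
external_path() {
    _old_ifs=$IFS
    IFS=:
    for _dir in $PATH; do
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# classify NAME...: one line per name:
#   "NAME builtin PATH-or--"  the shell would take the builtin (hook bypassed)
#   "NAME external PATH"      the shell would exec the file (hook applies)
#   "NAME missing"            neither exists
classify() {
    for _name in "$@"; do
        _path=$(external_path "$_name" || true)
        if is_builtin "$_name"; then
            printf '%s builtin %s\n' "$_name" "${_path:--}"
        elif [ -n "$_path" ]; then
            printf '%s external %s\n' "$_name" "$_path"
        else
            printf '%s missing\n' "$_name"
        fi
    done
}

# count_builtins NAME...: how many of the names would bypass the exec hook.
count_builtins() {
    _n=0
    for _name in "$@"; do
        if is_builtin "$_name"; then
            _n=$((_n + 1))
        fi
    done
    printf '%s\n' "$_n"
}

# Constructed sample list; the real list would come from the profile's
# cmdlist.h. Results differ between bash, dash and ksh93.
SAMPLE_CMDS="cd test printf mkdir chmod rm cat"

classify $SAMPLE_CMDS
```

Run it under the shell you actually use as a profile shell (for example `ksh93 ./audit.sh`) rather than under `/bin/sh`, since the whole question is which names *that* shell binds as builtins; a name reported as `builtin` with a path next to it is exactly the case the thread describes, where typing the bare name and typing the full path give different privilege behaviour.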