Glenn Fowler writes:
> > In order for this to work, either (A) all applications using libcmd
> > must become smart enough to know when to do exec() instead or (B) no
> > application other than a /usr/bin/* utility implemented by way of
> > libcmd should ever link against libcmd.
> 
> does this mean that the sh implementation makes some kind of contract
> on what system calls it will make? e.g., if chmod(1) requires pfexec,
> then can the sh implementation make a call to chmod(2) under any
> circumstances?

No, not quite.

If the assertion is that linking to libcmd and calling the functions
there is "just like" fork/exec of those same things, then the caller
(today) needs to understand when to exec the 'pfexec' setuid utility
instead.  In the future, when exec is (with some hope) made more
natural, the caller will need to know when the libcmd function is
"just like" fork/exec and when it's just not.

There's no limitation on the use of chmod(2), though.  If an
application calls that, and it needs additional privileges or a
different uid, then the entire program needs the additional
privileges.  It's not expected that invoking chmod(2) causes you to
get new privileges.

That's the problem.  If the user sets $SHELL correctly to a pf-type
shell and configures RBAC as needed, then any shell-invoked uses of
chmod(1) should get RBAC-controlled behavior.  The surprising effect
here is that there are cases where (for ksh93) it doesn't, and where
innocent recoding of 'system("chmod ...");' results in different
behavior (and perhaps actual failure).

-- 
James Carlson, KISS Network                    <james.d.carlson at sun.com>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

Reply via email to