Regarding the issue of pfksh93 invoking built-ins instead of binaries (e.g., the chown built-in in ksh93 instead of pfexec'ing the /usr/bin/chown binary), I propose that we include pfksh93 but disable only the built-ins bound to the /bin pathname:
- cat
- chown
- head
- mkdir
- rmdir
- tee
- uniq
- wc

It may be a little more disabling than necessary, but rather than argue which of these eight should or should not be allowed, it includes only those built-ins which are mostly specific to the ksh93 proposed for Solaris integration, so, hopefully, it should cause no new failures in ksh93 test scripts.

We leave the new built-ins with no pathname binding--printf and sleep--alone, as there should be no practical effect running printf or sleep with privileges.

The built-ins bound to /usr/ast/bin could be either disabled for pfksh93 or we could argue that they are undocumented and there should be no expectation by users that they will allow RBAC-enhanced privileges.

The remaining built-in commands in ksh93 are not bound to a pathname, and either do not have a matching Solaris binary or are also built-ins in Solaris ksh, so their behavior as far as RBAC privileges should be the same as Solaris ksh, e.g., "test" is a built-in in Solaris ksh.

In a future case, we can enable the built-ins bound to /bin for pfksh93, when we have investigated and solved the general RBAC issue for built-ins in ksh93.

Thanks,
April