April Chin writes: > Regarding the issue of pfksh93 invoking built-ins instead of binaries > (e.g., the chown built-in in ksh93 instead of pfexec'ing the > /usr/bin/chown binary), I propose that we include pfksh93 > but disable only the built-ins bound to the /bin pathname:
That seems quite reasonable to me. (The big concern is with chown, but getting the others seems harmless.) > The built-ins bound to /usr/ast/bin could be either disabled for > pfksh93 or we could argue that they are undocumented and there should > be no expectation by users that they will allow RBAC-enhanced > privileges. As I understand it, the user would add the "virtual" directory /usr/ast/bin to his path, right? Whatever bit of text documents this path (the original case proposed "Volatile" stability for the /usr/ast/bin mechanism, which means it's a public interface) should note that it may cause trouble with pfksh93. Other than that, this seems fine. -- James Carlson, KISS Network <james.d.carlson at sun.com> Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084 MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
