Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems

1. Introduction

1.1. Project/Component Working Name:

     In-kernel pfexec implementation.

1.2. Name of Document Author/Supplier:

     Author: Casper Dik

1.3  Date of This Document:

     03 July, 2009

4. Technical Description

I'm sponsoring this fasttrack for myself.
This project proposes an in-kernel implementation of the pfexec(1) command.

Release binding: minor.

The implementation of pfexec(1) is changed such that it adds the PRIV_PFEXEC credential flag and then executes the program. The execve() system call will notice the PRIV_PFEXEC flag and will ask the pfexecd daemon whether the file may be executed and which changes to the credential are required. pfexecd is started at boot through SMF as "svc:/system/pfexecd".

Implementing pfexec in the kernel delivers the following advantages:

- pfshells come at no charge; this project will deliver the following pf*sh*:

      pfbash pfcsh pfksh pfksh93 pfsh pftcsh pfzsh

  A pf*sh* starts, sets the PRIV_PFEXEC flag and executes the shell. Code which supports profile shells in the current shells will be removed.

- Fewer privileges are needed in the Limit sets of users in certain roles. (Unsafe privileges are not required in the limit set unless required by the exec_attr entry.)

- More fine-grained control in exec_attr. E.g., instead of creating an exec_attr entry for "/usr/sbin/mount", you can now create different exec_attr entries for each of the mount commands in /usr/lib/fs/*.

- Profile shells are a bit more efficient (pfexec is no longer executed by the profile shells; running "pfexec" by hand will work as before).

Additionally, this project will deliver "Forced Privileges" through the exec_attr database:

- Unsafe privileges are not required to execute ping, traceroute, etc. (If an executable is set-uid root, the kernel will look up the Forced Privileges for that executable.)

- Set-uid applications in that list will not start as root; instead they run with the appropriate privileges.

ppriv(1) will show the PRIV_PFEXEC flag:

    % pftcsh
    > ppriv $$
    4812:   sh
    flags = PRIV_PFEXEC
            E: basic
            I: basic
            P: basic
            L: all

And ppriv(1) can make your shell a profile shell:

    % ppriv -P $$

There's no restriction on setting PRIV_PFEXEC, as using "pfexec" is not restricted.
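The exec-time decision described above, modelled as a small Python program. This is an added illustration, not code from the case, from Solaris or from pfexecd: the exec_attr(4) entries, the uid values and the "Forced Privilege" profile name are constructed, PRIV_PFEXEC is given an arbitrary bit value (only the flag name comes from the case), pfexecd is replaced by an in-process table lookup, and the relative order in which the set-uid and PRIV_PFEXEC checks are applied is an assumption of the model. It shows the two points the case makes: pfexec(1) and the pf*sh* only set a flag, and the per-path exec_attr lookup at execve() time is what distinguishes /usr/lib/fs/ufs/mount from /usr/lib/fs/nfs/mount and keeps a set-uid root binary with a Forced Privileges entry from starting as root.

```python
"""Model of the in-kernel pfexec decision. Added illustration only; not code
from the case, Solaris or pfexecd. All entries, uids and the bit value of
PRIV_PFEXEC are constructed; check ordering is an assumption of this model."""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Set

PRIV_PFEXEC = 0x1                    # constructed value; only the name is from the case
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                   "proc_info", "proc_session"})
_UIDS = {"root": 0, "lp": 71}        # constructed stand-in for passwd lookups

# Constructed exec_attr(4) entries in the name:policy:type:res1:res2:id:attr layout.
# "Forced Privilege" is the profile this model uses for the set-uid root lookup.
SAMPLE_EXEC_ATTR = """
File System Management:solaris:cmd:::/usr/lib/fs/ufs/mount:privs=sys_mount
File System Management:solaris:cmd:::/usr/lib/fs/nfs/mount:privs=sys_mount,net_privaddr
Printer Management:solaris:cmd:::/usr/sbin/accept:euid=lp
Forced Privilege:solaris:cmd:::/usr/sbin/ping:privs=net_icmpaccess
Forced Privilege:solaris:cmd:::/usr/sbin/traceroute:privs=net_icmpaccess,net_rawaccess
"""

@dataclass(frozen=True)
class Cred:
    uid: int
    privs: FrozenSet[str]            # one set stands in for E and P in this model
    flags: int = 0

@dataclass(frozen=True)
class ExecAttr:
    profile: str
    path: str
    uid: Optional[int]
    privs: FrozenSet[str]

def parse_exec_attr(text: str) -> List[ExecAttr]:
    """Parse 'cmd' entries; attr is a ';'-separated list of key=value pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or fields[2] != "cmd":
            raise ValueError("malformed exec_attr line: %r" % line)
        profile, _policy, _type, _res1, _res2, path, attr = fields
        kv = dict(item.split("=", 1) for item in attr.split(";") if item)
        uid = kv.get("uid", kv.get("euid"))
        if uid is not None:
            uid = int(uid) if uid.isdigit() else _UIDS[uid]
        privs = frozenset(kv["privs"].split(",")) if "privs" in kv else frozenset()
        entries.append(ExecAttr(profile, path, uid, privs))
    return entries

def lookup(path: str, entries: List[ExecAttr]) -> Optional[ExecAttr]:
    """Exact path match: this is what lets each /usr/lib/fs/*/mount differ."""
    for entry in entries:
        if entry.path == path:
            return entry
    return None

def pfexec(cred: Cred) -> Cred:
    """All pfexec(1) and the pf*sh* do in this design: set the flag, then exec."""
    return replace(cred, flags=cred.flags | PRIV_PFEXEC)

def kernel_exec(cred: Cred, path: str, setuid_root: bool,
                entries: List[ExecAttr], user_profiles: Set[str]) -> Cred:
    """execve() in this model: the credential the new image runs with."""
    if setuid_root:
        # Forced Privileges: a set-uid root binary with an entry does not become
        # root; it receives the listed privileges instead.
        forced = lookup(path, [e for e in entries if e.profile == "Forced Privilege"])
        if forced is not None:
            cred = replace(cred, privs=cred.privs | forced.privs)
        else:
            cred = replace(cred, uid=0)          # ordinary set-uid root behaviour
    if cred.flags & PRIV_PFEXEC:
        # "Ask pfexecd", modelled as a lookup limited to the user's profiles. The
        # flag stays set so commands run from a pf*sh* are covered too; a path
        # with no entry simply runs with an unchanged credential.
        entry = lookup(path, [e for e in entries if e.profile in user_profiles])
        if entry is not None:
            cred = replace(cred, privs=cred.privs | entry.privs)
            if entry.uid is not None:
                cred = replace(cred, uid=entry.uid)
    return cred

def demo():
    entries = parse_exec_attr(SAMPLE_EXEC_ATTR)
    user = Cred(uid=1001, privs=BASIC)
    shell = pfexec(user)                      # what pfksh does before exec'ing ksh
    fs_admin = {"File System Management"}
    return {
        "shell": shell,
        "ufs_mount": kernel_exec(shell, "/usr/lib/fs/ufs/mount", False, entries, fs_admin),
        "nfs_no_profile": kernel_exec(shell, "/usr/lib/fs/nfs/mount", False, entries, set()),
        "ping": kernel_exec(user, "/usr/sbin/ping", True, entries, set()),
        "plain_setuid": kernel_exec(user, "/usr/sbin/constructed-setuid-tool", True, entries, set()),
        "accept": kernel_exec(shell, "/usr/sbin/accept", False, entries, {"Printer Management"}),
    }

if __name__ == "__main__":
    for name, cred in demo().items():
        print(name, cred.uid, sorted(cred.privs), bool(cred.flags & PRIV_PFEXEC))
```

Running `demo()` shows the contrast the case draws: the pfksh user gets sys_mount only for the ufs mount command named in their profile, the nfs mount command runs with the unchanged basic set when the profile is absent, ping keeps uid 1001 and gains only net_icmpaccess, and a set-uid root binary without a Forced Privileges entry still becomes root as before.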
Exported Interface name PRIV_PFEXEC Committed getpflags(2) <sys/priv.h> svc:/system/pfexecd Committed pfexecd(1m) pf*sh* Committed pfexec(1) new flag in ppriv Committed ppriv(1) --- getpflags.2 Fri Jul 3 14:29:27 2009 +++ getpflags.2.new Fri Jul 3 14:34:05 2009 @@ -47,6 +47,12 @@ privilege debugging enabled. Processes can set and unset this flag at will. + PRIV_PFEXEC + + This one bit flag takes the value of 0 (unset) or 1 (set). + If this flag is set then all the commands are executed as if + they are executed from a profile shell. + NET_MAC_AWARE NET_MAC_AWARE_INHERIT These flags are available only if the system is configured --- pfexec.1 Fri Jul 3 14:35:10 2009 +++ pfexec.1.new Fri Jul 3 14:36:08 2009 @@ -12,8 +12,16 @@ /usr/bin/pfcsh [ options ] [ argument ]... + /usr/bin/pftcsh [ options ] [ argument ]... + /usr/bin/pfksh [ options ] [ argument ]... + /usr/bin/pfksh93 [ options ] [ argument ]... + + /usr/bin/pfbash [ options ] [ argument ]... + + /usr/bin/pfzsh [ options ] [ argument ]... + DESCRIPTION The pfexec program is used to execute commands with the attri- butes specified by the user's profiles in the exec_attr(4) data- --- ppriv.1 Fri Jul 3 14:29:27 2009 +++ ppriv.1.new Fri Jul 3 14:31:50 2009 @@ -45,6 +45,8 @@ -N Turns off privilege debugging for the processes or command supplied. + -P Enable the PRIV_PFEXEC process attribute. + -s spec Modifies a process's privilege sets according to spec, a specification with the format [AEILP][+- =]privsetspec, containing no spaces, where: 6. Resources and Schedule 6.4. Steering Committee requested information 6.4.1. Consolidation C-team Name: ON 6.5. ARC review type: FastTrack 6.6. ARC Exposure: open
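Review bot: The getpflags.2 hunk's new PRIV_PFEXEC paragraph ("If this flag is set then all the commands are executed as if they are executed from a profile shell") leaves out two things a caller of getpflags(2)/setpflags(2) will look for here: that the flag is carried across execve(2) (the case relies on this so that commands run from a pf*sh* are covered) and that no privilege is needed to set it, which the case states in its body text. Suggest tightening to "the process's subsequent execve(2) calls are treated as if issued from a profile shell" and adding one sentence on inheritance and on the absence of a privilege check.

Review bot: The pfexec.1 hunk adds SYNOPSIS lines for pftcsh, pfksh, pfksh93, pfbash and pfzsh, but the visible DESCRIPTION still opens with "The pfexec program is used to execute commands with the attributes specified by the user's profiles" and says nothing about the shells. Add a sentence after that paragraph stating that each pf*sh* sets the PRIV_PFEXEC flag and then executes the corresponding shell, so the new SYNOPSIS entries are explained on the page.

Review bot: The ppriv.1 hunk's new "-P Enable the PRIV_PFEXEC process attribute." is narrower than its neighbours: the -N entry above it says "for the processes or command supplied", and -P should state the same scope. It also introduces an enable with no visible counterpart, unlike -D/-N; either document how the attribute is cleared or state that it is not, and cross-reference getpflags(2), where the hunk in the same patch defines the flag.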