Casper Dik wrote:
> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> This information is Copyright 2009 Sun Microsystems
> 1. Introduction
>     1.1. Project/Component Working Name:
>        In-kernel pfexec implementation.
>     1.2. Name of Document Author/Supplier:
>        Author:  Casper Dik
>     1.3  Date of This Document:
>       03 July, 2009
> 4. Technical Description
> I'm sponsoring this fasttrack for myself.
> 
> This project proposes an in-kernel implementation of the
> pfexec(1) command.
> 
> Release binding: minor.
> 
> The implementation of pfexec(1) is changed such that it
> adds the PRIV_PFEXEC credential flag and then executes
> the program.  The execve() system call will notice the
> PRIV_PFEXEC flag and it will ask the pfexecd daemon
> whether the file can be executed and which changes to the
> credential are required.
> 
> The pfexecd is started at boot through SMF as "svc:/system/pfexecd".

I'm assuming here that pfexecd is running as root with all privileges?
Or is it able to run with a reduced set (for example, pfexecd shouldn't, I 
think, need most of the current basic privs or file_write from the new 
set in PSARC/2009/378).  Though it feels to me like it should be running 
with all privs because otherwise a lower privileged process is acting 
as an authority to hand out privs it doesn't actually have.

Sorry for not bringing this next one up in the pre-review but it only 
just popped into my head.   In the current system pfexec itself will do 
the nameservice lookup to find the exec_attr entry to use.  If I 
understand the new system it will be pfexecd doing that, right?   So 
this changes things with respect to per user nscd (needed for doing self 
credentialed lookups) in that user_attr, prof_attr and exec_attr lookups 
for 'pfexec' won't use the per user nscd?   Or am I missing something?

In the pre-review we discussed whether or not a TX configuration would 
have one pfexecd per system (in the global zone) or one per zone.  This 
would ensure that pfexecd "follows" what happens with nscd which can be 
one in the global zone or one per zone.  I can't tell from the case 
material what the decision was on that.

-- 
Darren J Moffat
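The user_attr, prof_attr and exec_attr lookup that the thread discusses moving from pfexec(1) into pfexecd, written out as an added example (not Sun's code and not part of the case): it parses constructed records laid out in the field order of user_attr(4), prof_attr(4) and exec_attr(4), expands the user's profile list, and returns the credential changes the first matching entry grants for a path. Assumptions: only solaris/cmd entries are considered, `*` is the only wildcard, and attribute values contain no quoting.

```python
# Simplified model of the user_attr -> prof_attr -> exec_attr lookup that
# pfexec(1) performs; sample records below are constructed, not real data.
USER_ATTR = "darren::::type=normal;profiles=Network Management\n"
PROF_ATTR = """\
Network Management:::Manage the host and network configuration:profiles=Basic Solaris User
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read
"""
EXEC_ATTR = """\
Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/usr/sbin/snoop:uid=0
Basic Solaris User:solaris:cmd:::/usr/bin/cdrw:privs=sys_devices
"""
def parse_attr(field):
    """Parse a 'key=value;key=value' attribute field into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if kv)
def user_profiles(user, user_attr=USER_ATTR, prof_attr=PROF_ATTR):
    """Ordered list of the user's profiles, expanded depth-first through
    each profile's own profiles= attribute (first assignment wins)."""
    profs = {}
    for line in prof_attr.splitlines():
        name, _, _, _, attr = line.split(":", 4)
        profs[name] = parse_attr(attr)
    direct = []
    for line in user_attr.splitlines():
        name, _, _, _, attr = line.split(":", 4)
        if name == user:
            direct = parse_attr(attr).get("profiles", "").split(",")
    result = []
    def walk(prof):
        if prof and prof not in result:
            result.append(prof)
            for sub in profs.get(prof, {}).get("profiles", "").split(","):
                walk(sub)
    for prof in direct:
        walk(prof)
    return result
def exec_attrs(user, path, exec_attr=EXEC_ATTR):
    """Credential changes the first matching solaris/cmd exec_attr entry
    grants user for path, or None when no assigned profile covers it."""
    entries = {}
    for line in exec_attr.splitlines():
        name, policy, kind, _, _, ident, attr = line.split(":", 6)
        if policy == "solaris" and kind == "cmd":
            entries.setdefault(name, []).append((ident, parse_attr(attr)))
    for prof in user_profiles(user):
        for ident, attrs in entries.get(prof, []):
            if ident in (path, "*"):
                return attrs
    return None
```

Whichever process performs this lookup (pfexec today, pfexecd in the proposal) is the one whose name service path, including any per-user nscd, decides which records are consulted.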
