On Sun, Jul 05, 2009 at 06:37:18AM -0500, Nicolas Williams wrote:
> Are you saying that there's now a way to separately specify privileges
> to "force" on exec() beyond what the process has in its limit set, or
> that the kernel grants less than "full privilege" (currently euid == 0 +
> oE = oP = L) to processes exec()ing set-uid programs for which there
> exist exec_attr(4) entries?
>
> If the former then I'd expect there should be more details. If the
> latter, then, does that apply regardless of whether PRIV_PFEXEC is set?

And if the latter, what happens when exec()ing set-uid programs without matching exec_attr(4) entries? Is there any way to apply a wildcard rule to grant no privileges to processes running set-uid programs not listed in exec_attr(4)?

Nico
--