Casper Dik <casper at sac.sfbay.sun.com> wrote: > > Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI > This information is Copyright 2009 Sun Microsystems > 1. Introduction > 1.1. Project/Component Working Name: > In-kernel pfexec implementation. > 1.2. Name of Document Author/Supplier: > Author: Casper Dik > 1.3 Date of This Document: > 03 July, 2009 > 4. Technical Description > I'm sponsoring this fasttrack for myself. > > This project proposes an in-kernel implementation of the > pfexec(1) command. > > Release binding: minor. > > The implementation of pfexec(1) is changed such that is > add the PRIV_PFEXEC credential flag and then executes > the program. The execve() system call will notice the > PRIV_PFEXEC flag and it will ask the pfexecd daemon > whether the file can be executed and which changes to the > credential are required.
Does this mean that the need for the existence of the /usr/bin/pfexec program will remain? OK, from readin below this seems to be true. ... or will there be a file system attribute that allows to create spfexec executable file behavior? > The pfexecd is started at boot through SMF as "svc:/system/pfexecd". > > Implementing pfexec in the kernel delivers the following advantages: > > > - pfshells come at no charge; this project will deliver > the following pf*sh*: > pfbash pfcsh pfksh pfksh93 pfsh pftcsh pfzsh > > A pf*sh* starts, sets the PRIV_PFEXEC flag and executes > the shell. Code which supports profile shells in current > shells will be removed. You mean the code that shifts the arg vector and that prepends /usr/bin/pfexec ? > /usr/bin/pfcsh [ options ] [ argument ]... > > + /usr/bin/pftcsh [ options ] [ argument ]... > + > /usr/bin/pfksh [ options ] [ argument ]... > > + /usr/bin/pfksh93 [ options ] [ argument ]... > + > + /usr/bin/pfbash [ options ] [ argument ]... > + > + /usr/bin/pfzsh [ options ] [ argument ]... > + Will there be the possibility to turn on/off this feature like while the shell is running like I did implement in "bsh" and "sh" in ftp://ftp.berlios.de/pub/schily/ set -P # Turn on profile mode set +P # Turn off profile mode set -o profile # Turn on profile mode set +o profile # Turn off profile mode J?rg -- EMail:joerg at schily.isdn.cs.tu-berlin.de (home) J?rg Schilling D-13353 Berlin js at cs.tu-berlin.de (uni) joerg.schilling at fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/ URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
