On Wed, 2006-01-25 at 07:04, Joerg Schilling wrote:
> If you like to transparently run a privileged root-less
> program, you currently need to use a profile enabled shell (e.g. pfsh, pfksh,
> pfcsh). Otherwise you would need to call:
>
> /usr/bin/pfexec command args
>
> pfexec.c is nearly 600 lines of code.
600 lines of very very carefully implemented and hand audited code!
> How about adding approx. 50 lines from isaexec to pfexec to allow doing the
> following:
>
> link /usr/bin/pfexec to /usr/bin/cdrecord
> copy cdrecord to /usr/bin/i86/cdrecord
>
> then call /usr/bin/cdrecord and get a cdrecord with a few added privs listed
> in /etc/security/exec_attr
Do you actually need multiple implementations of cdrecord, e.g. a 32-bit
and a 64-bit version? If not, I don't think abusing the isaexec mechanism
is the best way to solve this problem. Sure it will work, but it doesn't
feel the best way to me, but I'm thinking about it.
Thanks for thinking about this and looking for a solution.
The other way is for cdrecord to "reexec" itself under pfexec.
We have a few shell scripts around here that do this as the very
first thing:
# Re-exec under pfexec unless we were already started by it.
# $_ holds the path of the program that invoked this script, so the
# test is only as reliable as that shell convention.
if [ "$_" != "/usr/bin/pfexec" -a -x /usr/bin/pfexec ]; then
    # "$@" keeps each argument intact; $* would re-split on whitespace
    /usr/bin/pfexec "$0" "$@"
    exit $?
fi
You could have cdrecord do the same thing. Ugly? Yes. Does it help
all programs in general like your suggestion could? No. Is it better
than what you suggested? I don't think so, but I'm throwing it out for
further discussion.
I'd like to solve this problem in a better way. That might be
changing the userland bits of the exec*() family to do the pfexec
prefixing in userland first or it might mean getting the kernel
involved. Or it might be something else.
I think what you are looking for in the specific case of cdrecord
is really forced privileges in the filesystem, right? This is
because I think cdrecord is one of those class of programs that needs to
ALWAYS run with privilege. We had that ability
in all previous Trusted Solaris releases because we had a modified
version of UFS and tmpfs. In the OpenSolaris code base we only
have forced all privileges, as implemented by being setuid root.
If we had a way to have a system namespace for extended attributes
this would be possible to implement in tmpfs, UFS and ZFS (and any
other filesystem that implements the xattr ability).
For your specific case of cdrecord you could also code it to
be installed setuid root and drop all of the privilege you don't
need. See ping.c as an example of how to do this and this security
community document for the commentary:
http://opensolaris.org/os/community/security/library/howto/privbracket/
--
Darren J Moffat
_______________________________________________
opensolaris-code mailing list
https://opensolaris.org:444/mailman/listinfo/opensolaris-code
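The thread turns on what pfexec(1) does with an exec_attr(4) entry: it finds the entry for the command in one of the user's rights profiles and applies the attributes (privs=, uid=, euid=, ...) before exec'ing. The following is an added example, not OpenSolaris code, that models that lookup in Python. The entry lines are constructed (the file format is the real exec_attr(4) one: name:policy:type:res1:res2:id:attr), and the resolution is a simplified model of getexecuser(3SECDB): it walks the user's profiles in their assigned order and takes the first matching command entry, treating an id of * as a wildcard as the "All" profile does. It goes one step beyond the cdrecord case by showing why profile order matters: a wildcard profile listed before "Media Backup" silently leaves cdrecord unprivileged.

```python
"""Simplified model of how pfexec resolves extra privileges from exec_attr.

Added example, not OpenSolaris code.  Entry lines are constructed and the
lookup is a model of getexecuser(3SECDB), not the library itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# exec_attr(4) line format: name:policy:type:res1:res2:id:attr
# attr is a ';'-separated list of key=value pairs (uid=0, privs=a,b, ...).
SAMPLE_EXEC_ATTR = """\
# constructed entries, modelled on exec_attr(4); not from a real system
Media Backup:solaris:cmd:::/usr/bin/cdrecord:privs=file_dac_read,sys_devices
Network Management:solaris:cmd:::/usr/sbin/ifconfig:uid=0
All:solaris:cmd:::*:
"""


@dataclass
class ExecAttr:
    profile: str          # rights profile name
    policy: str           # "solaris" or "suser"
    kind: str             # entry type, "cmd" for executables
    cmd: str              # full path of the command, or "*" for any
    attrs: Dict[str, str]  # parsed attr field


def parse_exec_attr(text: str) -> List[ExecAttr]:
    """Parse exec_attr lines; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed exec_attr line: {raw!r}")
        name, policy, kind, _res1, _res2, cmd, attr = fields
        attrs: Dict[str, str] = {}
        for kv in attr.split(";"):
            if not kv:
                continue
            key, _, value = kv.partition("=")
            attrs[key] = value
        entries.append(ExecAttr(name, policy, kind, cmd, attrs))
    return entries


def resolve(entries: List[ExecAttr], user_profiles: List[str],
            cmd: str, policy: str = "solaris") -> Optional[Dict[str, str]]:
    """Return the attrs pfexec would apply to cmd, or None if no profile
    assigned to the user covers it.  Profiles are searched in the order
    they are assigned to the user; the first matching entry wins, which is
    why a wildcard profile listed first masks a later, more specific one."""
    for prof in user_profiles:
        for entry in entries:
            if (entry.profile == prof and entry.policy == policy
                    and entry.kind == "cmd"
                    and entry.cmd in (cmd, "*")):
                return entry.attrs
    return None


def privileges_granted(attrs: Optional[Dict[str, str]]) -> Set[str]:
    """Privilege names pfexec would add to the process from privs=."""
    if attrs is None or "privs" not in attrs:
        return set()
    return {p for p in attrs["privs"].split(",") if p}


if __name__ == "__main__":
    table = parse_exec_attr(SAMPLE_EXEC_ATTR)
    for profiles in (["Media Backup", "All"], ["All", "Media Backup"], []):
        got = privileges_granted(resolve(table, profiles, "/usr/bin/cdrecord"))
        print(f"profiles={profiles!r:35} cdrecord privs={sorted(got)}")
```

The ordering case is the one worth checking on a real system: `profiles -l user` shows the order, and a user whose "All" profile precedes "Media Backup" gets a cdrecord with no extra privileges even though the exec_attr entry exists.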