prasad wrote:
>> 2. Use getrealpath() to determine the canonical
>> pathname for the file.
>>
>> 3. Look up the canonical pathname in the user's
>> profiles to find the
>> attributes (user/group ids and privileges).
>>
>
> Scott:
>
> My execution profiles database has an executable that has a symlink in the
> pathname (for historical reasons and now our users are used to it). Now
> pfexec is failing with permission denied because of the above logic.
>
> What are my options?
> a) Educate my users to use the new pathname
> b) Remove the symlink
>

All you need to do is ensure that the entry in the profile contains the
canonical pathname (i.e. with the symlink resolved). Users can invoke the
program using any pathname that resolves to the same canonical path.

For example, if you had /usr/bin/cat in a profile entry, users can invoke it
as either /usr/bin/cat or /bin/cat. [/bin is a symlink to /usr/bin.]

Scott
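
The lookup order described in this thread, as an added example that is not part of the original messages and is not pfexec's own code: it resolves the invoked path first, matches it against profile entries exactly as listed, and reports entries whose listed path still contains a symlink. It assumes the Solaris exec_attr(4) field layout name:policy:type:res1:res2:id:attr; the function names, the exact-match simplification (wildcard entries are skipped) and the sample entries are constructed for illustration.

```python
import os
import tempfile

def parse_cmd_entries(lines):
    """Yield (profile, path, attrs) from exec_attr-style lines.
    Assumed layout: name:policy:type:res1:res2:id:attr"""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)  # keep the attr field whole
        if len(fields) == 7 and fields[2] == "cmd":
            yield fields[0], fields[5], fields[6]

def lookup(invoked, lines):
    """Resolve the invoked path, then match it against entries as listed."""
    canonical = os.path.realpath(invoked)
    for profile, path, attrs in parse_cmd_entries(lines):
        if path == canonical:
            return profile, attrs
    return None  # no entry: the "permission denied" case from the thread

def non_canonical_entries(lines):
    """Return (profile, listed_path, canonical_path) for entries to fix."""
    findings = []
    for profile, path, _ in parse_cmd_entries(lines):
        if "*" in path:
            continue  # wildcard entries are out of scope for this check
        canonical = os.path.realpath(path)
        if canonical != path:
            findings.append((profile, path, canonical))
    return findings

def build_demo():
    """Constructed tree: <root>/legacy is a symlink to <root>/real."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.mkdir(os.path.join(root, "real"))
    tool = os.path.join(root, "real", "tool")
    open(tool, "w").close()
    os.symlink(os.path.join(root, "real"), os.path.join(root, "legacy"))
    return tool, os.path.join(root, "legacy", "tool")

if __name__ == "__main__":
    tool, legacy_tool = build_demo()
    # Constructed entries: one lists the symlinked path, one the canonical path.
    bad = ["Demo Profile:suser:cmd:::%s:euid=0" % legacy_tool]
    good = ["Demo Profile:suser:cmd:::%s:euid=0" % tool]
    print("symlinked entry :", lookup(legacy_tool, bad))
    print("canonical entry :", lookup(legacy_tool, good))
    print("entries to fix  :", non_canonical_entries(bad))
```
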