In-kernel pfexec implementation. [PSARC/2009/377 FastTrack timeout 07/10/2009]
Casper Dik
casper at sac.sfbay.sun.com
Fri Jul 3 05:43:38 PDT 2009
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
In-kernel pfexec implementation.
1.2. Name of Document Author/Supplier:
Author: Casper Dik
1.3 Date of This Document:
03 July, 2009
4. Technical Description
I'm sponsoring this fasttrack for myself.
This project proposes an in-kernel implementation of the
pfexec(1) command.
Release binding: minor.
The implementation of pfexec(1) is changed such that it
adds the PRIV_PFEXEC credential flag and then executes
the program. The execve() system call will notice the
PRIV_PFEXEC flag and will ask the pfexecd daemon
whether the file can be executed and which changes to the
credential are required.
The pfexecd is started at boot through SMF as "svc:/system/pfexecd".
Implementing pfexec in the kernel delivers the following advantages:
- pfshells come at no charge; this project will deliver
the following pf*sh*:
pfbash pfcsh pfksh pfksh93 pfsh pftcsh pfzsh
A pf*sh* starts, sets the PRIV_PFEXEC flag and executes
the shell. Code which supports profile shells in current
shells will be removed.
- Fewer privileges are needed in the Limit sets for
users in certain roles. (Unsafe privileges are not
required in the limit set unless required by the exec_attr
entry.)
- More fine grained control in exec_attr. E.g., instead
of creating an exec_attr for "/usr/sbin/mount", you
can now create different exec_attrs for each of the
mount commands in /usr/lib/fs/*.
- Profile shells are a bit more efficient (pfexec is no longer
executed by the profile shells; "pfexec" by hand will work
as before)
Additionally, this project will deliver "Forced Privileges" through
the exec_attr database:
- Unsafe privileges are not required to execute ping, traceroute,
etc. (If an executable is set-uid root, then the kernel
will lookup the Forced Privileges for that executable)
- Set-uid applications in that list will not start as root,
instead they run with the appropriate privileges.
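As an added illustration, not code from this case or from Solaris, here is a toy C model of the exec-time decision described above: the caller's PRIV_PFEXEC flag selects a profile-based exec_attr entry, and a set-uid root binary that has a Forced Privileges entry starts with those privileges instead of uid 0. The privilege bits, the profile name, the paths and the table rows are all constructed for the example.

```c
/*
 * Constructed model of the exec-time credential decision in this case.
 * Not the Solaris kernel, pfexecd or libsecdb code: privileges are a
 * toy bit mask and exec_attr(4) is an in-memory table.
 */
#include <string.h>

#define PF_PFEXEC        0x1u   /* stands in for the PRIV_PFEXEC flag */
#define PRIV_SYS_MOUNT   0x1u   /* toy privilege bits */
#define PRIV_NET_ICMP    0x2u

typedef struct {
    unsigned    flags;    /* process flags, e.g. PF_PFEXEC */
    unsigned    privs;    /* effective privilege set */
    int         euid;     /* 0 means root */
    const char *profile;  /* the user's one assigned profile (simplification) */
} cred_t;

/* One exec_attr-style row; an empty profile marks a Forced Privileges row. */
struct exec_attr { const char *profile; const char *path; unsigned privs; };

static const struct exec_attr exec_attr_db[] = {
    { "File System Management", "/usr/lib/fs/ufs/mount", PRIV_SYS_MOUNT },
    { "",                       "/usr/sbin/ping",        PRIV_NET_ICMP  },
};

static const struct exec_attr *lookup(const char *path, const char *profile) {
    size_t i, n = sizeof exec_attr_db / sizeof exec_attr_db[0];
    for (i = 0; i < n; i++)
        if (strcmp(exec_attr_db[i].path, path) == 0 &&
            strcmp(exec_attr_db[i].profile, profile) == 0)
            return &exec_attr_db[i];
    return NULL;
}

/* Credential the new image starts with, covering the cases in the text. */
static cred_t exec_cred(cred_t caller, const char *path, int setuid_root) {
    cred_t out = caller;
    const struct exec_attr *a;
    if (setuid_root) {
        a = lookup(path, "");                          /* Forced Privileges */
        if (a) { out.privs |= a->privs; return out; }  /* never becomes root */
        out.euid = 0;                                  /* classic set-uid root */
        return out;
    }
    if ((caller.flags & PF_PFEXEC) && (a = lookup(path, caller.profile)))
        out.privs |= a->privs;                         /* profile-shell exec */
    return out;                                        /* plain exec: unchanged */
}
```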
ppriv(1) will show the PRIV_PFEXEC flag:
% pftcsh
> ppriv $$
4812: sh
flags = PRIV_PFEXEC
E: basic
I: basic
P: basic
L: all
And ppriv(1) can make your shell a profile shell:
% ppriv -P $$
There is no restriction on setting PRIV_PFEXEC, as using "pfexec" is not
restricted.
Exported Interface name     Classification   Comments
PRIV_PFEXEC                 Committed        getpflags(2) <sys/priv.h>
svc:/system/pfexecd         Committed        pfexecd(1m)
pf*sh*                      Committed        pfexec(1)
new flag in ppriv           Committed        ppriv(1)
--- getpflags.2 Fri Jul 3 14:29:27 2009
+++ getpflags.2.new Fri Jul 3 14:34:05 2009
@@ -47,6 +47,12 @@
privilege debugging enabled. Processes can set and unset this
flag at will.
+ PRIV_PFEXEC
+
+ This one bit flag takes the value of 0 (unset) or 1 (set).
+ If this flag is set then all the commands are executed as if
+ they are executed from a profile shell.
+
NET_MAC_AWARE
NET_MAC_AWARE_INHERIT
These flags are available only if the system is configured
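Review bot: the new PRIV_PFEXEC paragraph does not say who may set the flag, or whether it survives execve(2) and is inherited by child processes; the case text states that setting it is unrestricted and that a pf*sh* sets it once and then executes the shell, so the man page should say both explicitly. "all the commands are executed as if they are executed from a profile shell" is also ambiguous about which commands are meant; suggest "subsequent execve(2) calls by this process behave as if the command were run from a profile shell: the kernel asks pfexecd(1m) whether the file may be executed and what credential changes apply".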
--- pfexec.1 Fri Jul 3 14:35:10 2009
+++ pfexec.1.new Fri Jul 3 14:36:08 2009
@@ -12,8 +12,16 @@
/usr/bin/pfcsh [ options ] [ argument ]...
+ /usr/bin/pftcsh [ options ] [ argument ]...
+
/usr/bin/pfksh [ options ] [ argument ]...
+ /usr/bin/pfksh93 [ options ] [ argument ]...
+
+ /usr/bin/pfbash [ options ] [ argument ]...
+
+ /usr/bin/pfzsh [ options ] [ argument ]...
+
DESCRIPTION
The pfexec program is used to execute commands with the attri-
butes specified by the user's profiles in the exec_attr(4) data-
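Review bot: only the SYNOPSIS is touched; the DESCRIPTION should also name pftcsh, pfksh93, pfbash and pfzsh and state that a profile shell now just sets the PRIV_PFEXEC flag and executes the underlying shell, since the case text says the profile-shell code in the shells themselves is being removed. Minor: the new entries are not kept in one consistent order (pftcsh and pfksh93 are placed next to their csh/ksh relatives while pfbash and pfzsh are appended at the end).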
--- ppriv.1 Fri Jul 3 14:29:27 2009
+++ ppriv.1.new Fri Jul 3 14:31:50 2009
@@ -45,6 +45,8 @@
-N Turns off privilege debugging for the processes or
command supplied.
+ -P Enable the PRIV_PFEXEC process attribute.
+
-s spec Modifies a process's privilege sets according to spec,
a specification with the format [AEILP][+-
=]privsetspec, containing no spaces, where:
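Review bot: the new -P entry should mirror the adjacent -N entry in scope and wording, e.g. "Enables the PRIV_PFEXEC process attribute for the processes or command supplied", so a reader knows whether -P applies to a pid list, a command, or both (the case text shows "ppriv -P $$"). The hunk also does not say whether -P may be combined with -s, nor whether the attribute can be cleared again; if it cannot, the man page should say so.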
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open