In-kernel pfexec implementation. [PSARC/2009/377 FastTrack timeout 07/10/2009]
Darren J Moffat
Darren.Moffat at sun.com
Fri Jul 3 06:08:07 PDT 2009
Casper Dik wrote:
> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> This information is Copyright 2009 Sun Microsystems
> 1. Introduction
> 1.1. Project/Component Working Name:
> In-kernel pfexec implementation.
> 1.2. Name of Document Author/Supplier:
> Author: Casper Dik
> 1.3 Date of This Document:
> 03 July, 2009
> 4. Technical Description
> I'm sponsoring this fasttrack for myself.
>
> This project proposes an in-kernel implementation of the
> pfexec(1) command.
>
> Release binding: minor.
>
> The implementation of pfexec(1) is changed such that it
> adds the PRIV_PFEXEC credential flag and then executes
> the program. The execve() system call will notice the
> PRIV_PFEXEC flag and it will ask the pfexecd daemon
> whether the file can be executed and which changes to the
> credential are required.
>
> The pfexecd is started at boot through SMF as "svc:/system/pfexecd".
I'm assuming here that pfexecd is running as root with all privileges?
Or is it able to run with a reduced set (for example pfexecd shouldn't I
think need most of the current basic privs or file_write from the new
set in PSARC/2009/378). Though it feels to me like it should be running
with all privs because otherwise a lower privileged process is acting
as an authority to hand out privs it doesn't actually have.

Sorry for not bringing this next one up in the prereview but it only
just popped into my head. In the current system pfexec itself will do
the nameservice lookup to find the exec_attr entry to use. If I
understand the new system it will be pfexecd doing that, right? So
this changes things with respect to per user nscd (needed for doing self
credential'd lookups) in that user_attr, prof_attr and exec_attr lookups
for 'pfexec' won't use the per user nscd? Or am I missing something?

In the pre-review we discussed whether or not a TX configuration would
have one pfexecd per system (in the global zone) or one per zone. This
would ensure that pfexecd "follows" what happens with nscd which can be
one in the global zone or one per zone. I can't tell from the case
material what the decision was on that.
--
Darren J Moffat
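The policy decision the case moves out of pfexec(1) and into pfexecd is the exec_attr lookup: walk the user's profiles (including nested ones from prof_attr), find the first entry matching the command path, and return the credential changes it specifies. The following is an added model of that lookup written for this thread; it is not code from the PSARC case, from pfexecd or from OpenSolaris. It uses the real colon-separated exec_attr(4) and prof_attr(4) layouts, but the database lines, the assumption that only `policy=solaris` entries count and the depth-first profile ordering are constructed for the example.

```python
"""Toy model of the exec_attr lookup pfexec(1)/pfexecd performs before exec.

Added illustration, not OpenSolaris code. The database lines below are
constructed; field layouts follow prof_attr(4) and exec_attr(4).
"""

# Constructed prof_attr(4) lines: name:res1:res2:desc:attr
PROF_ATTR = """\
Network Management:::Manage the host and network configuration:profiles=Network Link Security
Network Link Security:::Manage network link security:
All:::Execute any command as the user or role:help=RtAll.html
"""

# Constructed exec_attr(4) lines: name:policy:type:res1:res2:id:attr
EXEC_ATTR = """\
Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config
Network Link Security:solaris:cmd:::/usr/sbin/dladm:privs=sys_dl_config
All:solaris:cmd:::*:
"""

PROF_FIELDS = ("name", "res1", "res2", "desc", "attr")
EXEC_FIELDS = ("name", "policy", "type", "res1", "res2", "id", "attr")


def parse_attr(text):
    """Parse the 'key=value;key=value' attr column into a dict.

    List-valued keys are split on ',', numeric id keys become ints.
    """
    attrs = {}
    for kv in filter(None, text.split(";")):
        key, _, value = kv.partition("=")
        if key in ("privs", "limitprivs", "profiles"):
            attrs[key] = [v for v in value.split(",") if v]
        elif key in ("uid", "euid", "gid", "egid"):
            attrs[key] = int(value)
        else:
            attrs[key] = value
    return attrs


def parse_db(text, fields):
    """Split colon-separated database lines into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split(":")
        if len(cols) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        row = dict(zip(fields, cols))
        row["attr"] = parse_attr(row["attr"])
        rows.append(row)
    return rows


def expand_profiles(assigned, prof_attr):
    """Return profiles in search order, following nested profiles= once each.

    Assumption for this model: depth-first, in the order assigned; cycles
    and unknown profile names are ignored rather than treated as errors.
    """
    by_name = {p["name"]: p for p in prof_attr}
    order, seen = [], set()

    def visit(name):
        if name in seen or name not in by_name:
            return
        seen.add(name)
        order.append(name)
        for sub in by_name[name]["attr"].get("profiles", []):
            visit(sub)

    for name in assigned:
        visit(name)
    return order


def lookup_exec(path, profiles, exec_attr):
    """First matching 'cmd' entry wins; an id of '*' matches any path.

    Returns the attr dict (possibly empty = no credential change) or None
    when no profile grants the command at all.
    """
    for prof in profiles:
        for entry in exec_attr:
            if (entry["name"] != prof or entry["type"] != "cmd"
                    or entry["policy"] != "solaris"):
                continue
            if entry["id"] == path or entry["id"] == "*":
                return entry["attr"]
    return None


def resolve(assigned_profiles, path, prof_text=PROF_ATTR, exec_text=EXEC_ATTR):
    """What this model's 'pfexecd' would answer for one exec request."""
    profiles = expand_profiles(assigned_profiles, parse_db(prof_text, PROF_FIELDS))
    return lookup_exec(path, profiles, parse_db(exec_text, EXEC_FIELDS))


if __name__ == "__main__":
    for profs, cmd in [(["Network Management"], "/usr/sbin/dladm"),
                       (["All"], "/usr/bin/ls"),
                       (["Network Link Security"], "/usr/sbin/ifconfig")]:
        print(profs, cmd, "->", resolve(profs, cmd))
```

The return value of `resolve` is the "which changes to the credential are required" answer the proposal has execve() obtain from pfexecd: a dict of privileges or ids to apply, an empty dict when the command is allowed unchanged, and `None` when no profile covers it. Profile order matters, which is why a broad `All` entry assigned after a narrower profile does not shadow the narrower one's privilege grant.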