In-kernel pfexec implementation. [PSARC/2009/377 FastTrack timeout 07/10/2009]
Nicolas Williams
Nicolas.Williams at Sun.COM
Sun Jul 5 05:05:14 PDT 2009
On Sun, Jul 05, 2009 at 06:37:18AM -0500, Nicolas Williams wrote:
> Are you saying that there's now a way to separately specify privileges
> to "force" on exec() beyond what the process has in its limit set, or
> that the kernel grants less than "full privilege" (currently euid == 0 +
> oE = oP = L) to processes exec()ing set-uid programs for which there
> exist exec_attr(4) entries?
>
> If the former then I'd expect there should be more details. If the
> latter, then, does that apply regardless of whether PRIV_PFEXEC is set?
And if the latter, what happens when exec()ing set-uid programs without
matching exec_attr(4) entries? Is there any way to apply a wildcard
rule to grant not privileges to processes running set-uid programs not
listed in exec_attr(4)?
Nico
--
More information about the opensolaris-arc
mailing list