In-kernel pfexec implementation. [PSARC/2009/377 FastTrack timeout 07/10/2009]
Casper.Dik at sun.com
Casper.Dik at sun.com
Sun Jul 5 08:14:15 PDT 2009
>On Sun, Jul 05, 2009 at 06:37:18AM -0500, Nicolas Williams wrote:
>> Are you saying that there's now a way to separately specify privileges
>> to "force" on exec() beyond what the process has in its limit set, or
>> that the kernel grants less than "full privilege" (currently euid == 0 +
>> oE = oP = L) to processes exec()ing set-uid programs for which there
>> exist exec_attr(4) entries?
>>
>> If the former then I'd expect there should be more details. If the
>> latter, then, does that apply regardless of whether PRIV_PFEXEC is set?
>
>And if the latter, what happens when exec()ing set-uid programs without
>matching exec_attr(4) entries? Is there any way to apply a wildcard
>rule to grant not privileges to processes running set-uid programs not
>listed in exec_attr(4)?
The current implementation leaves the semantics of
a set-uid root executable without an exec_attr entry
unchanged.
Casper
More information about the opensolaris-arc
mailing list