In-kernel pfexec implementation. [PSARC/2009/377 FastTrack timeout 07/10/2009]
Casper.Dik at sun.com
Tue Jul 7 09:22:57 PDT 2009
>Does this mean that the need for the existence of the /usr/bin/pfexec program
>will remain? OK, from reading below this seems to be true.
Yes, that is correct.
>... or will there be a file system attribute that allows to create spfexec
>executable file behavior?
No. (Note that exec_attrs belong to a profile, not the executable)
>
>> The pfexecd is started at boot through SMF as "svc:/system/pfexecd".
>>
>> Implementing pfexec in the kernel delivers the following advantages:
>>
>>
>> - pfshells come at no charge; this project will deliver
>> the following pf*sh*:
>> pfbash pfcsh pfksh pfksh93 pfsh pftcsh pfzsh
>>
>> A pf*sh* starts, sets the PRIV_PFEXEC flag and executes
>> the shell. Code which supports profile shells in current
>> shells will be removed.
>
>You mean the code that shifts the arg vector and that prepends /usr/bin/pfexec ?
Correct.
>> /usr/bin/pfcsh [ options ] [ argument ]...
>>
>> + /usr/bin/pftcsh [ options ] [ argument ]...
>> +
>> /usr/bin/pfksh [ options ] [ argument ]...
>>
>> + /usr/bin/pfksh93 [ options ] [ argument ]...
>> +
>> + /usr/bin/pfbash [ options ] [ argument ]...
>> +
>> + /usr/bin/pfzsh [ options ] [ argument ]...
>> +
>
>Will there be the possibility to turn on/off this feature while the shell
>is running like I did implement in "bsh" and "sh" in
>ftp://ftp.berlios.de/pub/schily/
>
>set -P # Turn on profile mode
>set +P # Turn off profile mode
>
>set -o profile # Turn on profile mode
>set +o profile # Turn off profile mode
No; that use is wrong. A profile can be defined such that you can only
run a few executables. Being able to disable the "profileness" of a shell
is a bug because of that feature.

I tried ksh93 and ksh and neither appears to support those.

Casper