PSARC 2009/377 In-kernel pfexec implementation

A larger putback found its way into OpenSolaris. It's headlined by the changes introduced by PSARC case 2009/377, In-kernel pfexec implementation. This PSARC case replaces the old mechanism of providing profile shells with a new, kernel-integrated one:

The implementation of pfexec(1) is changed such that it adds the PRIV_PFEXEC credential flag and then executes the program. The execve() system call will notice the PRIV_PFEXEC flag and it will ask the pfexecd daemon whether the file can be executed and which changes to the credential are required.

Another interesting change introduced by this PSARC case is a different behaviour for set-uid binaries:

Additionally, this project will deliver "Forced Privileges" through the exec_attr database:
- Unsafe privileges are not required to execute ping, traceroute, etc. (If an executable is set-uid root, then the kernel will look up the Forced Privileges for that executable)
- Set-uid applications in that list will not start as root, instead they run with the appropriate privileges.
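To make the two decisions described above concrete (what pfexecd answers execve() for a command run under pfexec, and what the kernel does with a set-uid root binary that appears in the Forced Privileges profile), here is an added model written for this page in POSIX sh. It is not OpenSolaris code and not the pfexecd implementation; it only walks constructed exec_attr(4) and user_attr(4) lines in the same colon-separated layout that the real databases use. The user names, the profile assignments and the privilege sets given to ping and traceroute are assumptions for the example, and the model ignores things the real system also consults, such as roles, the profiles granted to everyone through policy.conf, and attr fields that carry several semicolon-separated key=value pairs.

```sh
#!/bin/sh
# Model of the pfexec / Forced Privileges decisions, driven by constructed
# exec_attr(4) and user_attr(4) data. Illustration only, not OpenSolaris code.

# Constructed exec_attr(4) lines: name:policy:type:res1:res2:id:attr
# (paths, profiles and privilege sets are assumed for this example)
EXEC_ATTR='Forced Privileges:solaris:cmd:::/usr/sbin/ping:privs=net_icmpaccess,sys_ip_config
Forced Privileges:solaris:cmd:::/usr/sbin/traceroute:privs=net_icmpaccess,net_rawaccess
Network Management:solaris:cmd:::/usr/sbin/ifconfig:uid=0
Network Management:solaris:cmd:::/usr/sbin/snoop:privs=net_observability
Basic Solaris User:solaris:cmd:::/usr/bin/cdrw:privs=file_dac_read
'

# Constructed user_attr(4) lines: user:qualifier:res1:res2:attr
USER_ATTR='alice::::profiles=Network Management,Basic Solaris User
bob::::profiles=Basic Solaris User
'

# exec_attr_lookup PROFILE PATH: print the attr field of the matching entry, if any
exec_attr_lookup() {
    printf '%s\n' "$EXEC_ATTR" |
        awk -F: -v p="$1" -v f="$2" '$1 == p && $6 == f { print $7; exit }'
}

# user_profiles USER: print the user's comma-separated profile list
user_profiles() {
    printf '%s\n' "$USER_ATTR" |
        awk -F: -v u="$1" '$1 == u { sub(/^profiles=/, "", $5); print $5; exit }'
}

# pfexec_decide USER PATH: the answer pfexecd gives execve() when PRIV_PFEXEC is set.
# Prints "PROFILE:ATTRS" for the first profile (in user_attr order) that lists PATH,
# or "unchanged" when no profile does; pfexec then runs the command with the
# caller's ordinary credentials.
pfexec_decide() {
    profiles=$(user_profiles "$1")
    if [ -n "$profiles" ]; then
        old_ifs=$IFS
        IFS=,
        for prof in $profiles; do
            IFS=$old_ifs
            attrs=$(exec_attr_lookup "$prof" "$2")
            if [ -n "$attrs" ]; then
                echo "$prof:$attrs"
                return 0
            fi
        done
        IFS=$old_ifs
    fi
    echo unchanged
}

# forced_privs PATH SETUID_ROOT: the kernel-side lookup for a set-uid root binary.
# Prints the privilege set from the Forced Privileges profile when the binary is
# listed there (it does not start as root), "uid=0" when it is set-uid root but
# unlisted (classic behaviour), and "no-change" when it is not set-uid root at all.
forced_privs() {
    if [ "$2" != 1 ]; then
        echo no-change
        return 0
    fi
    attrs=$(exec_attr_lookup "Forced Privileges" "$1")
    if [ -n "$attrs" ]; then
        echo "${attrs#privs=}"
    else
        echo uid=0
    fi
}

# Demonstration
for u in alice bob carol; do
    printf '%s: pfexec /usr/sbin/ifconfig -> %s\n' "$u" "$(pfexec_decide "$u" /usr/sbin/ifconfig)"
done
printf 'set-uid root /usr/sbin/ping      -> %s\n' "$(forced_privs /usr/sbin/ping 1)"
printf 'set-uid root /usr/bin/somebinary -> %s\n' "$(forced_privs /usr/bin/somebinary 1)"
```

The point to check on a real system is the second function: with the Forced Privileges entries in place, a set-uid root ping is started with only the listed privileges, so a bug in ping no longer yields a root shell, while a set-uid root binary that nobody added to the profile still gets the full uid 0 it always had. Review that list with the same care as the rest of exec_attr, since an entry there is what decides whether a set-uid binary is confined or not.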

One big advantage of the new in-kernel implementation is that profile shells are simple to implement now, so there will be a pfbash, pfzsh and pftcsh. A profile shell is a hard link to a regular Solaris shell that enables checking of the privileges assigned to the role. In the past the shell code itself had to be aware of the RBAC configuration, which wasn't the case for bash, zsh and tcsh. Now that this part has moved into the kernel, all shells use the common infrastructure.

Another interesting feature of this change: the introduction of the FILE_READ and FILE_WRITE privileges, which came with the putback of the results of PSARC case 2009/378, enables you to create read-only and write-only processes.