> Date: Wed, 10 Dec 2008 09:38:56 -0500
> From: James Carlson <james.d.carlson at sun.com>
>
> > > usr/src/cmd/ksh/Makefile
> > >
> > > 32:nit: 'pfrksh' seems like an odd combination of beasts to me.
> >
> > See http://bugs.opensolaris.org/view_bug.do?bug_id=6763029 ("restricted
> > profile shell option (pfrsh) would be convenient for setting up
> > restricted accounts"). The idea is to have "profile shell" and
> > "restriced shell" mode active at the same time. ksh93 now properly
> > detects this condition based on the executable name being used.
>
> OK ... it still seems odd to me, as "restricted shell" is all about
> nailing down the user's access and a "profile shell" normally grants
> extra privileges.
>
> Have you discussed the combination with any of the RBAC folks? The
> idea seems (to me) to confuse the separate notions of "user" and
> "role."
>
> Existing restricted shells typically aren't used for scripts --
> they're assigned to user accounts to restrict what those users do.
> Profile shells, by contrast, typically aren't assigned to login
> accounts -- they're invoked in scripts or by users from within other
> shells. I suppose it's possible to combine these two for a very
> special user, but it'd be interesting to see some concrete usage
> scenarios, particularly ones that (in some way) work better with this
> combination shell.
>
> In any event, that CR you're citing is in "Dispatched" ("nobody
> cares") state; it'd be good to have someone add an evaluation and get
> it into a state where you can integrate. (Yes, I know that's
> something you can't control directly ...)
>
6763029 has been moved to the rbac group (with a reference to
this code review discussion), so it can be properly evaluated.
April
