> Which again re-enforces that system_noshell() *is* intended to be a
> replacement for system(3C).
>
> I have not problem with providing a variant of system(3C) that is more
> secure. However I'm not convinced that a new symbol - and thus changes
> to existing code to use it. Is the best way to do it. I wonder if this
> can be done more like the non exec stack, ie something that gets set at
> build time.
I too have no real problem with a more secure convenience function
version of system(3). I'm not convinced that this is it. Or without
changing to existing source code that system_noshell(3) will really
provide benefit sought.
Is part of this project to go through Solaris and fix callers
of system(3)? I didn't see that in the proposal.
I'm concerned about statements like:
"SN_RESETIDS If this flag is set, the file is executed by resetting
the effective user ID and the effective group ID of the
child process executing the file to the real user ID and
the real group ID of the parent.
The system_noshell() function resets the user and group IDs to those
of the real user, when used in setuid binaries. Use system_noshell_x()
and system_noshell_xv() to override this behavior. There will be no
change in privileges when the system_noshell() function is used in
non setuid binaries."
What does setuid have to do with privilege? Is this just imprecision
and the intent is setuid 0 -- thus implying all zone "forced"
privileges? Why wouldn't I want the ability to reset the privileges
to basic (or some priv set passed in)?
I'd think a convenince function should have similar ability to
if ((pid = fork()) != 0) {
/* parent */
while (pid != waitpid(pid, &status)) {
continue;
}
return (WEXITSTATUS(status);
} else if (pid == -1) {
/* couldn't fork */
return (-1);
}
/* child */
if (resetuids) {
(void) setuid(getuid());
(void) setgid(getgid());
}
if (resetprivs) {
(void) setppriv(PRIV_SET, PRIV_LIMIT, basic);
}
if (execv(path, argv) == -1) {
_exit(127)
}
/* NOPATH */
The project team should note that setuid 0 is not the only way
a program gains privilege. pfexec(1) -P and pfexec from a granted
Rigths Profile, svc.startd method_context are examples of other
ways. Is the intent to help these programs also?
Perhaps I've missed something as to why system_noshell() is being
proposed or proposed as it is.
Maybe some concrete usage examples (see Glenn's comment)).
Gary..
