| author | Alex Wilson <alex.wilson@joyent.com> | 2016-07-08 15:11:18 -0700 |
|---|---|---|
| committer | Robert Mustacchi <rm@joyent.com> | 2016-10-15 15:30:23 -0700 |
| commit | 7d8cb570f5834dc4f535a463c1c0839a57ada912 (patch) | |
| tree | 571c297b53c4565a92ce03e68d8abd5c6f5ee813 | |
| parent | d2a70789f056fc6c9ce3ab047b52126d80b0e3da (diff) | |
| download | illumos-joyent-7d8cb570f5834dc4f535a463c1c0839a57ada912.tar.gz | |
7418 pfexec and the case of the missing error message
Reviewed by: Joshua M. Clulow <jmc@joyent.com>
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Approved by: Dan McDonald <danmcd@omniti.com>
| -rw-r--r-- | usr/src/man/man1/pfexec.1 | 13 | ||||
| -rw-r--r-- | usr/src/uts/common/os/klpd.c | 12 |
2 files changed, 18 insertions, 7 deletions
diff --git a/usr/src/man/man1/pfexec.1 b/usr/src/man/man1/pfexec.1
index 07b89eefa2..66e5e08420 100644
--- a/usr/src/man/man1/pfexec.1
+++ b/usr/src/man/man1/pfexec.1
@@ -3,7 +3,7 @@
 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH PFEXEC 1 "Mar 3, 2003"
+.TH PFEXEC 1 "Jul 8, 2016"
 .SH NAME
 pfexec, pfsh, pfcsh, pfksh \- execute a command in a profile
 .SH SYNOPSIS
@@ -33,7 +33,6 @@ pfexec, pfsh, pfcsh, pfksh \- execute a command in a profile
 .fi
 .SH DESCRIPTION
-.sp
 .LP
 The \fBpfexec\fR program is used to execute commands with the attributes specified by the user's profiles in the \fBexec_attr\fR(4) database. It is
@@ -53,9 +52,13 @@ The privileges specification on the commands line is parsed using union of the privileges specified using the "\fBprivs\fR" keyword in \fBprof_attr\fR(4) for all the user's profiles and added to the inheritable set before executing the command.
-.SH USAGE
 .sp
 .LP
+For \fBpfexec\fR to function correctly, the \fBpfexecd\fR daemon must be running
+in the current zone. This is normally managed by the
+"\fBsvc:/system/pfexec:default\fR" SMF service (see \fBsmf\fR(5)).
+.SH USAGE
+.LP
 \fBpfexec\fR is used to execute commands with predefined process attributes, such as specific user or group \fBID\fRs.
 .sp
@@ -79,7 +82,6 @@ This command runs \fBchown user file\fR with all privileges assigned to the current user, not necessarily all privileges.
 .SH EXIT STATUS
-.sp
 .LP
 The following exit values are returned:
 .sp
@@ -101,7 +103,6 @@ An error occurred.
 .RE
 .SH SEE ALSO
-.sp
 .LP
 \fBcsh\fR(1), \fBksh\fR(1), \fBprofiles\fR(1), \fBsh\fR(1), \fBexec_attr\fR(4),
-\fBprof_attr\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5)
+\fBprof_attr\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5), \fBsmf\fR(5)
diff --git a/usr/src/uts/common/os/klpd.c b/usr/src/uts/common/os/klpd.c
index 55734ae757..8592b47021 100644
--- a/usr/src/uts/common/os/klpd.c
+++ b/usr/src/uts/common/os/klpd.c
@@ -39,6 +39,8 @@
 #include <sys/pathname.h>
 #include <sys/varargs.h>
 #include <sys/zone.h>
+#include <sys/cmn_err.h>
+#include <sys/sdt.h>
 #include <netinet/in.h>
 #define ROUNDUP(a, n) (((a) + ((n) - 1)) & ~((n) - 1))
@@ -860,8 +862,13 @@ pfexec_call(const cred_t *cr, struct pathname *rpnp, cred_t **pfcr,
 klpd_hold(pfd);
 mutex_exit(&myzone->zone_lock);
- if (pfd == NULL)
+ if (pfd == NULL) {
+ DTRACE_PROBE2(pfexecd__not__running,
+ zone_t *, myzone, char *, rpnp->pn_path);
+ uprintf("pfexecd not running; pid %d privileges not "
+ "elevated\n", curproc->p_pid);
 return (0);
+ }
 if (pfd->klpd_door_pid == curproc->p_pid) {
 klpd_rele(pfd);
@@ -896,6 +903,9 @@ pfexec_call(const cred_t *cr, struct pathname *rpnp, cred_t **pfcr,
 case EINTR:
 /* FALLTHROUGH */
 default:
+ DTRACE_PROBE4(pfexecd__failure,
+ int, dres, zone_t *, myzone,
+ char *, rpnp->pn_path, klpd_reg_t *, pfd);
 goto out;
 }
 } |
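Review bot: The `pfd == NULL` branch of pfexec_call still ends in `return (0)`, so after the new warning the exec appears to carry on with the caller's unmodified credentials, and nothing in the hunk says that this is intentional. I would put `/* No pfexecd registered for this zone: warn, then let the exec proceed without elevation. */` above the `DTRACE_PROBE2` so the fail-without-elevation behaviour is explicit for the next reader. The `uprintf` is also issued on every call with no throttle visible here, and it names only the pid while the probe carries `rpnp->pn_path`; adding the path to the message would let a user match the warning to the command that ran unprivileged. The function starts and ends outside the hunk, so the meaning of the 0 return is inferred from the message text rather than read from the code.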
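Review bot: In the `default:` arm of the switch in the last klpd.c hunk the failure is reported only through `DTRACE_PROBE4(pfexecd__failure, ...)` before `goto out`, so a user whose request fails here still sees no message, unlike the `pfd == NULL` path earlier in this diff. `case EINTR:` falls through into the same arm, which means a probe named as a failure also fires for an interrupted call; a comment such as `/* EINTR lands here too; consumers should filter on dres */` would make that clear to anyone alerting on the probe. If the silence on this path is deliberate, a one-line comment saying so would help; otherwise a matching `uprintf` belongs next to the probe. What `out:` does with the result is outside the hunk.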
