Girish M G writes: > > Does the new library somehow help the application to bracket the use > > of that privilege so that the use is "safe enough"? > > I guess, we could provide some 'privileges bracketing', using functions > defined in <priv.h>, allowing the 'file_dac_write' to be enabled only > when needed and will be disabled for the most part. > > /sbin/ipadm should start with that privilege turned off. Inside the > library, while doing the persistence, we will enable the privilege and > once the persistence is done we will disable the privilege.
I think that would certainly make the design more palatable. (Better still to go towards having a split design that allows the library to run without needing to write to that central file, but I can understand why you'd want to avoid that sort of complexity.) -- James Carlson, Solaris Networking <james.d.carlson at sun.com> Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084 MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
