On Mon, 2009-03-02 at 14:21 -0500, Sowmini.Varadhan at Sun.COM wrote:
> On (03/02/09 12:51), Sebastien Roy wrote:
> > 
> > This is unrelated to the parsing discussion, but here's a question:  The
> > ipadm database update/access code will be executed in the context of the
> > caller?
> > 
> > I ask because this means that the caller has to have write permissions
> > in the database file, and that may conflict with the RBAC model where
> > any user with the appropriate authorization should be able to execute the
> > authorized operation.
> > 
> 
> We are considering using a model similar to that used for dladm/flowadm:
> have an ipadm RBAC role with auths similar to those for dladm:
> i.e., auths=solaris.smf.manage.wpa,solaris.smf.modify.

The libdladm model requires that writing to the database be done by
dlmgmtd which is run as the dladm user (the datalink.conf file is only
writable by the dladm user).  Permissions to write to the file are not
related to any authorizations AFAIK.  How will this work for libipadm?

-Seb


