On 2009-03-02 12:33, Sebastien Roy wrote:
> On Mon, 2009-03-02 at 14:55 -0500, Sowmini.Varadhan at Sun.COM wrote:
>> On (03/02/09 14:48), Sebastien Roy wrote:
>>>> We are considering using a model similar to that used for dladm/flowadm:
>>>> have an ipadm RBAC role with auths similar to those for dladm:
>>>> i.e., auths=solaris.smf.manage.wpa,solaris.smf.modify.
>>> The libdladm model requires that writing to the database be done by
>>> dlmgmtd which is run as the dladm user (the datalink.conf file is only
>>> writable by the dladm user).  Permissions to write to the file are not
>>> related to any authorizations AFAIK.  How will this work for libipadm?
>> How does this work for flowadm, which afaict writes to flowadm.conf
>> without dlmgmtd being the intermediary?
> 
> I don't know, I'm not that familiar with the design/implementation of
> flowadm.  Does it require being run as root to create a flow?  If so,
> then I'm not quite sure why flowadm.conf is owned by the dladm user.
> 
Probably created by the package/bfu script? Although I don't see the
related code. I tried to delete flowadm.conf and run a "flowadm add-flow"
command; flowadm.conf is then created and owned by root.

- Cathy
