Sebastien Roy writes:
> On Mon, 2009-03-02 at 14:21 -0500, Sowmini.Varadhan at Sun.COM wrote:
> > We are considering using a model similar to that used for dladm/flowadm:
> > have an ipadm RBAC role with auths similar to those for dladm:
> > i.e., auths=solaris.smf.manage.wpa,solaris.smf.modify.
>
> The libdladm model requires that writing to the database be done by
> dlmgmtd which is run as the dladm user (the datalink.conf file is only
> writable by the dladm user). Permissions to write to the file are not
> related to any authorizations AFAIK. How will this work for libipadm?

I think the libdladm model is weak in this area and could use some work. It should use auths correctly *and* do auditing when it grants access based on auths. It doesn't seem to do that.

--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
