> Besides the somewhat questionable duplication of the SCF mechanisms
> that Sowmini cites, there's another important problem with the
> existing dladm/dlmgmtd mechanism: security.
>
> The existing design checks that the caller holds sys_dl_config and/or
> sys_net_config, but then doesn't go on to audit this access-granting
> mechanism. The auditing (if any is done at all) is done out in the
> *client* (see audit_secobj in dladm), and not where the access itself
> is checked.
>
> Someone with those privileges could write his own non-auditing utility
> and just walk right by this security measure. That isn't supposed to
> happen.

I'm not sure I follow this. If you have sufficient privileges, you can always bypass auditing by writing your own utilities.

> User space things should be checking authorizations (with
> chkauthattr(3SECDB)) instead of privileges, and then auditing the
> results at the point where the enforcement is done.

-- meem
