On 03/10/09 20:01, Peter Memishian wrote:
> > > While this will work for ipadm, I don't think this is architecturally
> > > sound. For instance, consider the case where an application links against
> > > a library (e.g., libnwam) that in turn links against libipadm. Now that
> > > application needs to have something in /etc/security/exec_attr to satisfy
> > > an implementation detail of libnwam (the fact that it uses libipadm).
> >
> > It would need to have file_dac_write iff it was doing IP configuration.
>
> in.routed does IP configuration; would it have this?

If it does need 'write' access to the 'libipadm' data store then yes it should have that privilege.
In other words if 'in.routed' does any persistent operations then it would need 'file_dac_write' privilege.

~Girish
