Peter Memishian wrote:
> > Today, to access or set TCP/IP network parameters, one needs
> > PRIV_SYS_IP_CONFIG and it's defined in privileges(5)
> >
> > ---------
> > PRIV_SYS_IP_CONFIG
> >
> > Allow a process to configure network parameters for TCP/IP using ndd.
> > Allow a process access to otherwise restricted TCP/IP information
> > using ndd.
> > ---------------
> >
> > Now should we restrict the output of the following subcommands
> >
> > (a) ipadm show-prop (shows module specific NDD properties)
> > (b) ipadm show-ifprop (shows interface specific NDD properties)
> >
> > like we do for ndd(1M), today?
> >
> > However, for dladm(1M), with Sebastien's PSARC/2008/473 push, some of
> > the 'dladm show-*' commands need no privileges. What is the expected
> > behavior here?
>
> I see no compelling reason to restrict the ability to see the current
> values of properties.

The reason /sbin/ndd restricts access to property values is that to
do 'open("/dev/ip", ..)' you need the net_rawaccess privilege. Now, if we
don't restrict, then it would mean relaxing that privilege.

~Girish