On 08/05/09 02:10, Peter Memishian wrote:
> > > I see no compelling reason to restrict the ability to see the current
> > > values of properties.
> >
> > The reason /sbin/ndd restricts access to property values is that to
> > do 'open("/dev/ip", ..)' you need the net_rawaccess privilege.
>
> I'm aware.
>
> > Now, if we don't restrict then it would mean to relax that privilege.
>
> I'm not sure what you're getting at. The verbiage is specific to ndd
> knobs.
We have made /sbin/ndd use libipadm.so for the following modules: ip, tcp,
udp and sctp. With this we could get rid of ND_SET/ND_GET/nd_load, et al.
for these modules, and both ndd and ipadm would be working on the same copy
of the property in the kernel.
So if we allow ipadm show-prop to display properties for any user, then
ndd -get /dev/ip <prop_name> would work too for that user. This would
mean that we broke the "net_rawaccess" privilege, which was needed to
access TCP/IP information from ndd.
That was my concern.
thanks
~Girish