On Wed, 2009-08-05 at 11:41 -0400, Girish Moodalbail wrote:
> On 08/05/09 02:10, Peter Memishian wrote:
> > > > I see no compelling reason to restrict the ability to see the current
> > > > values of properties.
> > >
> > > The reason /sbin/ndd restricts access to property values is that to
> > > do 'open("/dev/ip", ..)' you need the net_rawaccess privilege.
> >
> > I'm aware.
> >
> > > Now, if we don't restrict then it would mean to relax that privilege.
> >
> > I'm not sure what you're getting at. The verbiage is specific to ndd
> > knobs.
>
> We have made /sbin/ndd use libipadm.so for the following modules: ip, tcp,
> udp and sctp. With this we could get rid of ND_SET/ND_GET/nd_load, et al.
> for these modules, and both ndd and ipadm would be working on the same copy
> of the property in the kernel.
>
> So if we allow ipadm show-prop to display properties for any user, then
> ndd -get /dev/ip <prop_name> would work too for that user. This would
> mean that we broke the "net_rawaccess" privilege, which was needed to
> access TCP/IP information from ndd.
We haven't broken anything by doing that, we've made things better. The
privilege requirement around ndd -get <foo> was an artifact of the
implementation, and not a documented requirement.
-Seb