On (08/05/09 10:43), Peter Memishian wrote:
>
> > We haven't broken anything by doing that, we've made things better. The
> > privilege requirement around ndd -get <foo> was an artifact of the
> > implementation, and not a documented requirement.
>
> I agree that it's an artifact, but as Girish points out, it was indeed
> documented (in privileges(5)). But I see no issue with removing that
> verbiage in the documentation and broadening the phrasing -- e.g.:
>
>     PRIV_SYS_IP_CONFIG
>
>         Allow a process to configure a system's IP interfaces and
>         routes. Allow a process to configure TCP/IP parameters. Allow a
>         process to pop anchored STREAMS modules with matching zoneid.
>

I think the question is whether we should allow "ndd -get .." to succeed for non-root users. My answer to that question would be "yes", and that would not require any changes to the above (i.e., to set anything, you would still need to be privileged) - Girish?

--Sowmini
