Looks good -- only a couple small comments and nits.

 > 1 Introduction
 > ==============
 > 
 >     This case proposes two changes related to the dlmgmtd daemon:
 > 
 >     1) Change the dlmgmtd daemon to be run by the "dladm" user, and no extra
 >        privileges are required.
 > 
 >     2) Change the dlmgmtd door file from /etc/.dlmgmt_door to
 >        /etc/svc/volatile/dlmgmt/dlmgmt_door. Remove the /etc/.dlmgmt_door
 >        file from the SUNWcsr package.
 > 

I wonder if /etc/svc/volatile/dladm would be more symmetric with the
existing /etc/dladm directory?  (Even if it's only used by dlmgmt at this
point, I suspect if a dladm use came up we'd want to use it for the
purpose.)  Also, the introduction could make it clear that we're
introducing this directory.

 > 2. Details
 > ==========
 > 
 >  - Privileges for dlmgmtd
 > 
 >     As part of PSARC/2008/002, we already limit privileges of the dlmgmtd
 >     daemon to be only "file_dac_write, file_chown_self, sys_mount, and
 >     sys_net_config", but since dlmgmtd is still run by uid 0, it is
 >     still vulnerable as it still the unnecessary privileges (e.g., read

s/the unnecessary/has unnecessary/

 >     access to all root owned files).
 > 
 >     We propose to change the dlmgmtd daemon to be run by the "dladm" user.
 >     Note that the "dladm" user already exists and owns the files under
 >     /etc/dladm. The dlmgmtd daemon needs to access the files under
 >     /etc/dladm, so it is nature to run dlmgmtd by "dladm".

s/nature/natural/

 >     A /etc/svc/volatile/dlmgmt directory will be created and will be owned
 >     by "dladm". This directory will be used to hold the temporary datalink
 >     configuration files and the dlmgmtd door file (discussed below).

Would be good to explicitly cover why /var/run can't be used.

 >  - Door file for dlmgmtd
 > 
 >     As part of PSARC/2006/299, we proposed the dlmgmtd daemon to communicate
 >     with datalink management interfaces consumers using a door located in
 >     /etc (/etc/.dlmgmt_door). Because the dlmgmtd daemon is started very
 >     early at boot, we choose to make the /etc/.dlmgmt_door file as part of

s/at boot/in boot/, s/choose/chose/, s/as part/part/

 >     the SUNWcsr package, to avoid creating the door file before the root

s/creating/having to create/

 >     FS becomes writable.
 > 
 >     Several issues are found related to the above implementation though:
 > 
 >     1) Missing /etc/.dlmgmt_door file after flashinstall
 > 
 >        In the case of flashinstall, the flarcreate's "fdo" command excludes
 >        all the door files because "archiver (cpio/pax) unable to archive
 >        DOOR and SOCKET files, and it gives error". As a result, the
 >        /etc/.dlmgmt_door file is excluded by flarcreate and hence will not
 >        exist on the system after flashinstall. This causes the failure of
 >        the network/datalink-management service (which starts dlmgmtd) and
 >        an unusable system.
 > 
 >     2) After system is booted, "pkgchk -n SUNWcsr" reports error
 > 
 >        Because a file is never packaged as a door, the /etc/.dlmgmt_door
 >        file is packaged as part of SUNWcsr (file type 'f'), and only becomes
 >        a door by dlmgmtd calls fattach() on it at runtime. But this causes
 >        pkgchk to report an error:
 > 
 >            # pkgchk -n SUNWcsr
 >            ERROR: /etc/.dlmgmt_door
 >                file type <f> expected <D> actual
 > 
 >      To resolve the above two issues, we propose to change the dlmgmtd door
 >      file from /etc/.dlmgmt_door to /etc/svc/volatile/dlmgmt/dlmgmt_door.
 >      Because /etc/svc/volatile is mounted as tmpfs, there is no problem to
 >      create the door file early at boot, and the /etc/.dlmgmt_door file
 >      is no longer needed.

-- 
meem
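The case rests on two runtime properties that are easy to state and worth checking on a built system: the daemon's runtime directory is owned by the service account and writable by nobody else, and the daemon process actually runs under that account. The following POSIX shell checks are an added example, not part of the case text or of meem's reply, and not dlmgmtd's own code. Directory path, owner and pid are parameters; the values /etc/svc/volatile/dlmgmt, dladm and dlmgmtd in the usage comment are taken from the case. The refusal of a group-writable directory is my own stricter choice, since the case only states that the directory is owned by "dladm".

```shell
#!/bin/sh
# Added example (not from the case or the reply): verify that a service's
# runtime directory and process match the least-privilege intent of the
# proposal, i.e. the directory belongs to the service account and only that
# account may write to it, and the daemon runs under that account.

# check_service_dir DIR OWNER
#   Returns 0 if DIR is a directory owned by OWNER with neither the group nor
#   the world write bit set; returns 1 otherwise and reports why on stderr.
check_service_dir() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # ls -ld prints: mode links owner group size date name.  LC_ALL=C keeps
    # the field layout stable across locales.
    line=$(LC_ALL=C ls -ld "$dir") || return 1
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    actual_owner=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$actual_owner" != "$owner" ]; then
        echo "$dir: owned by $actual_owner, expected $owner" >&2
        return 1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    if [ "$(printf '%s' "$mode" | cut -c6)" = w ] || \
       [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
        echo "$dir: group- or world-writable ($mode)" >&2
        return 1
    fi
    return 0
}

# check_process_user PID USER
#   Returns 0 if process PID runs with the uid of USER, 1 otherwise.
check_process_user() {
    pid=$1
    user=$2
    want=$(id -u "$user" 2>/dev/null) || { echo "$user: unknown user" >&2; return 1; }
    have=$(ps -o uid= -p "$pid" 2>/dev/null | tr -d ' ')
    case $have in
        ''|*[!0-9]*)
            # ps without a numeric uid column: fall back to the user name and
            # resolve it through id(1).
            name=$(ps -o user= -p "$pid" 2>/dev/null | tr -d ' ')
            if [ -z "$name" ]; then
                echo "pid $pid: no such process" >&2
                return 1
            fi
            have=$(id -u "$name" 2>/dev/null) || return 1
            ;;
    esac
    if [ "$have" != "$want" ]; then
        echo "pid $pid: runs as uid $have, expected $want ($user)" >&2
        return 1
    fi
    return 0
}

# Usage on a system that implements the case (names taken from the case text):
#   check_service_dir /etc/svc/volatile/dlmgmt dladm
#   check_process_user "$(pgrep -x dlmgmtd)" dladm
```

Both functions return non-zero on the first failed property, so they can be dropped into a post-install check or a test for the network/datalink-management service. The directory check deliberately fails on a group- or world-writable directory: a directory that other accounts can write to does not give the service account exclusive control over the door path it creates there.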
