I'm sponsoring this case for Cathy Zhou. I've marked the case closed
approved automatic, as the interfaces being modified are private, and the
changes are minor and fairly obvious.

1. Introduction
===============

This case proposes two changes related to the dlmgmtd daemon:

1) Change the dlmgmtd daemon to be run by the "dladm" user.

2) Create a /etc/svc/volatile/dladm directory and change the
   dlmgmtd door file location from /etc/.dlmgmt_door to
   /etc/svc/volatile/dladm/dlmgmt_door. Remove the
   /etc/.dlmgmt_door file from the SUNWcsr package.

2. Details
==========

- Privileges for dlmgmtd

  As part of PSARC/2008/002, we already limit the privileges of the
  dlmgmtd daemon to only "file_dac_write, file_chown_self,
  sys_mount, and sys_net_config". But because dlmgmtd is still run
  by uid 0, it remains vulnerable, as it still has unnecessary
  privileges (e.g., read access to all root-owned files).

  We propose to change the dlmgmtd daemon to be run by the "dladm"
  user. Note that the "dladm" user already exists and owns the
  files under /etc/dladm. The dlmgmtd daemon needs to access the
  files under /etc/dladm, so it is natural to run dlmgmtd as
  "dladm".

  A /etc/svc/volatile/dladm directory will be created and will be
  owned by "dladm". This directory will be used to hold the
  temporary datalink configuration files and the dlmgmtd door file
  (discussed below).

  Note that although the /var/run directory seems a better place to
  hold door files, it is mounted much later in boot by the
  filesystem/minimal service, and therefore cannot be used in this
  case.

- Door file for dlmgmtd

  As part of PSARC/2006/299, we proposed that the dlmgmtd daemon
  communicate with datalink management interface consumers using a
  door located in /etc (/etc/.dlmgmt_door). Because the dlmgmtd
  daemon is started very early in boot, we chose to make the
  /etc/.dlmgmt_door file part of the SUNWcsr package, to avoid
  having to create the door file before the root FS becomes
  writable.

  Several issues were found with the above implementation, though:

  1) Missing /etc/.dlmgmt_door file after flashinstall

     In the case of flashinstall, the flarcreate's "fdo" command
     excludes all the door files because "archiver (cpio/pax) unable
     to archive DOOR and SOCKET files, and it gives error". As a
     result, the /etc/.dlmgmt_door file is excluded by flarcreate
     and hence will not exist on the system after flashinstall. This
     causes the failure of the network/datalink-management service
     (which starts dlmgmtd) and an unusable system.

  2) After the system is booted, "pkgchk -n SUNWcsr" reports an error

     Because a file is never packaged as a door, the
     /etc/.dlmgmt_door file is packaged as part of SUNWcsr (file
     type 'f'), and only becomes a door when dlmgmtd calls fattach()
     on it at runtime. But this causes pkgchk to report an error:

         # pkgchk -n SUNWcsr
         ERROR: /etc/.dlmgmt_door
             file type <f> expected <D> actual

  To resolve the above two issues, we propose to change the dlmgmtd
  door file location from /etc/.dlmgmt_door to
  /etc/svc/volatile/dladm/dlmgmt_door. Because /etc/svc/volatile
  is mounted as tmpfs, there is no problem with having dlmgmtd
  create the door file early in boot, and the /etc/.dlmgmt_door
  file is no longer needed.
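
An added example, not part of the case materials: a Python audit of the door rendezvous layout proposed above. It checks that the directory is owned by the expected uid, that the door path really is a door (using the same <f>/<D> letters as the pkgchk output), and that the old /etc/.dlmgmt_door is gone. The function names and the rule that the directory must not be writable by group or other are assumptions of this example.

```python
import os
import pwd
import stat


def ftype(mode):
    """Type letter as in the pkgchk output: 'f' regular file, 'D' door."""
    if stat.S_ISDOOR(mode):  # always False on platforms without doors
        return "D"
    if stat.S_ISDIR(mode):
        return "d"
    return "f" if stat.S_ISREG(mode) else "?"


def audit_rendezvous(dirpath, door_name, owner_uid, legacy_path=None):
    """Return a list of findings; an empty list means the layout is as proposed."""
    try:
        d = os.lstat(dirpath)  # lstat: a symlink here must not pass as a directory
    except FileNotFoundError:
        return [f"{dirpath}: missing"]
    findings = []
    if not stat.S_ISDIR(d.st_mode):
        findings.append(f"{dirpath}: not a directory")
    if d.st_uid != owner_uid:
        findings.append(f"{dirpath}: owner uid {d.st_uid}, expected {owner_uid}")
    # Assumption of this example: only the owner may create or replace entries.
    if d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{dirpath}: writable by group or other")
    door = os.path.join(dirpath, door_name)
    try:
        t = ftype(os.stat(door).st_mode)
        if t != "D":
            findings.append(f"{door}: file type <D> expected <{t}> actual")
    except FileNotFoundError:
        findings.append(f"{door}: missing")
    if legacy_path and os.path.lexists(legacy_path):
        findings.append(f"{legacy_path}: old door file still present")
    return findings


if __name__ == "__main__":
    uid = pwd.getpwnam("dladm").pw_uid  # raises KeyError if the user is absent
    for line in audit_rendezvous("/etc/svc/volatile/dladm", "dlmgmt_door",
                                 uid, legacy_path="/etc/.dlmgmt_door"):
        print(line)
```

On a platform without doors the door check always reports a finding, since no file can have type D there.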