> dlmgmtd does start with PRIV_SYS_NET_CONFIG (it starts with all
> privileges). It opens the dld control node with that privilege, then
> drops all privileges (see dlmgmt_init_privileges()).
>
> In the updated iptun code, any random Joe can open the dld control
> device. Each ioctl will have its own set of required privileges, so that
> unprivileged users can do sane things like type "dladm show-link".
> DLDIOCSETPROP is clearly one that should require PRIV_SYS_NET_CONFIG.
> Are you saying that dlmgmtd will retain PRIV_SYS_NET_CONFIG even after
> having dropped privileges?
Well yes, that's what my current code relies on, i.e. dlmgmt_door_init()
becomes:
if (__init_daemon_priv(PU_RESETGROUPS|PU_CLEARLIMITSET, UID_DLADM,
- GID_SYS, NULL) == -1) {
+ GID_SYS, PRIV_SYS_NET_CONFIG, NULL) == -1) {
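Review bot: the PRIV_SYS_NET_CONFIG argument added on the `+ GID_SYS, PRIV_SYS_NET_CONFIG, NULL)` line has no comment saying why the daemon keeps this privilege once the rest are dropped. The thread gives the reason as letting dlmgmtd issue DLDIOCSETPROP, so a short comment above the __init_daemon_priv() call naming that ioctl would stop the retained privilege from being removed or widened later without review. It is also worth confirming that the drop in dlmgmt_init_privileges(), mentioned in the quoted text, does not discard it again, and considering whether the privilege could be enabled only around the DLDIOCSETPROP call instead of being held for the daemon's lifetime.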
Or I could do something else, as long as dlmgmtd is allowed to do
DLDIOCSETPROP.
-Artem