> The question now becomes how to secure DLDIOC_DOORSERVER. Should I keep
> the PRIV_SYS_NET_CONFIG requirement and yank the code in dlmgmtd that
> creates the door file and calls DLDIOC_DOORSERVER up to before privileges
> are dropped, or relax the privilege checks in the kernel to just check to
> see if the user-id is dladm? Any other ideas?
Obviously, having fewer privileges is more secure, but given that PRIV_SYS_NET_CONFIG is needed, I'd say it's fine. (Also, I'd sooner define a new privilege than add uid checks in the kernel.) -- meem
