Peter Memishian wrote:
> > The question now becomes how to secure DLDIOC_DOORSERVER. Should I keep
> > the PRIV_SYS_NET_CONFIG requirement and yank the code in dlmgmtd that
> > creates the door file and calls DLDIOC_DOORSERVER up to before privileges
> > are dropped, or relax the privilege checks in the kernel to just check to
> > see if the user-id is dladm? Any other ideas?
>
> Obviously, having fewer privileges is more secure, but given that
> PRIV_SYS_NET_CONFIG is needed, I'd say it's fine. (Also, I'd sooner
> define a new privilege than add uid checks in the kernel.)
>
Right, a new privilege would have been a third option. In any case, I've implemented what Artem also has, which is to retain PRIV_SYS_NET_CONFIG after dropping privileges, and this works well.

-Seb
