On Thu, Feb 11, 2010 at 12:50:14PM -0800, Michael Hunter wrote:
> On Thu, 11 Feb 2010 12:18:34 -0800
> Renee Danson Sommerfeld <renee.sommerfeld at sun.com> wrote:
>
> > On Thu, Feb 11, 2010 at 10:50:20AM -0800, Michael Hunter wrote:
> > > On Thu, 11 Feb 2010 10:24:22 -0800
[...]
> > >
> > > OTOH if somebody created the zone and added sys_dl_config to the limit
> > > set then we could get it.  What you could do is check the zone set and
> > > see if it exists and if it does add it to our privset.  What we should
> > > do is build our requested set and then priv_intersect() it with
> > > the (all) zone set.  That's way more clean than the global check and deals
> > > with however the user decides to configure the zone.
> >
> > I agree; and I think it makes for a less risky change than the
> > original fix for 14305.
> >
> > I've put the privs that were removed by the 14305 fix back in,
> > and then used priv_intersect() to make the effective set
> > all of our desired list that are available in our zone.  I've
> > verified that this works in a global zone (though I still need
> > to do some more targeted priv testing); Michael, could you give
> > this a shot in your zone?
>
> Works fine.

Thanks!

> > Updated webrev:
> >
> > http://jurassic.eng/~okie/webrev.14521/
>
> You can the setting of the global boolean at the beginning of the
> function.

Yep, I'm glad you caught that.  Webrev updated.

-renee
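
The approach discussed in this thread, as an added illustration (not code from the webrev or from either poster): a portable C model that compares a global-zone check with intersecting the requested set against the zone's set. Every privilege other than sys_dl_config, the two zone sets and all function names are constructed for the example; on Solaris the sets would be `priv_set_t` and the intersection would be done with `priv_intersect()`.

```c
#include <stdint.h>
#include <stdio.h>

/* Privilege sets modelled as bitmasks (assumption: stands in for priv_set_t). */
typedef uint32_t privmask_t;

#define P_FILE_CHOWN_SELF (1u << 0)   /* illustrative entries, constructed list */
#define P_NET_RAWACCESS   (1u << 1)
#define P_SYS_IP_CONFIG   (1u << 2)
#define P_SYS_DL_CONFIG   (1u << 3)   /* the privilege discussed in the thread */

/* Constructed wish list for a hypothetical daemon. */
#define WANTED (P_FILE_CHOWN_SELF | P_NET_RAWACCESS | P_SYS_IP_CONFIG | P_SYS_DL_CONFIG)

/* Constructed zone sets: global zone, a zone whose admin added sys_dl_config,
 * and a tighter zone that lacks sys_dl_config and net_rawaccess. */
#define ZONE_GLOBAL  0xffffffffu
#define ZONE_WITH_DL (P_FILE_CHOWN_SELF | P_NET_RAWACCESS | P_SYS_IP_CONFIG | P_SYS_DL_CONFIG)
#define ZONE_TIGHT   (P_FILE_CHOWN_SELF | P_SYS_IP_CONFIG)

/* Approach A: hard-coded decision keyed on "are we in the global zone?". */
privmask_t effective_by_zone_check(int in_global_zone)
{
    privmask_t want = WANTED;
    if (!in_global_zone)
        want &= ~(privmask_t)P_SYS_DL_CONFIG;  /* assumes it is never available */
    return want;
}

/* Approach B: build the full requested set, keep what the zone set allows. */
privmask_t effective_by_intersect(privmask_t zone_set)
{
    return WANTED & zone_set;
}

/* Bits that were requested but that the zone cannot grant. */
privmask_t unavailable(privmask_t requested, privmask_t zone_set)
{
    return requested & ~zone_set;
}

int main(void)
{
    printf("A in ZONE_WITH_DL: %#x (sys_dl_config dropped although allowed)\n",
           (unsigned)effective_by_zone_check(0));
    printf("B in ZONE_WITH_DL: %#x\n", (unsigned)effective_by_intersect(ZONE_WITH_DL));
    printf("A asks ZONE_TIGHT for unavailable bits: %#x\n",
           (unsigned)unavailable(effective_by_zone_check(0), ZONE_TIGHT));
    printf("B asks ZONE_TIGHT for unavailable bits: %#x\n",
           (unsigned)unavailable(effective_by_intersect(ZONE_TIGHT), ZONE_TIGHT));
    return 0;
}
```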
