On Mon, 2007-06-04 at 22:36 -0700, Scott Rotondo wrote:
> > In order to ease the porting of ZFS to BSD and MacOS X the following
> > "system" attributes will be supported in ZFS. Setting these
> > attributes requires PRIV_FILE_FLAG_SET. Clearing the attribute
> > requires a process to have PRIV_FILE_FLAG_CLEAR.
>
> You're requiring two different privileges, depending on whether the
> attribute is set or cleared? That's contrary to the way other Solaris
> privileges work, where a single privilege lets you set a given attribute
> (say, file permission bits) regardless of the value being set.
The BSD version of the interface severely constrains when and how
"system" append-only and immutable bits may be cleared (essentially,
only in single-user mode).
I think that separating "set" and "clear" has utility from a
least-privilege standpoint in that it allows a process to be able to
create an append-only log file without being able to tamper with
existing log entries.
- Bill
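As an added illustration (not code from the ZFS proposal, from this thread, or from OpenSolaris), the following Python model contrasts the two rules being discussed: the proposal's separate PRIV_FILE_FLAG_SET / PRIV_FILE_FLAG_CLEAR privileges versus a single privilege that governs both setting and clearing. The privilege and flag names are taken from the quoted proposal; the File and Process classes, the policy checks and the log-writer scenario are hypothetical and exist only to show why a process that can only set the append-only bit cannot later rewrite entries it has already logged.

```python
"""Toy model of the two-privilege rule for ZFS "system" file attributes.

Added, constructed illustration; not code from the ZFS proposal or from
OpenSolaris. The privilege and flag names come from the quoted proposal;
the File/Process classes and the policy checks are hypothetical.
"""
from dataclasses import dataclass, field

PRIV_FILE_FLAG_SET = "PRIV_FILE_FLAG_SET"
PRIV_FILE_FLAG_CLEAR = "PRIV_FILE_FLAG_CLEAR"
APPEND_ONLY = "appendonly"   # writes may only extend the file
IMMUTABLE = "immutable"      # no writes at all


class AccessDenied(Exception):
    pass


@dataclass
class File:
    data: bytearray = field(default_factory=bytearray)
    flags: set = field(default_factory=set)


@dataclass
class Process:
    privs: frozenset
    # True models the proposal (distinct SET and CLEAR privileges);
    # False models a single privilege that allows both operations.
    split_privs: bool = True

    def set_flag(self, f: File, flag: str) -> None:
        if PRIV_FILE_FLAG_SET not in self.privs:
            raise AccessDenied(f"need {PRIV_FILE_FLAG_SET} to set {flag}")
        f.flags.add(flag)

    def clear_flag(self, f: File, flag: str) -> None:
        needed = PRIV_FILE_FLAG_CLEAR if self.split_privs else PRIV_FILE_FLAG_SET
        if needed not in self.privs:
            raise AccessDenied(f"need {needed} to clear {flag}")
        f.flags.discard(flag)

    def write(self, f: File, offset: int, payload: bytes) -> None:
        """Write at offset; an append is a write at offset == len(f.data)."""
        if offset > len(f.data):
            raise ValueError("offset past end of file")
        if IMMUTABLE in f.flags:
            raise AccessDenied("file is immutable")
        if APPEND_ONLY in f.flags and offset != len(f.data):
            raise AccessDenied("append-only file: writes must extend it")
        f.data[offset:offset + len(payload)] = payload

    def truncate(self, f: File, length: int) -> None:
        if IMMUTABLE in f.flags or (APPEND_ONLY in f.flags and length < len(f.data)):
            raise AccessDenied("cannot shrink a protected file")
        del f.data[length:]


def denied(action) -> bool:
    """True if the zero-argument action raises AccessDenied."""
    try:
        action()
    except AccessDenied:
        return True
    return False


def logger_scenario(split_privs: bool) -> dict:
    """A log writer holding only PRIV_FILE_FLAG_SET creates an append-only
    log, then tries to tamper with the entry it already wrote."""
    logger = Process(frozenset({PRIV_FILE_FLAG_SET}), split_privs)
    log = File()
    logger.write(log, 0, b"entry1\n")                    # constructed sample entry
    logger.set_flag(log, APPEND_ONLY)
    logger.write(log, len(log.data), b"entry2\n")        # appending still works
    overwrite_blocked = denied(lambda: logger.write(log, 0, b"forged\n"))
    truncate_blocked = denied(lambda: logger.truncate(log, 0))
    clear_blocked = denied(lambda: logger.clear_flag(log, APPEND_ONLY))
    if not clear_blocked:
        # Under the single-privilege rule the flag is gone, so the rewrite succeeds.
        logger.write(log, 0, b"forged\n")
    return {
        "overwrite_blocked": overwrite_blocked,
        "truncate_blocked": truncate_blocked,
        "clear_blocked": clear_blocked,
        "tampered": bytes(log.data).startswith(b"forged"),
    }


def admin_can_clear() -> bool:
    """A process holding both privileges can still clear the bit."""
    admin = Process(frozenset({PRIV_FILE_FLAG_SET, PRIV_FILE_FLAG_CLEAR}))
    log = File(bytearray(b"entry1\n"), {APPEND_ONLY})
    admin.clear_flag(log, APPEND_ONLY)
    return APPEND_ONLY not in log.flags


if __name__ == "__main__":
    print("two privileges:", logger_scenario(True))
    print("one privilege: ", logger_scenario(False))
```

With the split rule the logger can keep appending but every attempt to overwrite, truncate or clear the flag is refused, so existing entries stay intact; with one privilege for both directions the same logger simply clears the bit and rewrites the first entry. The model says nothing about the BSD single-user-mode restriction, which is a separate, stricter policy on when clearing is permitted at all.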