Bart Blanquart wrote:
>> We have other requests coming from our customers to have a per-user
>> fine-grained policy of whether they can do read-only or read-write
>> mounts. The current design supports this because the authorizations
>> for each device are configurable and extensible. We can create
>> separate authorizations for read-only and read-write mounts, and
>> assign one or the other to individual users. The device_clean script
>> can check the authorizations (using auths(1)) and set the appropriate
>> mount options.
>
> Is there a policy documented on what authorization names are usable
> (i.e. if customers add finer-grained authorizations following the
> naming examples they may end up with things like
> solaris.device.cdrom.ro/solaris.device.cdrom.rw/...) so that there
> won't be conflicts with (similar) authorizations we may add later?
>
> (auth_attr(4) implies that another top level name-space should be used
> instead of 'solaris.', but that seems somewhat unfortunate, as it
> prevents solaris.* or solaris.device.* from having the expected effect).

Other than what the man page says, there is no policy. I agree that using a prefix other than solaris is more work since it won't be covered by solaris.*.

>
> Regarding the use of auths(1) in scripts: it currently seems to be
> unsuited for that (even though the man-page recommends this use), as
> its output is not guaranteed to contain the complete authorization
> name (e.g. auths output as root is "solaris.*", so grepping for
> "solaris.device.something" won't give the expected result); CR 6251549
> documents this.

I agree that checking authorizations is a bit complicated in a shell script since you have to process the wild cards.

--Glenn
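Added example, not part of the original message or of Solaris: a POSIX shell check that handles the wildcard entries discussed above instead of grepping the auths(1) output. It assumes the list is comma-separated and that an entry whose last component is `*` grants every name under that prefix; the function names `auth_granted` and `mount_mode` are hypothetical, and the `.ro`/`.rw` authorization names are the illustrative ones from the thread.

```shell
# auth_granted LIST AUTH
#   LIST: authorizations as printed by auths(1), assumed comma-separated.
#   AUTH: the full authorization name the script needs.
# Exit status 0 if granted, 1 if not, 2 on a missing AUTH argument.
# The body runs in a subshell so the IFS and "set -f" changes do not leak.
auth_granted() (
    list=$1 want=$2
    [ -n "$want" ] || exit 2
    set -f              # entries such as "solaris.*" must not be globbed
    IFS=', '            # split the list on commas (and stray spaces)
    for entry in $list; do
        case $entry in
            "$want")    # exact, whole-name match (not a substring match)
                exit 0 ;;
            *.\*)       # wildcard entry, e.g. "solaris.device.*"
                prefix=${entry%\*}          # -> "solaris.device."
                case $want in
                    "$prefix"?*) exit 0 ;;  # AUTH lies under that prefix
                esac ;;
        esac
    done
    exit 1
)

# mount_mode LIST
#   Pick a mount option from the caller's authorizations, preferring
#   read-write. Prints "rw", "ro" or "none".
mount_mode() {
    if auth_granted "$1" solaris.device.cdrom.rw; then
        echo rw
    elif auth_granted "$1" solaris.device.cdrom.ro; then
        echo ro
    else
        echo none
    fi
}

# Typical call from a script (not run here): mount_mode "$(auths)"
```

The check fails closed: an entry that is neither an exact match nor a trailing-wildcard prefix of the requested name grants nothing, so a longer name that merely contains the requested one does not count.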
