FYI,
-------- Original Message --------
Subject: Re: sg3 utilities 1.25 [PSARC/2008/683]
Date: Sat, 15 Nov 2008 11:13:46 +0800
From: Xiao Li <[email protected]>
To: Gary Winiger <gww at eng.sun.com>
CC: Darren.Moffat at Sun.COM
References: <200811150126.mAF1QuBe023325 at marduk.eng.sun.com>
Hi Gary,
Thanks for your response, please see my comments below.
Gary Winiger wrote:
>> Hi Darren and Gary,
>> If you're both ok with these two new profiles, could I post it to PSARC-ext?
>>
>
> Please answer the questions that you have avoided answering:
> From the most recent time I asked them:
>
> Such as why is sys_devices required to run the view commands?
>
These commands are utilizing USCSICMD interface to
send scsi command, and this interface need
the process have the privilege of sys_devices. It
will call drv_priv() to check the privilege no matter
the process is reading or writing to the device file.
> And why are the modes restricted?
Sorry, I do not quite understand this question.
> What is the policy? Why
> is the policy appropriate?
I'm using the policy "solaris", according to the
manpage of exec_attr. Is this what you
are asking?
> And as you say why File System Management?
> It is included in System Administrator, so why is that the
> appropriate set of Rights Profiles for these commands?
>
I've worked out two new profiles "SCSI Device Info"
and "SCSI Device Management"
as suggested by Darren.
> Since the claim is required privileges, what about limitprivs?
>
limitprivs=all.
> Perhaps after understanding the why of the device policy,
> the view routines may not need any Rights Profile at all.
> From (one of the Xiao Li's) email that showed
> crw-r----- 1 root sys
> sgid sys might be appropriate.
> Without the project team explaination of rationale for the
> existant policy, I can't judge.
>
> And explain the rationale for the existant policy. Only then
> is it possible to review the Rights Profiles.
>
The original source code is opening the device file
with flag O_RDWR, so euid=0 is
necessary, but I've tried if I set it to O_RDONLY,
it will work as well, and just
egid=sys is enough. However as I mentioned above,
sys_devices is needed when
sending USCSI command, this is by design of Solaris.
-Xiao
> If you can't answer the questions and explain the existant policy,
> contact your case owner for directions on how to proceed.
>
> Gary..
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/opensolaris-arc/attachments/20081120/d7a5f578/attachment.html>
