On Fri, Jul 03, 2009 at 04:32:18PM +0200, Casper.Dik at sun.com wrote:
>
> >On Fri, 2009-07-03 at 05:45 -0700, Casper Dik wrote:
> >> This project proposes two new "basic" privileges.
> >>
> >> FILE_READ
> >>         Allows a process to read a file or directory whose
> >>         permission or ACL allow the process read permission.
> >>
> >> FILE_WRITE
> >>         Allows a process to write a file or directory whose
> >>         permission or ACL allow the process write permission.
> >
> >I have no problem with these new privileges, but do have one question
> >regarding the semantics of adding them to the basic set.  How will this
> >affect processes that may be specifying individual privileges in the
> >"basic" set by enumeration rather than specifying "basic" itself in the
> >various APIs?  Will they cease to be able to read and write files?  Do
> >such applications exist?
>
> When you define a "set of privileges", you must start with the basic set.

hey casper,

fyi, this is not how zones works.  zones starts with the empty set and
then adds privs.  please see the brand config.xml files for where this
is defined.  you'll need to update these files with these new privileges.
(and feel free to file an RFE against zones to start with the basic set
and then add or remove privs as necessary.)

ed