Gary Winiger writes:
> > -bash-3.2$ ppriv -De fping -h
> > fping[18609]: missing privilege "net_icmpaccess" (euid = 201400, syscall = 230) needed at secpolicy_net_icmpaccess+0x24
> > fping: can't create raw socket : Permission denied
> > 
> > As a result, it seems not necessary to file a bug against fping.
> 
>       Are you then saying that shmux will pfexec /usr/bin/fping so
>       that administrators with the Network Management Rights Profile
>       can use shmux to call fping?

Having to grant a rights profile just so that people can use this
shmux utility strikes me as an extremely poor answer.

There's no clear reason this utility needs to use fping.  It likely
shouldn't be using it.  The reason fping has restricted access on
Solaris (and isn't either setuid or in any "normal" profile) is that
it's considered _dangerous_.  The regular 'ping' utility appears to
have all of the functionality that this shmux feature needs, and it
doesn't require the user to have any special privileges.

I strongly recommend either:

  - Fixing this utility so that it invokes "ping".

or:

  - Just removing the silly "-p" option.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
