> Here is an updated version:

Perhaps my questions were previously answered. I didn't see that from reading the discussion.

> Patch binding is requested; however, there are no plans to backport any of
> the proposed changes.
> PRIV_SYS_SHARE
> --------------
>
> Establishing an NFS or CIFS share requires full root privileges; however,

Nit: root != privilege. Proper terminology would be to state what privileges are necessary. sys_nfs or sys_smb, and is there something else? What are the actual required privileges?

> within a non-global zone, full privileges are not permitted. A new system
> privilege PRIV_SYS_SHARE is proposed, and is enforced in sharefs when adding
> or removing shares replacing the existing usage of PRIV_SYS_CONFIG.

This seems like a change in functionality. That is, the proposal seems to be to remove functionality from sys_config. That would not make a Patch binding appropriate.

> PRIV_SYS_SHARE can be assigned to a zone, and it is enabled by default for
> root users in both global and non-global zones.

Again, why is root the thing here? What are the actual required privileges? I'm trying to understand the compelling reason for adding sys_share.

> With PRIV_SYS_SHARE, a global zone administrator may allow or prohibit
> sharing from any protocol (CIFS, NFS) in any zone (global or non-global).
> Enforcement of the protocol-specific privileges (PRIV_SYS_NFS and
> PRIV_SYS_SMB) will not be changed. To establish a share, both
> PRIV_SYS_SHARE and the protocol-specific privilege are required.

Usually a privilege isn't combined with other privileges for a single restriction. Why isn't sys_nfs or sys_smb being or not being in the zone's privilege set sufficient? Why is the additional restriction necessary?

I understand that sys_config is too powerful to allow in a zone. It seems to me that sharing should be allowed for processes (subjects) with sys_nfs (or sys_smb) and appropriate file/directory access.

Gary..