On 27/07/2010 17:19, Steve Lawrence wrote:
Darren J Moffat wrote:
DJM-1 zonestatd
What is the SMF method script used to start zonestatd? i.e. what
uid/gid and privileges does it run with?
/lib/svc/method/svc-zstat
I'll add that to the interface table.
It runs as uid/gid 0. I'll work out which privileges are needed so I can
drop the rest.
daemon/daemon with privileges would be better. If zonestatd is the
method started by SMF you may also be able to remove the basic proc_exec
privilege from zonestatd as well.
DJM-3 Can zonestat(1) run as a normal user (i.e. with no privileges
other than basic and no additional RBAC authorisations other than
those granted by Basic Solaris User)? If so, is there any information
that user can get that they can't through existing commands?
It can be run as a basic user. The aggregated process cpu data requires
privilege to enable, and potentially privilege to fetch depending on the
permissions of the accounting file. The basic user cannot get access to
the individual accounting records, but only the aggregated totals by zone.
Today basic users can get /proc cpu usage data, which is basically the
same, but only for currently running processes.
Sounds like perhaps I should require all zonestat clients to have
PRIV_PROC_INFO, as without such privilege, similar tools like prstat
would not function.
Generally clients would have proc_info but if tools giving similar data
(like prstat) would fail then zonestatd shouldn't return that data to
the client either.
The memory data is available via kstats and private system calls that
require no extra privilege. The private system calls are used by prstat
-Z and swap -s. I don't see any basic privileges governing kstat access.
That is fine, no need to restrict those further - well, there is in some
cases in my opinion, but it isn't this case.
DJM-4 I assume this works in a TX zone configuration
Yes.
DJM-5 I don't see how the FMRI can be Consolidation Private if the
config/sample_internal is Committed.
Good point. Since I support disabling of the smf service (in which
zonestat command does not work but fails gracefully), perhaps I should
make the smf service committed. I'm not sure what Committed on a service
means.
Committed for the FMRI means the name is well known and we expect an
admin to do 'svcadm enable/disable <fmri>'. Some SMF services may be
implementation details of some bigger architecture and can thus be lower
than Committed.
--
Darren J Moffat
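
The method context suggested in the DJM-1 reply can be written in the service manifest as follows. This is an added example, not part of the original message and not the zonestat project's own manifest. It assumes SMF starts zonestatd directly rather than through the svc-zstat script; the daemon path and timeout are placeholders, and the thread has not yet determined which extra privileges zonestatd needs.

```xml
<!--
  Per the thread, the start method today is /lib/svc/method/svc-zstat
  running as uid/gid 0. The fragment below is the suggested alternative.
-->
<exec_method type='method' name='start'
    exec='/PATH/TO/zonestatd'
    timeout_seconds='60'>
  <!-- exec path is a placeholder: the page does not give zonestatd's
       install location. timeout_seconds is a constructed value. -->
  <method_context>
    <!--
      user/group: daemon/daemon instead of uid/gid 0.
      privileges: start from the basic set and remove proc_exec with the
      '!' negation, which only works when zonestatd itself is the method
      (a method script would need proc_exec to run the daemon).
      Append whichever additional privileges zonestatd turns out to
      need once that has been worked out; none are listed here because
      the thread does not name them.
    -->
    <method_credential user='daemon' group='daemon'
        privileges='basic,!proc_exec' />
  </method_context>
</exec_method>
```

Once the service is running, `ppriv` on the daemon's pid shows the effective, permitted, inheritable and limit sets, which confirms whether the drop took effect.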