It runs as uid/gid 0. I'll work out which privileges are needed so I can
drop the rest.

daemon/daemon with privileges would be better. If zonestatd is the method started by SMF, you may also be able to remove the basic proc_exec privilege of zonestatd as well.

I just reviewed the privileges. zonestatd does a zone_enter() to fetch resource control info, which requires all privileges. I would need to implement a getrctl_byid(2) system call to avoid this. The current getrctl(2) system call uses the context of the caller.

-Steve
