On Dec 6, 2007 10:30 AM, Darren J Moffat <[EMAIL PROTECTED]> wrote: > Shawn Walker wrote: > > On Dec 6, 2007 4:41 AM, Darren J Moffat <[EMAIL PROTECTED]> wrote: > >> You REALLY REALLY REALLY REALLY don't want to test that the user has a > >> specifically named profile - not even pfexec (pfsh,etc) do that. It is > >> very likely that the user may have a differently named profile with the > >> required privileges/uid assigned to the command. > > > > One of the Sun tools I saw (whose name eludes me at the moment) > > I'd like to know so I can get it fixed because that is broken - unless > it is an application explicitly giving the profile to a user account.
I'll dig around at home, I think it was an installation program for a software bundle I downloaded. > > explicitly checked for the "Software Installation Profile" -- since > > I'm the ignorant person that suggested this to John, can you clarify > > how you can check for sufficient privileges? > > You shouldn't you should do the operation and if it fails with > permission denied you know you don't have permission. It isn't your job > as a userland application or library to check privileges that is the job > of the kernel. Don't try and second guess the kernel. I wasn't trying to second-guess the kernel. I guess I was trying for the "ask for permission not for forgiveness" approach :) > > In other words, if you want to ensure that a user has the privileges > > equivalent to a "Software Installation Profile" how do you go about > > doing that? > > Why do you want to do that at all ? What is the real problem you think > needs solving here ? I was trying to figure out a good way to determine if the user had the necessary privileges to install software up front, and if they didn't inform them of what they could do to get them. Telling a user "You do not have the necessary privileges to perform software installation" isn't the same as "You do not have the Software Installation Profile enabled for your account or your user has insufficient privileges." The problem I see with the approach of "trying the operation" and then gracefully failing if I get permission denied is that it is somewhat prone to error. Meaning, I might have file permissions on the package database, and on some directories on the system, but maybe not all. This could leave me in a bad situation where I start an installation and then have to tell the user halfway through that there is a permissions problem. I was looking for a confident way to ensure "up-front" that a user has the necessary privileges without relying on the (incorrect) sledgehammer approach of requiring root. -- Shawn Walker, Software and Systems Analyst http://binarycrusader.blogspot.com/ "To err is human -- and to blame it on a computer is even more so." - Robert Orben _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
