On Wed, May 04, 2011 at 11:16:29AM -0700, [email protected] wrote: > On Tue, May 03, 2011 at 04:56:51PM -0700, Edward Pilatowicz wrote: > > --------- > > src/svc/zoneproxyd.xml > > > > - don't run as root. instead, run as daemon and add in just the privs > > you need. (which i'm guessing are file_owner and file_dac_read. if > > you need additional privs you can figure out which ones you need via > > ppriv -D.) > > This isn't going to work until the zone_enter code changes. That code > does a bitwise compare on the privilige set of the caller who enters, > and if that caller doesn't have all of root's privs, the zone enter > fails. I believe that when you reviewed this initially, I tried it and > determined that it didn't work. This code will add and remove its privs > as needed, but at a minimum it needs to have root privs at some time so > that it can zone_enter and fattach the door in the proxy-client's zone. >
excellent point. it'd be great to have a comment in the manifest which mentions this. ed _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
