Preface: I was sitting down about to send this off to the PSARC alias, in response to the libdlpi one-pager, when I thought that this discussion is perhaps better served by being elsewhere, as it really isn't to do with that case, directly, at all, unless someone thinks it should be brought up in PSARC discussion anyway...

Subject: Re: PSARC/2006/436 Public DLPI Library

A side issue that concerns me with making libdlpi available is the association between using it and having the correct privilege (NET_RAWACCESS). In this specific instance, if I'm developing a product for Solaris that uses libdlpi, what would lead me to knowing about security privileges and then use them, if I'm coming from a traditional unix background where it is "you must be root to do everything"? Why would I care about them? So I can install my program into the least privilege framework correctly. Sure, if I read about security privileges I'll find out how to do that, but what will lead me there? It's like going fishing using line without a hook or bait.

The key to remember here is that if you've been programming for Linux or even Solaris, all you know is that the program must run as root (for snoop/tcpdump, etc.) and this will, by and large, continue to work, meaning you never need to discover the bigger world that Solaris has to offer.

Strictly speaking it could be seen as inappropriate for this library to document the requirement of NET_RAWACCESS itself, but I think it would be of benefit if there was some linkage through the man pages between those for libdlpi and those for security privileges, if only to further advertise this capability and hopefully see more people make use of it.

That said, I'm unsure if there isn't a bigger task here, for the developers of security privileges (not libdlpi), to consider how/where to make privileges more visible to developers. Just looking at this case, of raw access to network devices, there currently doesn't appear to be any mention of it in snoop's man page, either, and snoop's entry into exec_attr looks like it is waiting for a CR...

Darren
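The post mentions that installing a program "into the least privilege framework" means giving it an exec_attr entry that grants only the privilege it needs (net_rawaccess for libdlpi users such as snoop) instead of running it as root. The script below is an added example, not part of Darren's post or of the Solaris source; it audits an exec_attr(4)-format database to show which commands are granted a given privilege and which entries still fall back to uid 0. The sample entries are constructed for the example (the `/usr/sbin/dlpicap` path is hypothetical), and on a real system the functions would be fed `/etc/security/exec_attr`.

```shell
#!/bin/sh
# Added example: audit exec_attr(4) entries for a given privilege.
# exec_attr line format:  name:policy:type:res1:res2:id:attr
#   $1 profile name, $3 "cmd" for executables, $6 path, $7 "key=value;key=value"
# This is not Solaris's own tooling; it only reads the text format.

# Constructed sample database (not a real /etc/security/exec_attr).
# The dlpicap entry and its path are hypothetical.
SAMPLE_EXEC_ATTR='Network Management:solaris:cmd:::/usr/sbin/snoop:privs=net_rawaccess
Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/usr/sbin/dlpicap:uid=0;privs=net_rawaccess,file_dac_read
# comment lines are ignored
Printer Management:solaris:cmd:::/usr/bin/lp:euid=lp'

# list_cmds_with_priv PRIV
#   Reads exec_attr lines on stdin and prints "profile<TAB>path" for every
#   cmd entry whose privs= list contains PRIV (exact match of one element).
list_cmds_with_priv() {
    awk -F: -v want="$1" '
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        $3 != "cmd"    { next }            # only executable entries
        {
            n = split($7, kv, ";")         # attr field is ;-separated key=value
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^privs=/) {
                    m = split(substr(kv[i], 7), p, ",")   # strip "privs="
                    for (j = 1; j <= m; j++)
                        if (p[j] == want) { print $1 "\t" $6; break }
                }
            }
        }'
}

# list_root_cmds
#   Prints the path of every cmd entry that still runs with uid=0 or euid=0,
#   i.e. entries that have not actually been moved to fine-grained privileges.
list_root_cmds() {
    awk -F: '
        /^#/ || NF < 7 { next }
        $3 == "cmd" && $7 ~ /(^|;)(uid|euid)=0(;|$)/ { print $6 }'
}

# Named wrappers over the sample so the results can be checked by name.
sample_net_rawaccess() { printf '%s\n' "$SAMPLE_EXEC_ATTR" | list_cmds_with_priv net_rawaccess; }
sample_root_cmds()     { printf '%s\n' "$SAMPLE_EXEC_ATTR" | list_root_cmds; }

# Usage against the sample; on Solaris replace the sample with:
#   list_cmds_with_priv net_rawaccess < /etc/security/exec_attr
sample_net_rawaccess
sample_root_cmds
```

The privilege match is exact on each comma-separated element, so `net_rawaccess` does not match a hypothetical `net_rawaccess_extra`; an entry with `uid=0` is reported by `list_root_cmds` even when it also carries a `privs=` list, since the uid grant makes the privilege restriction moot.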
