Folks,

Currently ilbd daemon runs as "root" and uses SCF to store persistent configuration. ILB's rules, servergroups and healthcheck objects are represented as property groups in SCF. Note that we use the property group type SCF_GROUP_APPLICATION.

Below is a sample layout of the ilb property groups/properties:

prop-group name | property name | property type | property value
-------------------------------------------------------------------------
rule123           status          boolean         disabled/enabled
                  vip             net-v4/6-addr   v4/6 IP address
                  port            astring         port range
                  protocol        astring         TCP/UDP...
                  ilb-alg         astring         round-robin...
                  ilb-type        astring         NAT/DSR...
                  healthcheck     astring         healthcheck name
                  drain-time      int             sec
                  nat-timeout     int             sec
                  pers-timeout    int             sec
                  hc-port         astring         ALL/ANY/some-number
                  servergroup     astring         servergroup name
[.... more rules ....]
servergroup123    status          boolean         disabled/enabled
                  server1         astring         IP-addr:port:enable/disable
                  server2         astring         IP-addr:port:enable/disable
[ .... more servers ....]
healthcheck123    hc-test         astring         test program
                  hc-timeout      int             timeout value in sec
                  hc-interval     int             interval val in sec
                  hc-count        int             test repetition
[ .... more healthchecks ....]

I am trying to see if I can get ilbd to run as "daemon" instead of "root". See attached ilbd.xml file to see the list of privileges that ilbd daemon runs with.

After starting the ilbd daemon (i.e. running with "daemon" uid), when I try to configure healthcheck thus:

    # ilbadm create-healthcheck -h hc-test=ping,hc-timeout=3,hc-count=2,hc-interval=14 hc1

I get the error:

    ilbadm: no scf permit

The command executes fine, but it's the writing to scf that is failing. My questions are as follows:

Question 1
===========
I assume in order to authorize ilbd daemon to successfully call the scf_* functions to create/modify/delete/retrieve the configuration to/from scf framework, all I need to do is add this to usr/src/lib/libsecdb/user_attr.txt:

    daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify

(or should this be solaris.smf.modify.application?)

Can you confirm that this is indeed all that is required? Or does one need to do more than that (and if so what exactly)?

Question 2
=============
Is it OK for a process running as "daemon" to have "solaris.smf.modify"/"solaris.smf.modify.application" authorization? Or should this authorization only be granted to processes that run as "root"?

Sangeeta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ilbd.xml
Type: text/xml
Size: 3171 bytes
Desc: not available
URL: <http://mail.opensolaris.org/pipermail/smf-discuss/attachments/20090615/f3a3a77e/attachment.xml>