Sangeeta Misra writes:
> Folks,
> Currently ilbd daemon runs as "root" and uses SCF to store persistent
> configuration. ILB's rules, servergroups and healthcheck objects are
> represented as property groups in SCF. Note that we use the property
> group type SCF_GROUP_APPLICATION.
> [SNIP]
>
> Question 1
> ===========
> I assume in order to authorize ilbd daemon to successfully call the
> scf_* functions to create/modify/delete/retrieve the configuration
> to/from scf framework, all I need to do is add this to
> usr/src/lib/libsecdb/user_attr.txt :

I'll let Gary comment on modifications to usr/src/lib/libsecdb/user_attr.txt.

>
> daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify (or should
> this be solaris.smf.modify.application?)

If all of your property groups are of type application, then solaris.smf.modify.application is preferred. It is more restrictive. I assume that you are adding this authorization so that you can create property groups. It would be nice if you could use a service-specific authorization to allow property group authorization, but I have not found a way to do that.

>
> Can you confirm that this is indeed all that is required? Or does one
> need to do more than that (and if so what exactly)?

This is all that should be required.

>
> Question 2
> =============
> Is it OK for a process running as "daemon" to have
> "solaris.smf.modify"/"solaris.smf.modify.application" authorization? Or
> should this authorization only be granted to processes that run as
> "root"?

Gary?

>
> Sangeeta