Quoth Trevor Watson on Fri, Jun 13, 2008 at 02:52:00AM -0700:
> I'm struggling with giving a user permissions to alter the environment
> of a method context.
> 
> The service looks similar to this:
> <exec_method name='start' type='method' exec='/opt/blah/bin/myservice'/>
>     
> <property_group name='general' type='framework'>
>         <propval name='action_authorization' type='astring' 
> value='solaris.smf.manage.kgm' />

This will permit the user to use "svcadm enable -t",
"svcadm disable -t", "svcadm restart", "svcadm refresh", "svcadm clear",
and "svcadm mark" on the service.

>         <propval name='value_authorization'  type='astring' 
> value='solaris.smf.manage.kgm' />

This will permit the user to use "svcadm enable" and "svcadm disable" on
the service, and otherwise modify the values of properties in the
"general" property group.

> I thought this would be enough to enable the 'kgm' user to do the following:
> 
> svccfg -s myservice:inst1 setenv -i HOME /export/home/kgm

For that you'll need to include

        <property_group name='method_context' type='framework'>
                <propval name='modify_authorization' type='astring'
                    value='solaris.smf.manage.kgm' />
        </property_group>

or

        <property_group name='method_context' type='framework'>
                <propval name='value_authorization' type='astring'
                    value='solaris.smf.manage.kgm' />
        </property_group>

with a <method_context> which defines an environment on the instance.
In either case, setting the environment in the start property group
will override the setting.  The only way to avoid that is to allow the
user to modify the start property group, which would allow him to modify
the execution string, which I presume is undesirable.  Though with
modify_authorization he can create context properties, which might also
be undesirable.

> But I get:
> 
> svccfg: permission denied
> 
> - which is not very helpful and even svccfg -v does not give any more
> information than that.

Yes, this is 6425995 "svccfg should share what permission was denied
for".


David
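
As an added example (not part of the original message, and not code from the SMF project): a small Python audit that lists which property groups in a manifest delegate to a given authorization and flags the two cases the reply calls out as possibly undesirable. The manifest fragment is constructed from the snippets in the thread; the function names and the handling of `propval` children under `exec_method` are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

AUTH_PROPS = ("action_authorization", "value_authorization", "modify_authorization")

# Constructed manifest fragment modelled on the thread; not a complete SMF manifest.
SAMPLE = """
<instance name='inst1' enabled='false'>
  <exec_method name='start' type='method' exec='/opt/blah/bin/myservice'/>
  <property_group name='general' type='framework'>
    <propval name='action_authorization' type='astring' value='solaris.smf.manage.kgm'/>
    <propval name='value_authorization' type='astring' value='solaris.smf.manage.kgm'/>
  </property_group>
  <property_group name='method_context' type='framework'>
    <propval name='modify_authorization' type='astring' value='solaris.smf.manage.kgm'/>
  </property_group>
</instance>
"""

def delegations(xml_text, auth):
    """Return sorted (group, authorization property) pairs that name `auth`."""
    root = ET.fromstring(xml_text)
    found = set()
    # Assumption: an exec_method is treated as the method property group of the same name.
    for pg in list(root.iter("property_group")) + list(root.iter("exec_method")):
        for pv in pg.findall("propval"):
            if pv.get("name") in AUTH_PROPS and pv.get("value") == auth:
                found.add((pg.get("name"), pv.get("name")))
    return sorted(found)

def review(xml_text, auth):
    """Describe each delegation; WARN marks the cases the reply flags as risky."""
    notes = []
    for group, prop in delegations(xml_text, auth):
        if group == "general" and prop == "action_authorization":
            notes.append("general: temporary enable/disable, restart, refresh, clear, mark")
        elif group == "general" and prop == "value_authorization":
            notes.append("general: persistent enable/disable, edit general values")
        elif group == "method_context" and prop == "value_authorization":
            notes.append("method_context: can change existing context values")
        elif group == "method_context" and prop == "modify_authorization":
            notes.append("method_context: WARN can also create context properties")
        elif group == "start" and prop != "action_authorization":
            notes.append("start: WARN can modify the execution string")
        else:
            notes.append(f"{group}: {prop} delegated (effect not covered in the thread)")
    return notes
```
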
