Moin!

I discovered a bug/annoyance/feature that IMHO makes working with SMF authorisations more difficult. I discovered this when writing an SMF manifest and spent quite some time debugging what I did wrong, when I had made no error, as the behavior is the same for all SMF services.

OK, if I wanted to give someone permission to start and stop, say, the name service cache, I thought it would be enough to grant him the solaris.smf.manage.name-service-cache authorization with:

    usermod -A solaris.smf.manage.name-service-cache tst

However, as it turns out, this does not work:

    tst@live:~$ svcadm disable name-service-cache
    svcadm: svc:/system/name-service-cache:default: Permission denied.

When I truss this, it seems that svcadm wants to write something and is not allowed:

    svcadmwrite(2, " s v c a d m", 6) = 6
    : write(2, " : ", 2) = 2
    svc:/system/name-service-cache:defaultwrite(2, " s v c : / s y s t e m /".., 38) = 38
    : Permission denied.

After some time I figured out that I had to allow the solaris.smf.modify.framework authorization:

    usermod -A "solaris.smf.manage.name-service-cache,solaris.smf.modify.framework" tst

Now everything worked as expected. However, it is IMHO not a good idea to give the modify authorization to a user, as he can now also modify every framework parameter of other services.

Now I can understand that some stuff needs to be written to the service (contract, restarter info, etc.), but the authorization should be done per service, as the user was granted management of this service, and not any service. If possible it should be done by using the service-specific management authorization and not a new authorization per service, but that's just my 2 cents.

I discovered this behavior on Solaris 10 Update 5 and OpenSolaris 2008.05; there seems to be no difference between the two with regard to that.

So long
-Ralf
---
Ralf Weber
e: opensolaris at fl1ger.de
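
An added example, not part of the original message: a shell check that reads user_attr(4)-format entries (where usermod -A records authorizations) and reports accounts holding an SMF authorization that applies to every service, such as the solaris.smf.modify.framework grant discussed above. The function names and the sample entries are constructed for illustration; the list of framework-wide authorizations is the set named in smf_security(5), plus wildcards that cover the solaris.smf namespace.

```shell
#!/bin/sh
# Entry format: user:qualifier:res1:res2:attr, attr being key=value;key=value

# Constructed sample entries (not taken from a real system).
sample_user_attr() {
    cat <<'EOF'
# constructed sample, user_attr(4) format
root::::auths=solaris.*,solaris.grant;profiles=All
tst::::auths=solaris.smf.manage.name-service-cache,solaris.smf.modify.framework
ops::::type=normal;auths=solaris.smf.manage.name-service-cache
EOF
}

# Reads user_attr lines on stdin, prints "user authorization" for each grant
# that is not limited to a single named service.
broad_smf_auths() {
    awk -F: '
    function is_broad(x,    p) {
        # Authorizations that smf_security(5) defines for all services.
        if (x == "solaris.smf.modify" || x == "solaris.smf.manage") return 1
        if (x == "solaris.smf.modify.framework") return 1
        if (x == "solaris.smf.modify.method") return 1
        if (x == "solaris.smf.modify.dependency") return 1
        if (x == "solaris.smf.modify.application") return 1
        # Trailing wildcard at or above solaris.smf, or spanning a subtree of it.
        if (x ~ /\*$/) {
            p = substr(x, 1, length(x) - 1)
            if (index("solaris.smf.", p) == 1) return 1
            if (index(p, "solaris.smf.") == 1) return 1
        }
        return 0
    }
    /^[ \t]*#/ || NF < 5 { next }      # skip comments and short lines
    {
        attr = $5                      # rejoin in case attr contained ":"
        for (i = 6; i <= NF; i++) attr = attr ":" $i
        n = split(attr, kv, ";")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^auths=/) continue
            m = split(substr(kv[i], 7), a, ",")
            for (j = 1; j <= m; j++)
                if (is_broad(a[j])) print $1, a[j]
        }
    }'
}

sample_user_attr | broad_smf_auths
```

On a live system the same function can be fed /etc/user_attr on stdin; authorizations inherited through rights profiles are not covered by this check.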