Hi,

I ran into a problem with the VRRP project which I am working on. In 
particular, the vrrpd daemon is run by the vrrp:default service, and 
its privileges are defined in vrrp.xml as below:

      <method_context>
              <!--
                  We need PRIV_SYS_CONFIG to post VRRP sysevent,
                  PRIV_NET_ICMPACCESS and PRIV_NET_RAWACCESS to
                  open the raw socket, PRIV_SYS_IP_CONFIG to bring
                  up/down the virtual IP addresses.
              -->
              <method_credential
                  user='root'
                  group='root'
                  limit_privileges=':default'
                  privileges='basic,sys_config,net_icmpaccess,net_rawaccess,sys_ip_config'
              />
      </method_context>

Note that the vrrp service can be run in both the global zone and a 
non-global exclusive-IP zone. But apparently, sys_config cannot be set in 
a non-global zone, or "svcadm enable vrrp" fails with the "svc.startd 
could not set context for method:  ] setppriv: Not owner" failure.

It is fine not to specify the sys_config privilege in the non-global 
zone (as we only need this privilege for posting sysevents, and sysevents 
are not supported in the non-global zone anyway), but my question is:

How do I specify different privilege requirements for the same service in 
different zones? Or do I have to *not* specify the privileges in the 
xml file, and instead drop and limit the privileges in the vrrpd 
daemon itself?

[ Please copy me on the answers to the discussion as I am not on the 
smf-discuss alias. Thanks! ].

Thanks
- Cathy
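The second option the post raises, trimming privileges inside the daemon instead of declaring them in the manifest, as an added example that is not vrrpd's or SMF's code. It assumes the method runs as root with no `privileges` attribute, so the daemon starts with the zone's full permitted set and then keeps only `basic` plus the three network privileges, keeping `sys_config` only when it is both present and the process is in the global zone, and refusing to start if a required privilege is absent. The names `vrrp_plan_privs`, `vrrp_apply_privs`, `vrrp_required`, `vrrp_global_only` and the sample privilege lists are constructed for this example; the Solaris-only part uses `getppriv`/`setppriv`/`priv_str_to_set`/`priv_set_to_str` from `<priv.h>` and `getzoneid` from `<zone.h>` and is compiled only where `__sun` is defined, so the portable planning logic can be exercised elsewhere.

```c
/* Added example, not vrrpd's code: self-reduce privileges at startup. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __sun
#include <priv.h>
#include <zone.h>
#endif

/* Needed in every zone: the raw socket and plumbing the virtual addresses. */
static const char *const vrrp_required[] = {
	"net_icmpaccess", "net_rawaccess", "sys_ip_config", NULL
};
/* Only useful in the global zone (posting sysevents); dropped elsewhere. */
static const char *const vrrp_global_only[] = { "sys_config", NULL };

char vrrp_plan_buf[256];	/* scratch buffer used by main() below */

/* Nonzero if `name` is exactly one element of the comma-separated `list`. */
static int priv_in_list(const char *list, const char *name)
{
	size_t n = strlen(name);

	while (list != NULL && *list != '\0') {
		const char *end = strchr(list, ',');
		size_t len = end != NULL ? (size_t)(end - list) : strlen(list);

		if (len == n && memcmp(list, name, n) == 0)
			return (1);
		list = end != NULL ? end + 1 : NULL;
	}
	return (0);
}

/* Append `name` to the list in `out`; -1 if it would not fit. */
static int priv_append(char *out, size_t outlen, const char *name)
{
	size_t used = strlen(out);
	int rc = snprintf(out + used, outlen - used, "%s%s",
	    used != 0 ? "," : "", name);

	return (rc < 0 || (size_t)rc >= outlen - used) ? -1 : 0;
}

/*
 * Decide which privileges beyond "basic" to retain. `permitted` is the
 * current permitted set as comma-separated literal names, the form
 * priv_set_to_str(set, ',', PRIV_STR_LIT) or "ppriv -S" produces.
 * Returns 0 and writes the list to `out`; returns -1 with errno EACCES when
 * a required privilege is missing, so the daemon fails early with a clear
 * message instead of later in socket(AF_INET, SOCK_RAW, ...). A missing
 * sys_config is never an error: it is kept only if present and in the
 * global zone, which is the zone-dependent case from the post.
 */
int vrrp_plan_privs(const char *permitted, int in_global_zone,
    char *out, size_t outlen)
{
	int i;

	if (outlen == 0)
		return (-1);
	out[0] = '\0';
	for (i = 0; vrrp_required[i] != NULL; i++) {
		if (!priv_in_list(permitted, vrrp_required[i])) {
			errno = EACCES;
			return (-1);
		}
		if (priv_append(out, outlen, vrrp_required[i]) != 0)
			return (-1);
	}
	for (i = 0; vrrp_global_only[i] != NULL; i++)
		if (in_global_zone && priv_in_list(permitted, vrrp_global_only[i]) &&
		    priv_append(out, outlen, vrrp_global_only[i]) != 0)
			return (-1);
	return (0);
}

#ifdef __sun
/* Shrink E, P, I and L to basic plus the plan; call before the raw socket. */
int vrrp_apply_privs(void)
{
	priv_set_t *cur = priv_allocset();
	priv_set_t *keep = priv_str_to_set("basic", ",", NULL);
	char plan[256], *str, *tok, *save;
	int rc = -1;

	if (cur == NULL || keep == NULL || getppriv(PRIV_PERMITTED, cur) != 0)
		goto out;
	if ((str = priv_set_to_str(cur, ',', PRIV_STR_LIT)) == NULL)
		goto out;
	rc = vrrp_plan_privs(str, getzoneid() == GLOBAL_ZONEID, plan, sizeof (plan));
	free(str);
	if (rc != 0)
		goto out;
	for (tok = strtok_r(plan, ",", &save); tok != NULL;
	    tok = strtok_r(NULL, ",", &save))
		(void) priv_addset(keep, tok);
	/* E must remain a subset of P, so shrink E first; L last. */
	rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, keep);
	if (rc == 0) rc = setppriv(PRIV_SET, PRIV_PERMITTED, keep);
	if (rc == 0) rc = setppriv(PRIV_SET, PRIV_INHERITABLE, keep);
	if (rc == 0) rc = setppriv(PRIV_SET, PRIV_LIMIT, keep);
out:
	if (cur != NULL) priv_freeset(cur);
	if (keep != NULL) priv_freeset(keep);
	return (rc);
}
#endif

int main(void)
{
	/* Constructed permitted sets standing in for getppriv() output. */
	const char *gz = "file_link_any,net_icmpaccess,net_rawaccess,"
	    "proc_exec,proc_fork,sys_config,sys_ip_config";
	const char *ngz = "file_link_any,net_icmpaccess,net_rawaccess,"
	    "proc_exec,proc_fork,sys_ip_config";

	if (vrrp_plan_privs(gz, 1, vrrp_plan_buf, sizeof (vrrp_plan_buf)) == 0)
		printf("global zone keeps: basic,%s\n", vrrp_plan_buf);
	if (vrrp_plan_privs(ngz, 0, vrrp_plan_buf, sizeof (vrrp_plan_buf)) == 0)
		printf("non-global zone keeps: basic,%s\n", vrrp_plan_buf);
	if (vrrp_plan_privs("proc_fork,proc_exec", 1, vrrp_plan_buf,
	    sizeof (vrrp_plan_buf)) != 0)
		perror("refusing to start without raw-socket privileges");
	return (0);
}
```

This only helps with the post's second option: if the manifest itself lists sys_config, svc.startd fails to set the method context before any daemon code runs, as the post describes. PRIV_STR_LIT is used so the permitted set arrives as literal names and the matching never has to expand the "basic" shorthand.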

