Basic File Privileges [PSARC/2009/378 FastTrack timeout 7/10/2009]
Casper.Dik at sun.com
Mon Jul 6 13:27:59 PDT 2009
>On Mon, Jul 06, 2009 at 08:18:38PM +0200, Casper.Dik at Sun.COM wrote:
>>
>>
>> >fyi, this is not how zones works. zones starts with the empty set and
>> >then adds privs. please see the brand config.xml files for where this
>> >is defined. you'll need to update these files with these new privileges.
>> >(and feel free to file an RFE against zones to start with the basic set
>> >and then add or remove privs as necessary.)
>>
>> Ok, that's clearly broken. Doesn't it work correctly for native
>> zones?
>>
>
>all brands work the same way wrt privs handling. it's all controlled by
>the config.xml file.

Check for "BASIC_TOKEN" in

http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libzonecfg/common/libzonecfg.c#4950

and further.

So generally it will work.

Unfortunately, the syntax used to describe "privilege sets":

    <privilege set="required" name="proc_exec" />

actually only accepts single privileges.

For the basic set, we'd really want something like:

    <privilege set="required" name="basic,!file_link_any,!proc_session,!procinfo" />

The property of the basic set is that you cannot portably enumerate it.

Casper
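
Added example, not part of the original message and not code from libzonecfg: a small Python model of the "basic,!name" set syntax proposed above, showing why a hand-written enumeration of the basic set goes stale when the basic set grows. The sets, the shortened spec and the name new_basic_priv are constructed sample data; only file_link_any, proc_session and proc_exec appear in the message.

```python
# Constructed sample data, not read from a real system.
BASIC_OLD = frozenset({"file_link_any", "proc_exec", "proc_fork",
                       "proc_info", "proc_session"})
# Hypothetical later release whose basic set gained one privilege
# (new_basic_priv is a placeholder name).
BASIC_NEW = BASIC_OLD | {"new_basic_priv"}

# Shortened form of the spec proposed in the message.
SPEC = "basic,!file_link_any,!proc_session"


def resolve(spec, basic):
    """Expand a comma-separated privilege spec.

    'basic' expands to the basic set of the system doing the resolving,
    '!name' removes a privilege, any other token adds a single privilege.
    """
    granted, denied = set(), set()
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if token.startswith("!"):
            name = token[1:]
            if not name or name == "basic":
                raise ValueError("cannot negate %r" % token)
            denied.add(name)
        elif token == "basic":
            granted |= basic
        else:
            granted.add(token)
    return frozenset(granted - denied)


def frozen_enumeration(spec, basic_at_authoring_time):
    """The list a config author gets by writing the expansion out by hand,
    one single-privilege <privilege .../> element per entry."""
    return sorted(resolve(spec, basic_at_authoring_time))


def missing_after_upgrade(spec, old_basic, new_basic):
    """Privileges the symbolic spec grants on the newer system that the
    hand-written list, authored against the older one, silently omits."""
    return resolve(spec, new_basic) - set(frozen_enumeration(spec, old_basic))


if __name__ == "__main__":
    print("hand-written:", frozen_enumeration(SPEC, BASIC_OLD))
    print("symbolic    :", sorted(resolve(SPEC, BASIC_NEW)))
    print("omitted     :", sorted(missing_after_upgrade(SPEC, BASIC_OLD, BASIC_NEW)))
```
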