shmux [PSARC/2009/150 FastTrack timeout 03/10/2009]
James Carlson
james.d.carlson at sun.com
Fri Mar 6 07:38:38 PST 2009
Gary Winiger writes:
> > -bash-3.2$ ppriv -De fping -h
> > fping[18609]: missing privilege "net_icmpaccess" (euid = 201400, syscall
> > = 230) needed at secpolicy_net_icmpaccess+0x24
> > fping: can't create raw socket : Permission denied
> >
> > As a result, it seems not necessary to file a bug against fping.
>
> Are you then saying that shmux will pfexec /usr/bin/fping so
> that administrators with the Network Management Rights Profile
> can use shmux to call fping?

Having to grant a rights profile just so that people can use this
shmux utility strikes me as an extremely poor answer.

There's no clear reason this utility needs to use fping. It likely
shouldn't be using it. The reason fping has restricted access on
Solaris (and isn't either setuid or in any "normal" profile) is that
it's considered _dangerous_. The regular 'ping' utility appears to
have all of the functionality that this shmux feature needs, and it
doesn't require the user to have any special privileges.

I strongly recommend either:

- Fixing this utility so that it invokes "ping".

or:

- Just removing the silly "-p" option.

--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677