PSARC 2009/215 PCITool Public Interrupts

Gary Winiger gww at sac.sfbay.sun.com
Fri May 1 10:13:43 PDT 2009


> After discussing with Gary Winiger I am amending the PSARC case to 
> include more details about security.

	I'm probably being overly picky here.  In my offline discussions
	there seemed to be confusion about the (architectural) details.
	Including that I'm not the only one on the committee.

>  From project team:
> It is currently not in the "Maintenance and Repair" Rights Profile and 
> we don't plan to ship it with it configured in it. Do you recommend 
> otherwise?
> 
>  From Gary Winiger:
>     Maintenance and Repair seems like an appropriate Rights Profile.
>     The specification can state that they will be adding /usr/sbin/pcitool
>     to the existing Maintenance and Repair Rights Profile with attributes
>     of --- and you state the attributes.

	I've missed seeing the specification that pcitool will be
	added to Maintenance and Repair and with what attributes.

>     See
>     http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
>     for how to add to the RBAC databases.

	I'm happy to coach how to deliver into the RBAC databases should
	the best practice not be sufficient for the project team.

> Maintenance Commands                                  pcitool(1M)
> 
> NAME
>      pcitool - interrupt routing tool
> 
> SYNOPSIS
>      /usr/sbin/pcitool PCI_nexus_node -i ino=ino [ -r [ -c ] | -w
>      cpu=CPU [ -g ] ] [ -v ] [ -q ]
> 
>      /usr/sbin/pcitool [ -h ]

>      Required privileges
> 
>      The user must have all privileges in order to access  inter-
>      rupt  information.   A  regular  user  can  access interrupt
>      information when su(1M) to root or granted the  "Maintenance
>      and  Repair"  rights  profile  in  the  user_attr  file. See
>      user_attr(4) and rbac(5).

> SEE ALSO
>      pci(4), su(1M), user_attr(4), rbac(5)
> 
> NOTES

>      Root access is required to  execute  all  commands  in  this
>      tool.

	Probably a nit.  The preceding gives me pause over what the
	specification for Rights Profiles inclusion really is.
	Should this note just be eliminated, or is there some hard
	requirement for euid==ruid==0 which cannot be met otherwise?

Gary..


