Sangeeta,

> Recall that we had presented the following proposal for ILB at PSARC 
> Inception (PSARC case 2008/575)
> 
> 9.1 IPC details and privileges for ilbd daemon
> 
>        We will use AF_UNIX socket (socket type of SOCK_SEQPACKET) 
>        for IPC between libilb and ilbd as both processes will run on the same
>        machine.  A subset of ilbadm commands will require privileges
                                                            ^^^^^^^^^^
        While that might be how to express the enforcement in the kernel,
        as I understand things ilbadm really just calls ilbd which
        does the access check and then proxies the call to the kernel.
        So it would be more appropriate to say "will require that the
        calling user be authorized" -- and the specific authorizations
        are part of the exported interfaces.  The auths also need to be
        made available either in an existing Rights Profile, or a new
        one created.  The ilbadm man page should document that the
        subset of commands can only be run by users having the Rights Profile.
  
> Assuming we go with the "root" with dropped privileges approach, please 
> provide us guidance for the specific issues:
> 
> o  where would you recommend that the persistent config files belong. 
> Would having them in /etc/ilbadm directory still be appropriate?

        Ideally it would not exist and be a [set of] smf properties.
        Since I believe we've already been down that path and the file
        is too complex for properties, what's wrong with the use of
        /etc/ilbadm/*?   Is the issue that ilbd can't hold the files open
        and needs create access in that directory so it can do atomic
        renames?

> o You had also advised us that in order to keep things simple we should 
> run *all* the health checks that ILB provides with a set of privileges 
> and document that by default the user-supplied health checks will also 
> run with the same exact set of privileges. If the admin has some 
> user-supplied scripts that require a larger priv set he/she will have to 
> run it with setuid explicitly (I assume that would be root with just 
> the essential privileges). I assume this advice would still stand?

        Yes.  If it turns out that ilbd needs to keep all privs in its
        permitted set, then things could be more flexible.

HTH,
Gary..