On Wed, 2008-08-27 at 17:03 -0700, Darren Reed wrote:
> On 08/27/08 16:37, Bill Sommerfeld wrote:
> > Unless I'm mistaken, the spec as written would allow *any* service
> > administrator to inject essentially arbitrary rules into the global
> > ipf.conf.
> Given David's replies, do you still see that as being possible?
The spec needs to make it clear that it is unsafe to delegate access to
these properties.
smf could probably use a mechanism to make it harder to screw up access
to critical properties like this.
> Maybe I should ask, what would you define as being an "overall
> policy"?
A single coherent source for "what should be allowed on this system"
which comes from a single origin. You are likely to lose that coherance
when you take the policy, salami-slice it, and spread it through a bunch
of service properties.
- Bill
_______________________________________________
networking-discuss mailing list
[email protected]
