Hi Gary,
All of these commands need to open the device tree files with read and
write permission. The device tree files are, by design of Solaris, owned
by root; the following is an example:
# ls -l /devices/pci@0,0/pci1022,7458@1/pci11ab,11ab@1/disk@1,0:q,raw
crw-r----- 1 root sys 27, 464 Nov 13 10:52 /devices/pci@0,0/pci1022,7458@1/pci11ab,11ab@1/disk@1,0:q,raw
And according to the output of ppriv -lv (the verbose description of all
the privileges on Solaris):
file_dac_write
Allows a process to write a file or directory whose permission
bits or ACL do not allow the process write permission.
In order to write files owned by uid 0 in the absence of an
effective uid of 0 ALL privileges are required.
These commands then need to be run with euid=0.
Besides, I've checked all these commands by running
ppriv -D -s A=sys_devices -e sg_xxx /dev/rdsk/cxtxdxpx as root.
It was verified that all these commands need only the privilege
"sys_devices".
The "System Administrator" is not a user; it is one of the existing
rights profiles, which we can grant to any user or role as we want.
These commands are by design for system administration, I think we
should put them under the rights profile "File System Management"
which is a supplementary rights profile of "System Administrator".
So it will be up to the customers which user/role runs these
commands; it is not restricted to the superuser (root).
Thanks and regards,
-Xiao
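The iterative ppriv -D check described in the mail, written up as an added example (not code from Xiao's mail or from the sg tools): a parser for the "missing privilege" debug lines, plus a loop that widens the privilege set until a run reports nothing missing. The line format is assumed from documented Solaris output, and the sg_xxx sample lines are constructed.

```python
"""Derive the least privilege set a command needs from `ppriv -D` output."""
import re

# ppriv -D reports each failed privilege check on stderr in this shape. The
# pattern is an assumption based on documented Solaris output; the sample
# lines further down are constructed, not captured from the real commands.
_MISSING_RE = re.compile(
    r'^(?P<cmd>[^\[\s]+)\[(?P<pid>\d+)\]: missing privilege "(?P<priv>\w+)"'
    r' \(euid = (?P<euid>\d+), syscall = (?P<syscall>\d+)\)'
)


def missing_privileges(debug_output):
    """Return {command: {privilege, ...}} for every failed check in the output.

    Ordinary program output (anything not matching the ppriv shape) is ignored."""
    found = {}
    for line in debug_output.splitlines():
        m = _MISSING_RE.match(line)
        if m:
            found.setdefault(m.group("cmd"), set()).add(m.group("priv"))
    return found


def next_privilege_set(current, debug_output):
    """One round of the test: add whatever the last run still lacked.

    Returns (new_set, converged); converged is True when the run produced no
    missing-privilege lines, i.e. `current` was sufficient."""
    missing = set().union(*missing_privileges(debug_output).values())
    return frozenset(current) | missing, not missing


def least_privilege_set(run_outputs, start=frozenset()):
    """Feed successive `ppriv -D -s A=<set> -e cmd` outputs through
    next_privilege_set until one converges; None if the runs ran out first."""
    privs = frozenset(start)
    for output in run_outputs:
        privs, done = next_privilege_set(privs, output)
        if done:
            return privs
    return None


# Constructed sample: first run with an empty set, then a run with A=sys_devices.
RUN_EMPTY_SET = (
    'Vendor: CONSTRUCTED  Model: SAMPLE\n'  # normal stdout, not a ppriv line
    'sg_xxx[4211]: missing privilege "sys_devices" (euid = 0, syscall = 5)'
    ' needed at spec_open+0x1a0\n'
)
RUN_SYS_DEVICES = 'Vendor: CONSTRUCTED  Model: SAMPLE\n'  # nothing missing
```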