> 2.1.1. Definition
>
> The read_authorization property may optionally be added to any
> property group of type application (SCF_GROUP_APPLICATION). It is
> defined to be a string-valued property with zero or more values. Each
> string value (if any) of this property will be interpreted as the name
> of an rbac(5) authorization defined in auth_attr(4). A
> read_authorization property which is not string-valued will not be
> interpreted specially.

I don't understand this last sentence. I thought that the
read_authorization property was similar to method, modify, and
value_authorizations in that its type was string.

> 2.3. svcprop(1) changes
>
> With respect to SPGs, svcprop(1)'s behaviour is modified as follows:
>
> - If a property or property group was explicitly specified with -p,
> and svc.configd(1M) denies access to the values of the specified
> property/ies, svcprop(1) will abort and, unless the '-q' option was
> provided, display an error message.

What does abort mean in this context? Does it call abort(3C),
or does it return an error?

> - If no property or property group was specified, properties for
> which the user lacks appropriate authorization to read will be
> displayed as if they had zero values (the present behaviour is to
> display the empty string for the value of such properties).

I don't understand this last sentence. Is the present behavior
being modified? Would string-valued properties have "0" returned?
Would string-valued properties have an empty string returned?

> smf_security(5)
> value_authorization Authorizations allow changing the
> values of any property of the property
> - group except modify_authorization.
> + group except modify_authorization, and
> + the retrieval of any property values
> + except modify_authorization from the
> + property group if sensitive.
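
Review bot: the added clause ending "from the property group if sensitive" leaves two things open in this hunk: "sensitive" is not defined in the lines shown, and it is unclear whether the second "except modify_authorization" limits which values may be retrieved or only repeats the limit on which values may be changed. Suggest splitting the entry into two sentences, one for changing values and one for retrieving them, and stating the condition under which a property group counts as sensitive.
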

Does this case modify the action of value_authorization with
respect to modify_authorization? I'm not sure what it is
saying. I can read it as saying the value_authorization
doesn't allow the retrieval of the value of a modify_authorization
that is present in a sensitive property group. I'm not sure
that makes sense.

The way I've read this proposal, if I can change the sensitive
property value, I can read it. Please clarify.

Gary..