On Mon, 2008-07-28 at 13:38 -0700, Gary Winiger wrote:
> >   create-secobj           sys_dl_config, solaris.network.link.security
> >   delete-secobj           sys_dl_config, solaris.network.link.security
> 
>       I don't understand these lines in the proposal.  sys_dl_config
>       is the new proposed privilege and enforced by the kernel.
>       solaris.network.link.security is an existing authorization.
>       Authorizations are enforced by privileged programs, not
>       by the kernel.

That's right, and I probably shouldn't have included that information in
the table.  I was just trying to convey what dladm does today.  It
checks for the solaris.network.link.security authorization for these
subcommands, and I'm not changing that.

>       Is this proposal saying that dladm for these operations
>       will check the authorization and fail the operation if
>       the authorization is not present?  Please clarify.

That is correct.  It does check for that authorization, and it will
still check for it.  In addition to that, the kernel ioctl used to
manipulate these security objects will require the sys_dl_config
privilege.

I hope this clears up the confusion.

-Seb


