Hi,

On 08/26/09 09:38, Darren J Moffat wrote:
> Garrett D'Amore wrote:
>> Man pages in the case directory indicate that Primary Administrator
>> (root) is required to run these commands. Why? It seems like these
>> commands only access information which should be considered public, so
>> that anyone can run them. I realize that there is an issue of
>> accessing the underlying device nodes, but perhaps RBAC can be used to
>> make these commands available to anyone? (Or perhaps the underlying
>> device node can be provided in "safe, read-only" type of mode?)
>
> I'll ask a more specific question.
>
> Exactly what privileges do these commands need to run with to gather the
> information they need.
>
> "Primary Administrator" should never be documented in a man page. If
> the command really needs all privileges because that is what the device
> node requires then that is what we document.

A number of questions have been posed so I'll address them here. Aubrey, if I get something wrong, please feel free to correct me.

"Is it really necessary to use the "pmtools" name?"

Nope. In fact, I had originally named it "SUNWacpidump" but over the course of code reviews and discussions with the SFW community it was renamed to "SUNWpmtools." I'm indifferent to the name, so changing it is no big deal to me.

"Man pages in the case directory indicate that Primary Administrator (root) is required to run these commands. Why?"

Since this is my first attempt at writing man pages and delivering anything into Solaris, I begged, borrowed, and stole from whatever resources I could find. The "Primary Administrator" moniker is likely an artifact from this process. I can change that to something more appropriate, or just remove it altogether.

"...but perhaps RBAC can be used to make these commands available to anyone? (Or perhaps the underlying device node can be provided in "safe, read-only" type of mode?)"

The utility accesses /dev/xsvc, which is owned by root. Instead of specifying the command must be run as root, I could change it to something along the lines of, "PRIV_FILE_DAC_READ privileges are required to run this command." Would that suffice?

"Primary Administrator" should never be documented in a man page."

I pulled that from the man page for powertop(1M). It sounds like that was not appropriate for these utilities.

Thank you all for your time and comments.

Sincerely,
Pat

--
Pat Bredenberg
Solaris Quality Engineering
Sun Microsystems, Inc. - Broomfield, CO