Hi Darren,
On Aug 27, 2009, at 2:54 AM, Darren J Moffat wrote:
> Pat Bredenberg wrote:
>> The utility access /dev/xsvc, which is owned by root. Instead
>> of specifying the command must be run as root,
>
> The device permissions and ownership aren't relevant here it is
> what privilege the device enforces for reading from it.
Right. I stand corrected.
>
> > I could change it to
>> something along the lines of, "PRIV_FILE_DAC_READ privileges are
>> required to run this command." Would that suffice?
>
> Yes that is sufficient, please ensure though that the man page does
> say that it needs this because of use of /dev/xsvc.
OK, great.
>
> I think an entry in the already existing "Maintenance and Repair"
> RBAC profile would also be appropriate, but given the mostly debug
> nature of these I wouldn't insist on it. It would look like this:
>
> Maintenance and Repair:solaris:cmd:::/usr/bin/
> acpidump:privs=file_dac_read
I think I'll decline to take this option for the time being. Thank
you for the constructive criticism.
Sincerely,
Pat B.
>
> --
> Darren J Moffat
