> Rob's sent me updated materials which reflect the clarifications due
> to the conversation here around privileges and the removal of
> config/debug from the manpages.
>
> I've put them in the case directory.
> config/rootdir
>
> This is an astring property that defaults to "/".
> When set, the specified root directory will be used for
> all pathnames evaluated by snmp-notify.
> 4.11. Security Impact:
>
> During daemon initialization, the smtp-notify daemon will reduce its
> privileges to the following minimal set:
>
> afsr# ppriv 103247
> 103247: /usr/lib/fm/notify/snmp-notify
> flags = PRIV_AWARE
> E: basic
> I: basic
> P: basic
> L: basic
>
> The case will introduce the following new authorization for management
> of the smtp-notify service:
>
> solaris.smf.manage.snmp-notify
>
> This case also introduces the "Event Notification Agent Management"
> profile which will include the above authorization as well as the new
> authorization being added for the smtp-notify service.

Similar to 2009/619, can this privilege reduction be done with a method
context instead of by the daemon? If so, why isn't that the choice?
If not, why not?

What uid/gid does the daemon run with and why -- unless it is noaccess.

Additionally this case seems not to follow the SMF policy for configuring
properties. See http://sac.eng.sun.com/cgi-bin/bp.cgi?NAME=SMF.bp
(there is an opensolaris.org equivalent, but that website is not presently
responding so I can't cut and paste the URL). See appendix D relative to
value_authorization.

Nit, I suspect there's a case dependency on PSARC/2009/617

Gary..
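
For reference, the two mechanisms raised in the reply above (privilege reduction through an SMF method context, and a value_authorization on the config property group) look like this as a service manifest fragment. This is an added example, not part of the original message or the case materials; the noaccess user and group, the timeout, and the solaris.smf.value.snmp-notify authorization name are assumptions made for illustration.

```xml
<!-- Added illustration only: fragment of an SMF service manifest,
     not taken from the case materials. -->

<!-- Privilege reduction declared in the method context: the restarter
     starts the daemon with only the basic set, so the daemon never holds
     more and does not need to drop privileges itself. -->
<exec_method type='method' name='start'
    exec='/usr/lib/fm/notify/snmp-notify'
    timeout_seconds='60'>                     <!-- timeout: assumed -->
  <method_context>
    <!-- user/group are assumptions; the case does not state them -->
    <method_credential user='noaccess' group='noaccess'
        privileges='basic' limit_privileges='basic'/>
  </method_context>
</exec_method>

<!-- Property changes gated by an authorization: a user holding the named
     authorization may modify values in this property group (for example
     config/rootdir) without being root. -->
<property_group name='config' type='application'>
  <propval name='rootdir' type='astring' value='/'/>
  <!-- hypothetical authorization name, shown for illustration -->
  <propval name='value_authorization' type='astring'
      value='solaris.smf.value.snmp-notify'/>
</property_group>

<!-- Enable/disable/restart gated by the authorization the case names. -->
<property_group name='general' type='framework'>
  <propval name='action_authorization' type='astring'
      value='solaris.smf.manage.snmp-notify'/>
</property_group>
```

On a running system, `ppriv` on the daemon's pid should show the same E/I/P/L sets as the output quoted above when the method context is in effect.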