> Rob's sent me updated materials which reflect the clarifications due 
> to the conversation here around privileges and the removal of 
> config/debug from the manpages.
> 
> I've put them in the case directory.

>      config/rootdir
>      
>          This is an astring property that defaults to "/".
>        When set, the specified root directory will be used for
>        all pathnames evaluated by snmp-notify.

>     4.11. Security Impact:
> 
>       During daemon initialization, the smtp-notify daemon will reduce its
>       privileges to the following minimal set:
> 
>       afsr# ppriv 103247
>       103247: /usr/lib/fm/notify/snmp-notify
>       flags = PRIV_AWARE
>               E: basic
>               I: basic
>               P: basic
>               L: basic
> 
>       The case will introduce the following new authorization for management
>       of the smtp-notify service:
>       
>       solaris.smf.manage.snmp-notify
>       
>       This case also introduces the "Event Notification Agent Management"
>       profile which will include the above authorization as well as the new
>       authorization being added for the smtp-notify service.

        Similar to 2009/619,
        Can this privilege reduction be done with a method context instead
        of by the daemon?  If so, why isn't that the choice?  If not,
        why not?

        What uid/gid does the daemon run with and why -- unless it is noaccess.

        Additionally this case seems not to follow the SMF policy for
        configuring properties.  See
        http://sac.eng.sun.com/cgi-bin/bp.cgi?NAME=SMF.bp
        (there is an opensolaris.org equivalent, but that website is
        not presently responding so I can't cut and paste the url).
        See appendix D relative to value_authorization.

        Nit, I suspect there's a case dependency on PSARC/2009/617

Gary..
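
For reference, the method-context alternative raised in the review above would look roughly like the following SMF manifest fragment. This is an added illustration, not part of the original message or the case materials; the user/group, the timeout, and the `solaris.smf.value.snmp-notify` authorization name are assumptions.

```xml
<!-- Added illustration: fragment of a service manifest, not the case's own. -->

<!-- Start method with the privilege set applied by SMF before exec,
     instead of the daemon dropping privileges itself. -->
<exec_method type='method' name='start'
    exec='/usr/lib/fm/notify/snmp-notify' timeout_seconds='60'>
  <method_context>
    <!-- user/group are assumed; the privilege sets mirror the ppriv
         output quoted in the case (E, I, P and L all "basic"). -->
    <method_credential user='noaccess' group='noaccess'
        privileges='basic' limit_privileges='basic'/>
  </method_context>
</exec_method>

<!-- Authorization named in the case for managing the service
     (enable, disable, restart, refresh). -->
<property_group name='general' type='framework'>
  <propval name='action_authorization' type='astring'
      value='solaris.smf.manage.snmp-notify'/>
</property_group>

<!-- Application properties. value_authorization lets a holder change
     property values in this group without being able to alter the
     group's structure. The authorization name here is hypothetical. -->
<property_group name='config' type='application'>
  <propval name='value_authorization' type='astring'
      value='solaris.smf.value.snmp-notify'/>
  <propval name='rootdir' type='astring' value='/'/>
</property_group>
```

A method context takes effect before the daemon is exec'd, so it only fits if nothing in daemon initialization needs more than the basic set.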
