On Tue, May 03, 2011 at 04:56:51PM -0700, Edward Pilatowicz wrote:
> ---------
> src/svc/zoneproxyd.xml
>
> - don't run as root. instead, run as daemon and add in just the privs
>   you need. (which i'm guessing are file_owner and file_dac_read. if
>   you need additional privs you can figure out which ones you need via
>   ppriv -D.)

This isn't going to work until the zone_enter code changes. That code does a bitwise compare on the privilege set of the caller who enters, and if that caller doesn't have all of root's privs, the zone enter fails. I believe that when you reviewed this initially, I tried it and determined that it didn't work. This code will add and remove its privs as needed, but at a minimum it needs to have root privs at some time so that it can zone_enter and fattach the door in the proxy-client's zone.

-j

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
