Tim Foster wrote:
> Yep, I had tried that before submitting the code review - I believe we were
> running into this restriction, documented in privileges(5)
>
> PRIV_FILE_DAC_WRITE
>
> Allow a process to write a file or directory whose per-
> mission bits or ACL do not allow the process write per-
> mission. All privileges are required to write files
> owned by UID 0 in the absence of an effective UID of 0.
>
> Since /system/volatile is owned by root, we can't write it even with, eg.
>
> {file_dac_write}:/system/volatile,{file_dac_write}:/system/volatile/*
Right, but file_dac_write is the wrong privilege. I was trying this for a
service a while back, and Casper pointed me to the "zone" privilege (which
is like the "all" privilege, but DTRT in zones), and that *that* can take a
path limiting it as well. There are a few examples in privileges(5), but
it's not clear from any of it that this is what you want to do here.
At any rate, give it a shot, see if it does what you want.
(And apologies, I meant "extended policy" instead of "mwac" in my original
message.)
Danek
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
